Hi,
You probably didn't think of this, but it might not be a good idea to publish a
list of 3000 computers that can be infected/taken over for further nastiness.
If you can privately send me a list of IP addresses (no need to sort), I can
assist you to distribute this information securely?
Hi,
You probably didn't think of this, but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness.
If you can privately send me a list of IP addresses (no need to sort), I can
assist you to distribute this information securely?
I don't reply to posts just to agree in quite a few years now. In this case I feel very strongly about it, though.
Me Too!
I am sure these 3K users will appreciate getting re-pwned by 20 Bad Guys from nanog.
Here's a different version of the above, host'ed, awk'ed and sorted.
NOTE: several of those hostnames did not resolve, so this list is not an
exact duplicate.
If you grabbed this in the past few minutes, you might want to re-grab
it. I didn't realize that there were some IP addrs in the original
file. I regenerated the list and there are now 3085 IPs in that list.
: Wasn't there supposed to be special mail list setup for botnet
: tracking?
:
: If so can we please move this thread there and not continue it on main
: nanog list...
You don't mass an army if you're not about to use it. This situation can (very quickly) have operational relevance. Bringing it to light to a wider forum than special interest groups is a good idea.
You'd certainly care more if it was pointed at you.
You don't mass an army if you're not about to use it.
3000 is no longer that large, maybe a brigade but not an "army"...
This situation can (very quickly) have operational relevance.
If every botnet investigation is brought up at nanog, the list itself will
lose relevance.
Bringing it to light to a wider forum than special interest groups is
a good idea.
Appropriate people already saw the list and will take care. There are also
special tools available that will take a list of IP addresses and notify the
appropriate networks; doing it manually and then letting the whole list know
(especially nanog, which has not only whitehats but a number of blackhats)
is in itself a security issue, as has already been pointed out.
Hi,
You probably didn't think of this, but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness.
Collecting that kind of list on any machine on the public internet takes only a day or so, so I don't think posting a list, where some of the IPs change anyway, should be considered a security threat.
If you can privately send me a list of IP addresses (no need to sort), I can
assist you to distribute this information securely?
The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who. In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.
Isn't it a good idea to collect the IP addresses rather than the ptr
name? For instance, if I were an evil person in control of the ptr
record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it
in practice?), but I still think that for tracking purposes, ptr records
are useless. IMHO.
PTR records are just as pointless as A records...
in a secured DNS hierarchy, this is less of an issue
since you have to spoof the entire delegation chain.
so either trust the DNS (both forward and reverse)
or not. For forensics, collect the DNS labels and the
IP addresses associated w/ them.
and yes, i have seen DNS spoofing in the wild, both A
and PTR, although A spoofing is much more pronounced.
Not possible with most modern IRCDs since they check forward and reverse DNS.
So for example if your address is:
1.2.3.4
and that resolves to: 1-2-3-4.dsl.verizon.net
the ircd makes sure that: 1-2-3-4.dsl.verizon.net
resolves back to
1.2.3.4
it's a simple and elegant solution that basically stops spoofing of this nature, on IRC anyway....
Isn't it a good idea to collect the IP addresses rather than the ptr
name? For instance, if I were an evil person in control of the ptr
record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it
in practice?), but I still think that for tracking purposes, ptr records
are useless. IMHO.
You are right, people can change it to be whatever they like, potentially.
What if they wanted to change the IP?
Think about what you said, and you will see why you are wrong.
PTR records are just as pointless as A records...
in a secured DNS hierarchy, this is less of an issue
We are not quite there yet, are we?
since you have to spoof the entire delegation chain.
so either trust the DNS (both forward and reverse)
or not. For forensics, collect the DNS labels and the
IP addresses associated w/ them.
and yes, i have seen DNS spoofing in the wild, both A
and PTR, although A spoofing is much more pronounced.
Not possible with most modern IRCDs since they check forward and reverse DNS.
So for example if your address is:
1.2.3.4
and that resolves to: 1-2-3-4.dsl.verizon.net
the ircd makes sure that: 1-2-3-4.dsl.verizon.net
resolves back to
1.2.3.4
it's a simple and elegant solution that basically stops spoofing of this nature, on IRC anyway....
I wouldn't collect the contents of an A record, if that's what you mean.
I meant that it would be better to collect the IP of whoever is
connected to the irc server directly, eliminating the entire, possibly
misleading, step of DNS lookups. Faking that IP is more difficult.
I always store the original IP. If the PTR record matches with the A
record (aka "paranoid DNS") then I additionally store the hostname from
the A record, and permit the connection to go through.
But no matter what, always store the original IP. It's just four more bytes
(sixteen for IPng), and TCP is more difficult to spoof than DNS.
I wouldn't collect the contents of an A record, if that's what you mean.
I meant that it would be better to collect the IP of whoever is
connected to the irc server directly, eliminating the entire, possibly
misleading, step of DNS lookups. Faking that IP is more difficult.
Agreed.
I always store the original IP. If the PTR record matches with the A
record (aka "paranoid DNS") then I additionally store the hostname from
the A record, and permit the connection to go through.
But no matter what, always store the original IP. It's just four more bytes
(sixteen for IPng), and TCP is more difficult to spoof than DNS.
In the case of the actual drones, I don't see why you'd need the PTR, although it helped me out before.
In the case of C&C's.. PTR, A, etc. could be critical.
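The forward-confirmed reverse check the ircd posters describe (IP -> PTR name -> A record must point back to the same IP), combined with the "always store the original IP, add the hostname only when PTR and A agree" logging rule from the last message, as an added example that is not from any poster in this thread. The DNS data is a constructed in-memory table so it runs offline; the resolver callables are assumed stand-ins for real lookups such as socket.gethostbyaddr / socket.getaddrinfo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed fake DNS data (documentation prefixes, not real zones).
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["10-2-0-192.dsl.example.net"],   # honest: forward agrees
    "198.51.100.7": ["1-2-3-4.dsl.example.net"],    # PTR borrows someone else's name
    "203.0.113.5": [],                              # no reverse record at all
    "2001:db8::1": ["host6.example.org"],
}
FAKE_A: Dict[str, List[str]] = {
    "10-2-0-192.dsl.example.net": ["192.0.2.10"],
    "1-2-3-4.dsl.example.net": ["192.0.2.4"],       # does not point back to 198.51.100.7
    "host6.example.org": ["2001:db8::1"],
}


@dataclass(frozen=True)
class ConnectionRecord:
    ip: str                   # always stored: it comes from the TCP connection itself
    hostname: Optional[str]   # only set when reverse and forward DNS agree


def paranoid_lookup(ip: str,
                    ptr_lookup: Callable[[str], List[str]],
                    addr_lookup: Callable[[str], List[str]]) -> ConnectionRecord:
    """Forward-confirmed reverse DNS ("paranoid DNS"): keep a hostname only if
    one of the PTR names resolves back to the connecting IP; else keep IP alone."""
    canon = str(ipaddress.ip_address(ip))   # normalise, e.g. 2001:0db8::1 -> 2001:db8::1
    for name in ptr_lookup(canon):
        name = name.rstrip(".").lower()
        forward = {str(ipaddress.ip_address(a)) for a in addr_lookup(name)}
        if canon in forward:
            return ConnectionRecord(ip=canon, hostname=name)
    return ConnectionRecord(ip=canon, hostname=None)   # PTR missing or not confirmed


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_addr(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def classify_peers(ips: List[str]) -> List[ConnectionRecord]:
    """Log-style pass over connecting peers: IP always, hostname only if confirmed."""
    return [paranoid_lookup(ip, fake_ptr, fake_addr) for ip in ips]


if __name__ == "__main__":
    for rec in classify_peers(list(FAKE_PTR)):
        print(rec)
```

A spoofed PTR (198.51.100.7 above) ends up logged by IP only, so a later investigator is never misled by a borrowed hostname.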