IRC Bot list (cross posting)

[ Edited and resent, the first appears to have vanished in transit ]

I concede the point that operational tracking of botnets doesn't belong here, and I offer apologies to Martin, and the list in general, for not counting to ten before replying to his email. However, simply suppressing discussion of the topics isn't a good way to foster a cooperative working environment.

I'd like to thank those few folks who corrected me, today. I was wrong in what I felt was appropriate, and I shouldn't have gone off in the manner I did.

Moving to a more productive stance for this thread:
How many people have subbed in the past month? The past year? There's stuff in the FAQ about what's directly relevant to this particular list, but there are a million related sub-topics with low level chatter that would overwhelm a single list, like this one. Is there a helpful resource that references these lists, to give subscribers a better grasp on topic specific lists that other nanog users deem productive, clue packed and useful?

- billn

I don't know how relevant this is to your question, but since it was
part of the Subject here it goes: The botlist MUST have been
interesting to a sizable number of NANOG'ers. At least 305 people
(different IPs) downloaded the version that I posted here last night.

-Jim P.

Yes, there are a number of good netadmins who want to make sure they don't
have one of these bots on their network (and a number of bad guys who
want to see the entire list), but if you consider the total number of networks
in the world, 305 is not all that many and I doubt most of the bots
on that list were killed because people found the list at nanog...

However, since enough interest was shown by people on nanog@
in helping to kill bots and knowing about it, may I suggest that people
who are doing the tracking set up the following:
1. Website where person can come and enter ip address block or domain
    and see number of bots on that network (but not actual ip addresses).
2. After that the person should be able to register (entering full
    name and contact data and company he/she works) and can then get
    access to see entire list of ip addresses for particular company
    (and possibly even do more and mark ips that have been taken care of).
3. Additionally there could be regular post on nanog@ (once/week or
    once/month depending how much nanog can tolerate) reminding of the
    website and with summary including total number of botnet ip
    addresses listed in the database, plus possibly list of 10 networks
    that have largest number of unhandled bots.

So, Gadi, are you taking notes?

For the DNSBLs that list things like proxies, most of them also
offer to send notifications to AS or netblock contacts, so if you're
interested in that then contact them too.

If you're listing IPs, it helps if you also attach a timestamp so those of us
with large dialup and DHCP pools have a snowball's chance. (Make note - a
"taken care of" page *also* needs the timestamp so we can check the right one
off).

And, for those who are not used to troubleshooting incidents with people in distant timezones, specify the timezone somewhere (e.g. "all dates/times are UTC", "all dates/times are UTC-8").

People should also remember that just because it's February 10 in my timezone right now doesn't mean it's not February 11 elsewhere -- so, dates need timezones too, even if no time is specified.

Joe
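
The timestamp and timezone advice in the last two messages, as an added example that is not part of the original thread: Python code that maps a reported bot IP to whoever held that address in a dynamic pool. The lease log, subscriber labels, address and year are constructed, and `report_window` and `lease_holders` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed lease log for one dynamic-pool address: (ip, subscriber, start, end), all UTC.
LEASES = [
    ("192.0.2.17", "sub-A", datetime(2005, 2, 10, 20, 0, tzinfo=UTC), datetime(2005, 2, 11, 4, 0, tzinfo=UTC)),
    ("192.0.2.17", "sub-B", datetime(2005, 2, 11, 4, 0, tzinfo=UTC), datetime(2005, 2, 11, 12, 0, tzinfo=UTC)),
    ("192.0.2.17", "sub-C", datetime(2005, 2, 11, 12, 0, tzinfo=UTC), datetime(2005, 2, 12, 9, 0, tzinfo=UTC)),
]


def report_window(stamp, assumed_offset_hours=None):
    """Turn a report's date or date-time string into a [start, end) window in UTC.

    A stamp without an offset is rejected unless the list states one globally
    ("all dates/times are UTC-8"), passed here as assumed_offset_hours.
    """
    date_only = "T" not in stamp
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        if assumed_offset_hours is None:
            raise ValueError(f"no timezone on {stamp!r}; cannot map to a lease")
        parsed = parsed.replace(tzinfo=timezone(timedelta(hours=assumed_offset_hours)))
    start = parsed.astimezone(UTC)
    # A bare date covers the whole local day; a full timestamp is a single instant.
    end = start + (timedelta(days=1) if date_only else timedelta(microseconds=1))
    return start, end


def lease_holders(ip, stamp, assumed_offset_hours=None):
    """Return every subscriber whose lease on ip overlaps the reported window."""
    start, end = report_window(stamp, assumed_offset_hours)
    return [sub for lip, sub, ls, le in LEASES if lip == ip and ls < end and start < le]
```

The same wall-clock reading lands on a different subscriber depending on the offset, and a bare date can span several leases, which is why a report without both is hard to act on.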