Hello,
We recently tracked down a botnet that attacked our network. We found the
C&C server, it has approximately 40-50 servers, consisting of mostly *nix
machines with high speed connections, for example AWS servers or dedicated,
attack capacity is 4-5Gb/s or more. Is there any contacts with law
enforcement here that I can send over the info too?
.
Sure is. Check with your local FBI office.
/bill
FBI sure - but if you have AWS servers in the mix, contact Amazon
security first.
Do you know how responsive and effective that is out here in rural america? usually nada even if you can even find someone who speaks tech.
I gave my local a C&C complete with location in Phoenix and details on all the Italian bank intercepts that were stored there (open directory) and 2 weeks later it was still operating.
Tom
The IP's are masked, you only see part of the IP/hostname, if there is
someone from amazon here, feel free to contact me.
The C&C is hosted at theplanet/softlayer
I bet the FBI is going to be _particularly_ focused on dealing with
botnets in the coming months. :o)
But yes, the FBI is the place to go after contacting whatever abuse
departments you can. (It's good to have a little courtesy before
bringing out the sledge hammer).
We've been contacted by the Secret Service before regarding customer
servers that have been doing shady stuff. apparently they do alot of the
cybercrime work for the federal government. from what I've seen we've been
contacted more by them then the FBI. I did email a contact from the SS from
a issue early in 2011, hopefully he responds.
I attended a Cisco seminar on infrastructure security where the speaker was a former FBI agent. For reporting computer-related crimes, he recommended contacting your local Infragard office.
Of course I noticed that Infragard was hacked by LulzSec last June, so YMMV.
The appropriately named SS mainly deals with counterfeit currency,
widespread ID theft (See also: Ryan1918) and threats to the President.
There is nothing really you can do and this is why:
1. If you contact the domain name provider, a backup domain is likely
being used, so if that is shutdown you loose you mole in your "whack a
mole" game.
2. If you contact TP/Softlayer, see point #1
3. I've had law enforcement become more interested in questionable
images, which were probable cause, hosted on a third party public
image sharing service than actually handing over information of law
enforcement value because you'll get that "we are looking into it"
response. The probable cause example turned into a quick warrant and
the suspect was arrested later that week.
4. I used to chase botnets. The emphasis is on "used to". It will burn
you out dealing it so much.
I would heed the advice of contacting cybercrime.gov and if you catch
bits and pieces of a domain name, send an email to the abuse contact.
EDU abuse contacts are wonderfully helpful if they are a decent sized
school. If they are some art college near Boston, good luck.
Depends where they are located. I found Europol and the NHTCU somewhat
helpful (but slow) to deal with some botnets controlled in Macedonia and
Latvia. NHTCU were contacted because of the location of one of the attacked
hosts.
Actually, they have statutory authority to deal with computer crime,
too; see http://www.secretservice.gov/criminal.shtml and
http://www.law.cornell.edu/uscode/18/1030.html
--Steve Bellovin, https://www.cs.columbia.edu/~smb
From memory Ameen Pishdadi is the owner of GIGENET, run by Paul Ashley (Aka XEROX), and comprised of the IP space and assets of FOONET. One would think that he has much contact with law enforcement.
Or does my memory fail me?
Andrew
Andrew , it does fail you. The 35+ employees that work for GigeNET would be
really insulted by you insinuating that there job roles have no merit. The
combination of all the things they do is what makes the company run. So no
Paul does not run the company, put down the crack pipe.
Why don't you find something else to troll beside a mailing list of
industry professionals and a legitimate request for help.