RE: short Botnet list and Cashing in on DoS

The problem with that is the list rapidly updates
and must be maintained with some level of frequency
and there's a level of trust involved in it as well.

Going after the bots is lesser effort. The controllers are
a priority.

-M<

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
J. Oquendo
Sent: Thursday, October 07, 2004 1:11 AM
To: nanog@merit.edu
Subject: short Botnet list and Cashing in on DoS

I've been slowly compiling a list of known botnets should
anyone care to filter, or check them in your netblocks if
someone in your range is passing off garbage, etc. Information has been
passed from other admins having to deal with these pests. Care to pass on
a host that you're seeing? I'll post it for others to see as well. Perhaps
when I have spare time, I may or may not throw up something where admins
can check, add, hosts they're seeing. Don't know if I want my connection
getting toasted for doing so, but it could be something informative, a-la
spamhaus. Bothaus anyone?

http://www.infiltrated.net/sdbot-irc-servers.txt

> The problem with that is the list rapidly updates
> and must be maintained with some level of frequency
> and there's a level of trust involved in it as well.
>
> Going after the bots is lesser effort. The controllers are
> a priority.

And it's in this arena that honeypots become most valuable, although if I personally were going to do something like this, I'd be logged in from a login from a login over a netzero dialup over a previously-discovered open-proxy.

The beauty is that script-kiddies aren't that intelligent.

-Dan

> Going after the bots is lesser effort. The controllers are
> a priority.

That's not happening.

AV companies are mostly interested in hyping the latest worm or semi-worm. Drone armies, hundreds of thousands large (no exaggeration) are just too much of an effort with 1000+ new Trojan horses coming out every month.

Also, there are virtually no resources directed at this problem except for a _few_ numbered concerned individuals from various corporate security teams and a few people who use IRC networks, world-wide.

As long as so many computers are out there for the taking, it is almost an impossible war.

Maybe it would be possible to check if any users from a location you are in charge of are connecting to these IPs and send them an automated email about their security plus a deal on an AV product (whatever it is worth for this)?
I doubt many here have the time to even consider such an effort, even with the deal.

There are easier ways, such as seeing who in a said network connects out with recognized signatures... again, I doubt many would bother.

Spam, viruses, it all revolves around the same problem. The users en masse are a serious risk on the macro level. Besides, with so many drones around and infected machines - who needs a proxy to be anonymous?

  Gadi Evron.
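The check Gadi describes (which hosts in your own netblock are talking to addresses on a published controller list, so their owners can be notified) is simple enough to script. The block below is an added example, not code posted by anyone in this thread and not the contents of the sdbot list linked above: the controller list and the flow records are constructed samples using documentation-range addresses, and the local netblock 10.0.0.0/8 is an assumption. It also applies the second heuristic Gadi mentions, flagging any outbound connection on the usual IRC port range as a weaker "recognized signature" hit.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the same one-address-per-line shape as a published text
# list; hypothetical values, NOT the real sdbot-irc-servers.txt contents.
CONTROLLER_LIST = """\
# sdbot IRC controllers (constructed sample)
203.0.113.10
198.51.100.0/24   # whole block reported as hosting controllers
"""

# Constructed flow records: timestamp src dst dport proto
FLOW_LOG = """\
2004-10-07T01:11:02 10.0.5.23 203.0.113.10 6667 tcp
2004-10-07T01:11:05 10.0.5.23 203.0.113.10 6667 tcp
2004-10-07T01:12:40 10.0.7.9 198.51.100.77 6668 tcp
2004-10-07T01:13:01 10.0.9.4 192.0.2.55 80 tcp
2004-10-07T01:14:15 10.0.5.23 192.0.2.8 443 tcp
2004-10-07T01:15:30 10.0.3.3 192.0.2.200 6669 tcp
"""

IRC_PORTS = range(6660, 6670)   # conventional IRC port range; a weak signature


def load_controllers(text):
    """Parse a plain-text list into ip_network objects, ignoring comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_controller(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_suspect_hosts(flow_text, nets, local_net="10.0.0.0/8"):
    """Return {local_host: [(ts, dst, dport, reason), ...]} for hosts that
    contacted a listed controller ("listed") or spoke to any outside host on
    an IRC port ("irc-port"). Only flows sourced inside local_net count."""
    local = ipaddress.ip_network(local_net)
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        ts, src, dst, dport, _proto = parts
        if ipaddress.ip_address(src) not in local:
            continue                      # inbound or transit traffic: not ours to notify
        port = int(dport)
        if is_controller(dst, nets):
            hits[src].append((ts, dst, port, "listed"))
        elif port in IRC_PORTS:
            hits[src].append((ts, dst, port, "irc-port"))
    return dict(hits)


def notification(host, contacts):
    """Draft the automated notice Gadi suggests sending to the host's owner."""
    strong = [c for c in contacts if c[3] == "listed"]
    lines = [f"Host {host} made {len(contacts)} suspicious outbound connection(s):"]
    for ts, dst, port, reason in contacts:
        lines.append(f"  {ts} -> {dst}:{port} ({reason})")
    if strong:
        lines.append("It contacted a known botnet controller and is most likely infected.")
    else:
        lines.append("IRC-port traffic alone is only a hint; please verify the machine.")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = load_controllers(CONTROLLER_LIST)
    for host, contacts in sorted(find_suspect_hosts(FLOW_LOG, nets).items()):
        print(notification(host, contacts))
        print()
```

Listed-controller hits are the ones worth acting on; the IRC-port heuristic is kept separate in the output because legitimate IRC use would trip it, which is exactly the trust problem the earlier reply raised about any such list.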

> ..., a-la spamhaus. Bothaus anyone?

> The problem with that is the list rapidly updates and must be maintained
> with some level of frequency and there's a level of trust involved in it
> as well.

i consider www.cymru.com to be an excellent beginning toward that goalset.

> Going after the bots is lesser effort. The controllers are a priority.

wide scale BCP38 conformity is the only way any of this will ever happen.

> > Going after the bots is lesser effort. The controllers are a priority.
>
> wide scale BCP38 conformity is the only way any of this will ever happen.

considering that the bots are not spoofing, just how is this gonna
help?

randy