Interesting Point of view - Russian police and RIPE accused of aiding RBN
noc acrino
noc.akrino at gmail.com
Sun Nov 8 10:27:34 UTC 2009
2009/11/6 Jeffrey Lyon <jeffrey.lyon at blacklotus.net>
> The primary issue is that we receive a fair
> deal of customers who end up with wide scale DDoS attacks followed by
> an offer for "protection" to move to your network. In almost every
> case the attacks cease once the customer has agreed to pay this
> "protection" fee. Every one of these attacks was nearly identical in
> signature.
>
By the way, Jeffrey, we can provide reports on HTTP-flood because our system
builds it's signatures on http traffic dumps like
=== IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many
identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1)
Gecko/20061204 Firefox/2.0.0.1
Host: [censored]
Connection: Keep-Alive
So using this info we can map botnets, learn different attacks and in
collaboration with ISPs - find CCs of new botnets. And what are your
accusations of the identical signatures based on when simple Staminus
resellers (like you are) do not have access to their signatures database?
Kanak
Akrino Abuse Team
More information about the NANOG
mailing list