Tracking the bad guys

Eric Brunner-Williams brunner at nic-naa.net
Wed Jun 2 11:18:03 UTC 2004


> Eric Brunner-Williams is slightly incorrect

that happens.

> Whois records

if you read my note, the only whois data of interest is the registrar and
the ns providers (and their ns providers). other data of interest originates
from rir public rwhois servers.

> Meanwhile ... the miscreant's IP address ...

this instance was interesting in its unsophistication. from a related
writing:

	The insertion network is a single address [151.42.235.185].
	The subscriber network is a single property [paxil-medication].

	More generally, multiple robo-hosts comprise the insertion network
	(attack side), trailing, but following the same technical trajectory
	as SMTP spam, and multiple URL payloads (benefit side), and commit
	only a few ad inserts in any discrete attack over a larger range of
	targets.

> I'd recommend that Eric check nic-naa.net's whois phone numbers,

that was the one useful item you wrote. core-50 may have a problem, and it
may be the case that the core-srs whois server may have a problem. thanks
for the data point.

incidentally, in addition to post-detection persistent blocking, temporal
approaches (interstitial gap management) for a single attack address are
available, and a nanog reader has mentioned an implementation of a bayesian
approach in private mail.

eric
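The two ideas in the message above, grouping inserts by URL payload to expose the robo-host insertion network, and a per-address temporal (interstitial gap) rule as an alternative to persistent blocking, worked through as an added example. This is illustration code written for this page, not anything from Eric's post or from a NANOG reader's implementation; the log format, the addresses (RFC 5737 documentation ranges), the payload hosts, and the gap and block thresholds are all constructed assumptions.

```python
"""Detection over a constructed log of ad/comment inserts (added example).

Each log line is: timestamp, source address, target property, payload host.
Two checks are applied:
  1. insertion_networks(): payloads carried by several distinct addresses
     expose the "attack side" (multiple robo-hosts, one benefit-side URL).
  2. temporal_gap_filter(): a per-address interstitial gap rule; an insert
     arriving too soon after the previous accepted insert from the same
     address is rejected and the address is blocked only for a cooling-off
     period, instead of being blocked persistently.
All addresses, hosts and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format; not real traffic).
SAMPLE_LOG = """\
2004-06-01T10:00:00 198.51.100.7 blog-a example-pills.invalid
2004-06-01T10:00:20 198.51.100.7 blog-a example-pills.invalid
2004-06-01T10:05:00 203.0.113.9 blog-b example-pills.invalid
2004-06-01T10:07:00 203.0.113.9 blog-c example-pills.invalid
2004-06-01T10:08:00 192.0.2.44 blog-d example-pills.invalid
2004-06-01T10:15:00 198.51.100.7 blog-a example-pills.invalid
2004-06-01T11:00:00 198.51.100.7 blog-a example-pills.invalid
2004-06-01T11:30:00 192.0.2.10 blog-a photos.example
"""


def parse_log(text):
    """Parse log lines into (timestamp, source, target, payload) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, target, payload = line.split()
        events.append((datetime.fromisoformat(ts), src, target, payload))
    return sorted(events)  # process in time order


def insertion_networks(events, min_hosts=2):
    """Map each payload host to the sorted addresses that inserted it.

    Payloads seen from at least min_hosts distinct addresses are reported;
    these are the benefit-side URLs shared by an insertion network.
    """
    by_payload = defaultdict(set)
    for _, src, _, payload in events:
        by_payload[payload].add(src)
    return {p: sorted(h) for p, h in by_payload.items() if len(h) >= min_hosts}


def inserts_per_target(events, payload):
    """Count inserts of one payload per target property (range of targets)."""
    counts = defaultdict(int)
    for _, _, target, p in events:
        if p == payload:
            counts[target] += 1
    return dict(counts)


def temporal_gap_filter(events, min_gap=timedelta(minutes=1),
                        block_for=timedelta(minutes=30)):
    """Per-address interstitial gap rule.

    Returns a list of (timestamp, source, decision) where decision is
    'accepted', 'rejected' (arrived within min_gap of the last accepted
    insert from that address; starts a temporary block) or 'blocked'
    (arrived while a temporary block was still in force). Blocks expire on
    their own after block_for, so no address is blocked persistently.
    """
    last_ok = {}        # address -> time of last accepted insert
    blocked_until = {}  # address -> time the temporary block lapses
    decisions = []
    for ts, src, _target, _payload in events:
        if src in blocked_until and ts < blocked_until[src]:
            decisions.append((ts, src, "blocked"))
            continue
        if src in last_ok and ts - last_ok[src] < min_gap:
            blocked_until[src] = ts + block_for
            decisions.append((ts, src, "rejected"))
            continue
        last_ok[src] = ts
        decisions.append((ts, src, "accepted"))
    return decisions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for payload, hosts in insertion_networks(evs).items():
        print(payload, "carried by", hosts, inserts_per_target(evs, payload))
    for ts, src, decision in temporal_gap_filter(evs):
        print(ts.isoformat(), src, decision)
```

The payload grouping is what distinguishes a distributed insertion network from a single noisy address: three addresses each making only one or two inserts look harmless per target but share the same benefit-side host. The gap filter shows the temporal alternative the message mentions: 198.51.100.7 is rejected for a burst, stays blocked for the cooling-off window, and is accepted again once it lapses.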
