short Botnet list and Cashing in on DoS

Matthew S. Hallacy poptix at poptix.net
Fri Oct 8 00:48:39 UTC 2004


On Thu, Oct 07, 2004 at 04:24:42PM -0400, Mike Tancsa wrote:
> 
> Have you sent email to those edu abuse contacts ?  Most of the universities 
> I have worked with for abuse resolution are generally responsive.

Unfortunately the 'generally responsive' is the best you can hope for. 

Recently, while investigating a customer system that had been rooted (poorly
chosen root password), I tracked the psybnc and energymech bots down to a 
channel on Undernet's IRC network (#The-Hackers). After wiping out about 
half their bots (with information gleaned from the exploited system), they 
got upset and decided to attack the host I was IRC'ing from.

One provider (Qwest) resolved the issue after 6 hours of ~100mbit coming
from a colo customer (big name game company, SLA complicated things).

One provider (NetNation.com) said they were aware that the system had been
exploited, and was attacking other systems, but that they had not gotten
around to doing anything about it. A phone call to the customer paying for
the ~50-60mbit/s it was spewing got that resolved very quickly.

The third system went offline completely about 5 minutes after it started
attacking. I like to believe that it set off an alarm somewhere and someone
investigated.


Notable points here:

a) Some providers are happy to allow their customers' systems to push DDoS
traffic; it increases their revenue.

b) IRC is a haven for these people, unfortunately networks like Undernet
take it a step further by providing channel services and host hiding so
that not only the people behind the DDoS are hidden, but so are the bots
themselves. The people running the network fear retaliation too much to
do anything about it.

c) Everyone I've run across while hunting botnets has been from Thailand,
Korea, India, or somewhere nearby. #The-Hackers has their own website
complete with valid phone numbers: www.the-hackers.org

d) There is no easy solution.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203