short Botnet list and Cashing in on DoS

Paul Vixie paul at vix.com
Sun Oct 10 03:12:40 UTC 2004


someone who wished to remain publicly unnamed answered me by saying:

> I got chastised a little while ago, too, for a single post, and told that
> it was my THIRD warning (having not received any at all before). Feh.

i can't think of anyone among all nanog posters since the beginning of time
who has not deserved to be smacked around at least once by our erstwhile
moderator for saying something on a dead thread or speaking offtopically.

i'm up to two warnings, and i think it's a lifetime quota not subject to
annual resets (in other words it's three, ever, not three in the last year).
it's really improved my thought processes.  if i weren't about to say
something operationally relevant, i'd already have deleted this without
sending it.  quality control for crowds is hard; for engineers, also hard;
for crowds of engineers, i can't imagine a way it can be accomplished, yet
here we all are.

so, i'd written:

> > 2. Filter aggressively.  Run a dark-net, and if one of your customers...
>                                  ^^^^^^^^

my nameless friend then asked me:

> this sounds intriguing, but I'm not sure what it is. Is it sort of an
> internal honeypot NETWORK?

it goes by several names.  network telescope, darknet, etc.  i called it
a darknet above only because rob thomas calls it that, and he'd recently
given a talk at the dns-oarc members meeting on this precise topic.
yes, it's like a honeypot in some ways (but robt probably winced just
now, as he read me saying that.) most of rob's talk is echoed by his web
site <http://www.cymru.com/Darknet/index.html>, which is a good read.

my own "darknet"-like project is wired up to a database that can answer
questions like "what are the worst 25 sources of undesirable smtp since
the last time i reset the database?"  today's answer is:

smtpk=> select * from top25_bysrc;
       src       | howmany |       earliest       |        latest        
-----------------+---------+----------------------+----------------------
 61.73.48.141    |   47650 | 03-AUG-2004 08:44:23 | 09-AUG-2004 22:03:55
 61.73.49.56     |   39435 | 01-AUG-2004 18:53:03 | 02-AUG-2004 21:10:34
 61.73.48.63     |   26938 | 21-JUL-2004 11:52:11 | 21-JUL-2004 12:12:39
 210.244.26.120  |   17057 | 27-MAY-2004 04:42:33 | 27-MAY-2004 07:59:56
 211.74.62.25    |   12674 | 26-MAY-2004 14:43:47 | 26-MAY-2004 15:31:58
 61.73.20.220    |   12092 | 30-JUL-2004 13:43:55 | 31-JUL-2004 07:19:54
 220.116.198.64  |    9576 | 05-AUG-2004 15:49:08 | 07-AUG-2004 00:01:31
 61.73.49.21     |    9206 | 03-AUG-2004 19:57:01 | 04-AUG-2004 19:32:54
 210.68.127.235  |    8367 | 26-MAY-2004 15:32:27 | 26-MAY-2004 16:47:56
 222.101.168.37  |    8098 | 05-JUL-2004 03:55:37 | 31-JUL-2004 07:13:08
 211.218.2.20    |    6410 | 06-AUG-2004 18:25:05 | 06-AUG-2004 18:51:45
 222.117.215.23  |    5698 | 14-JUL-2004 03:56:23 | 18-JUL-2004 05:46:06
 61.73.96.158    |    5516 | 06-AUG-2004 20:10:57 | 06-AUG-2004 20:27:48
 220.116.197.49  |    5314 | 02-AUG-2004 15:10:37 | 02-AUG-2004 15:19:10
 222.101.168.33  |    5066 | 22-JUN-2004 02:00:29 | 16-JUL-2004 13:11:30
 211.218.3.167   |    4318 | 30-JUL-2004 12:36:05 | 30-JUL-2004 12:39:07
 220.116.196.199 |    4301 | 04-AUG-2004 12:53:26 | 04-AUG-2004 16:23:08
 222.117.216.15  |    4072 | 19-JUN-2004 14:16:52 | 22-JUN-2004 13:54:15
 61.38.47.221    |    3777 | 04-JUL-2004 14:52:32 | 04-JUL-2004 21:49:40
 211.218.5.224   |    3706 | 23-JUL-2004 12:22:55 | 23-JUL-2004 12:25:30
 222.117.215.192 |    3624 | 15-JUN-2004 09:55:21 | 15-JUN-2004 14:33:42
 222.117.216.112 |    3454 | 20-JUN-2004 19:24:13 | 21-JUN-2004 04:51:15
 222.117.215.186 |    3418 | 18-JUN-2004 00:53:58 | 18-JUN-2004 20:46:21
 211.218.2.125   |    3387 | 05-AUG-2004 09:28:24 | 05-AUG-2004 20:06:48
 218.8.231.25    |    2996 | 16-AUG-2003 03:13:05 | 16-AUG-2003 21:28:31
(25 rows)

caida's "network telescope" is also quite interesting.  i see some 2001 work
located at <http://www.caida.org/outreach/papers/2001/BackScatter/>.  see
also <http://www.nanog.org/mtg-0110/greene.html>.

running an smtp listener in "darkspace" and wiring it to dynamic dns has
resulted in a private-only dynamic blackhole list that now stops more spam
than any other single public list i subscribe to... and some days more than
all of them combined.

(so you see, the venture capitalists and politicians were right after
all -- there's all kinds of useful information out there, and great
advantages available to anyone who can aggregate it in paranormal ways.
but i digress.)
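Added example, not part of Paul Vixie's post and not his tooling: a small model of the pipeline the post describes. A darknet SMTP listener logs who connected to unused address space, a view equivalent to the post's top25_bysrc aggregates that log per source, and the sources are exported as a DNSBL zone through an nsupdate (RFC 2136 dynamic update) batch, plus the lookup an MTA would do against that zone. The table name smtp_hits, the zone bl.example., the two-hit threshold and the sample addresses (RFC 5737 documentation space) are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (RFC 5737 documentation addresses, not real
# offenders): (source IP, UTC time) of TCP/25 connections that arrived at
# addresses in unused "dark" space. Nothing legitimate has a reason to
# connect there, so every row is evidence against its source.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "2004-08-03 08:44:23"),
    ("198.51.100.7", "2004-08-03 08:44:25"),
    ("198.51.100.7", "2004-08-09 22:03:55"),
    ("203.0.113.25", "2004-05-26 14:43:47"),
    ("203.0.113.25", "2004-05-26 15:31:58"),
    ("192.0.2.200", "2004-07-21 11:52:11"),
]

# Hypothetical schema. The view mirrors the columns of the post's
# top25_bysrc output: per-source count plus first and last sighting,
# worst offenders first.
SCHEMA = """
CREATE TABLE smtp_hits (src TEXT NOT NULL, seen TEXT NOT NULL);
CREATE VIEW top25_bysrc AS
    SELECT src, COUNT(*) AS howmany, MIN(seen) AS earliest, MAX(seen) AS latest
    FROM smtp_hits
    GROUP BY src
    ORDER BY howmany DESC, src
    LIMIT 25;
"""


def load(connections):
    """Load listener records into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO smtp_hits VALUES (?, ?)", connections)
    return db


def top_by_src(db):
    """The post's 'select * from top25_bysrc' as a list of tuples."""
    return db.execute("SELECT * FROM top25_bysrc").fetchall()


def dnsbl_name(ip, zone):
    """DNSBL convention: octets reversed under the zone, like in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_records(rows, zone, min_hits=2):
    """Map each qualifying source to its DNSBL records: the conventional
    127.0.0.2 A answer meaning 'listed', plus a TXT record with the evidence.
    min_hits keeps a single stray connection from listing a source."""
    records = {}
    for src, howmany, earliest, latest in rows:
        if howmany < min_hits:
            continue
        name = dnsbl_name(src, zone)
        records[name] = [
            ("A", "127.0.0.2"),
            ("TXT", f'"darknet smtp: {howmany} hits, {earliest} to {latest}"'),
        ]
    return records


def nsupdate_batch(records, zone, ttl=3600):
    """Text to feed to 'nsupdate -k <key>' so the zone is updated dynamically
    rather than regenerated and reloaded. Each name is deleted before it is
    re-added so repeated runs replace records instead of accumulating them."""
    lines = [f"zone {zone}"]
    for name, rrs in records.items():
        lines.append(f"update delete {name}")
        for rtype, rdata in rrs:
            lines.append(f"update add {name} {ttl} IN {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def listed(records, client_ip, zone):
    """The MTA-side check at connect time: query <reversed client>.<zone>
    for an A record and reject if anything comes back. Here the lookup is
    resolved against the record dict instead of live DNS."""
    rrs = records.get(dnsbl_name(client_ip, zone), [])
    return any(rtype == "A" for rtype, _ in rrs)


if __name__ == "__main__":
    rows = top_by_src(load(SAMPLE_CONNECTIONS))
    for row in rows:
        print(row)
    recs = dnsbl_records(rows, "bl.example.")
    print(nsupdate_batch(recs, "bl.example."))
    print("198.51.100.7 listed:", listed(recs, "198.51.100.7", "bl.example."))
```

The point of the dynamic-update step is the one the post makes: the list changes as fast as the listener sees new sources, without a zone regeneration and reload cycle, and a private list built this way only ever contains hosts that actually tried to deliver mail to addresses where no mail should ever go.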
