Destructive botnet originating from California (was Japan)

Barrett G. Lyon blyon at prolexic.com
Sun Dec 25 23:47:14 UTC 2005


I would have sent out a clean list sorted via AS and IP, except I  
have been working from vacation on GPRS via my 1 bar of service on my  
cell phone.  Cleaning up lists is rather painful for me in that  
situation.  I'm pretty sure Rob Thomas cleaned up the list and added  
it to Team Cymru's stuff.

As a side note, I did apply to nsp-sec a while back and I was told to
do something like download SNORT or join a snort discussion list.  I
thought that was pretty telling; I run into a lot of information daily
and this was messy enough for me to post to NANOG about it.  I was
just trying to do the right thing.

If the right thing is to post this information to a more private
list, then I would do so.  However, I think it has been beneficial to
get this information out to the public where they can actually do
something about it.  I've been getting emails from a lot of people
thanking me for the posts because they were able to identify a lot of
messy traffic on their network and put an end to it.  Posting
information like this to a private list may not have accomplished
much.  I think the data should most certainly go on the Team Cymru
list, but why not to a large public forum, putting it in the faces of the
people that are responsible?

This should be another thread completely, but I am wondering about
the liability of the individuals who have owned machines that are
attacking me/my clients.  I'm not a lawyer, but I would assume that
tort liability law could apply and find someone liable for allowing
their machine to DDoS people.  There is no precedent for this, but
maybe a few lawsuits could set one?  I'm not saying I (Prolexic)
would do this, but if someone sued the owners of the machines in
civil court and won, maybe that would put a hell of a lot more
pressure on people that run a dirty network or machine.  It may place
responsibility on some of these people that say, "we don't care what
our users do".  Have bots?  Go to court...  I'm really interested in
comments on this; has anyone tried?

-Barrett




On Dec 25, 2005, at 2:36 PM, Jon Lewis wrote:

> On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
>
>> The first rule of nsp-sec is, you do not talk about nsp-sec
>> The second rule of nsp-sec is, you DO NOT talk about nsp-sec
>
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> There's nothing secret about the existence or purpose of the list.
>
> I don't know enough about Barrett to guess as to whether or not  
> he'd qualify.
>
> Also, I was considering emailing Barrett privately, but since there
> seems to be so much misinformation going around, others will
> probably benefit from this.  If you want to send out a list of IPs
> suspected of being bots or really any other class of insecure/0wn3d
> systems, to make it easier for those who care to find their IPs in
> your list, run it through the Team Cymru whois server first.
>
> http://www.cymru.com/BGP/whois.html
>
> Then sort the list numerically by ASN.  That way, people can scroll  
> through it, or search by ASN, and quickly determine if there's any  
> further action worth taking.
>
> It's also a really good idea to include timestamps, ideally exact  
> ones in GMT per IP.  In this case (unix bots) it's not as likely,  
> but typical windows bots frequently show up on end-user systems  
> with dynamic IPs. Telling me one of my dial pool IPs was a bot  
> "recently" is not as useful as telling me it was a bot 2005-12-25  
> 02:30:45 GMT.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
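The workflow Jon describes (Team Cymru lookup, sort numerically by ASN, exact GMT timestamp per IP), as an added example that is not part of this thread: a Python script that parses a bulk whois reply and builds the sorted report. The reply, IPs, ASNs and AS names are constructed samples, and the script assumes the reply has already been fetched from whois.cymru.com.

```python
"""Turn a raw bot-IP list into the ASN-sorted, GMT-timestamped report Jon
describes. Added example; all IPs, ASNs and AS names are constructed samples."""
from datetime import datetime, timezone

# Constructed: first-seen time (UTC) per attacking IP, as a DDoS sensor would log it.
SIGHTINGS = {
    "203.0.113.7": datetime(2005, 12, 25, 2, 30, 45, tzinfo=timezone.utc),
    "198.51.100.23": datetime(2005, 12, 25, 1, 12, 9, tzinfo=timezone.utc),
    "192.0.2.44": datetime(2005, 12, 24, 23, 58, 2, tzinfo=timezone.utc),
    "10.0.0.5": datetime(2005, 12, 25, 3, 0, 0, tzinfo=timezone.utc),
}

# Constructed reply in the shape whois.cymru.com returns for 'begin/verbose/<ips>/end':
# banner, header, then 'AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name'.
CYMRU_REPLY = """\
Bulk mode; whois.cymru.com [2005-12-25 04:00:00 +0000]
AS      | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
64500   | 203.0.113.7   | 203.0.113.0/24  | US | arin     | 2001-01-01 | EXAMPLE-NET-C, US
64496   | 198.51.100.23 | 198.51.100.0/24 | JP | apnic    | 2000-06-30 | EXAMPLE-NET-A, JP
64496   | 192.0.2.44    | 192.0.2.0/24    | JP | apnic    | 2000-06-30 | EXAMPLE-NET-A, JP
NA      | 10.0.0.5      | NA              |    |          |            | NA
"""

def parse_cymru(reply):
    """Map ip -> (asn, prefix, as_name); asn is None when the IP is unrouted ('NA')."""
    result = {}
    for line in reply.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":  # skip banner line and header row
            continue
        asn, ip, prefix, _cc, _registry, _allocated, name = fields
        result[ip] = (int(asn) if asn.isdigit() else None, prefix, name)
    return result

def build_report(sightings, reply):
    """Rows (asn, ip, prefix, as_name, 'YYYY-MM-DD HH:MM:SS GMT') sorted numerically
    by ASN then time, so each operator can jump to their own AS; unrouted IPs last."""
    lookup = parse_cymru(reply)
    rows = []
    for ip, seen in sightings.items():
        asn, prefix, name = lookup.get(ip, (None, "NA", "NA"))
        stamp = seen.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")
        rows.append((asn, ip, prefix, name, stamp))
    rows.sort(key=lambda r: (r[0] is None, r[0] or 0, r[4]))
    return rows

if __name__ == "__main__":
    for asn, ip, prefix, name, stamp in build_report(SIGHTINGS, CYMRU_REPLY):
        print("%-6s | %-15s | %-16s | %s | %s" % (asn or "NA", ip, prefix, stamp, name))
```

To use it on a real list, feed the IPs to the bulk server (for example with netcat to whois.cymru.com port 43, wrapped in `begin`/`verbose`/`end`) and pass the captured reply in place of CYMRU_REPLY.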
