Destructive botnet originating from California (was Japan)

Jon Lewis jlewis at lewis.org
Mon Dec 26 03:21:11 UTC 2005


On Sun, 25 Dec 2005, Barrett G. Lyon wrote:

> I would have sent out a clean list sorted via AS and IP, except I have been 
> working from vacation on GPRS via my 1 bar of service on my cell phone.

What's vacation?

I gather Prolexic isn't a one-man shop.  Nobody else had a better internet 
connection and a few minutes to tidy up the data and make the post?

> If the right thing is to post this information to a more private list, then I 
> would do so.  However, I think it has been beneficial to get this information 
> out to the public where they can actually do something about it.  I've been

I didn't say nanog wasn't a good place to post the info...or that there 
aren't better places.  Just that if you want people to take action based 
on the data, present it in a more reader-friendly and meaningful format. 
Also, mixing IPs and PTRs in such a report is not a great idea.  I 
actually did scan through the message looking for any of my prefixes and 
$work's primary domain name.  If there was a PTR for some customer of ours 
in their own domain, I didn't see it, but I also didn't look for it. 
Posting data by ASN/IP totally avoids that issue and makes looking for 
your ASN(s) trivial.

> getting emails from a lot of people thanking for the posts because they were 
> able to identify a lot of messy traffic on their network and put an end to 
> it.  Posting information like this to a private list may not have 
> accomplished much.

I don't see a problem with posting it to both or as many appropriate lists 
as you can find.  Nanog is kind of geo-specific though.  Other lists might 
have much broader representation from the entire internet.

> This should be another thread completely, but I am wondering about the 
> liability of the individuals who have owned machines that are attacking 
> me/my clients.  I'm not a lawyer but I would assume that tort liability law 
> could apply and find someone liable for allowing their machine to DDoS 
> people.

IANAL either, but if I steal your car and run someone over with it, are 
you liable?  Should you be?  Computers are "stolen" or at least 
commandeered on the internet at an alarming rate because those who do it 
know that odds are, they won't get caught.  And if they are caught, odds 
are, nothing will happen.  And there's apparently considerable profit in 
the sale of commandeered systems or services provided by them.  I doubt 
you'll get anywhere trying to make an example of someone whose system was 
hacked or even just "used improperly".  I really don't think this problem 
can be solved by scaring sysadmins or corporations.  There will always be 
security holes.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
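The point made above about presenting an attacker list sorted by ASN and IP, rather than as a mix of IPs and PTR names, as an added example (this is not code from the original post, from Prolexic or from the thread): a small Python script that takes a mixed list of addresses and hostnames, maps each address to an origin ASN by longest-prefix match against a prefix table, and emits a report grouped by ASN and sorted by IP within each group, so an operator can grep for "AS<theirs>" and be done. The prefix-to-ASN table, the forward-DNS table and the input list are all constructed here for illustration; a real run would take the prefix table from a BGP RIB dump and do actual DNS lookups.

```python
"""Turn a mixed list of attacker IPs and hostnames into an ASN-sorted report.

Added example, not from the original post.  PREFIX_TO_ASN, FORWARD_DNS and
SAMPLE_REPORT are constructed for illustration; in practice the prefix table
comes from a BGP table dump and the hostnames are resolved with real DNS.
"""

import ipaddress
from collections import defaultdict

# Constructed prefix -> origin ASN table (documentation ranges, private ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,   # more specific; must win over the /24
    "203.0.113.0/24": 64499,
    "2001:db8::/32": 64500,
}

# Constructed stand-in for forward (A/AAAA) lookups of the PTR names in a report.
FORWARD_DNS = {
    "host1.example.net": "198.51.100.200",
    "bot7.example.org": "203.0.113.44",
}

# Constructed input: what a mixed IP/PTR attacker list looks like.
SAMPLE_REPORT = [
    "192.0.2.10",
    "host1.example.net",
    "198.51.100.7",
    "203.0.113.9",
    "bot7.example.org",
    "2001:db8::1",
    "no-such-host.invalid",
    "192.0.2.3",
]


def sorted_prefixes(table):
    """Return (network, asn) pairs ordered longest prefix first, so a linear
    scan returns the most specific covering prefix."""
    nets = [(ipaddress.ip_network(p, strict=False), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_asn(ip, nets):
    """Longest-prefix match of ip against nets; None if no prefix covers it."""
    for net, asn in nets:
        if ip.version == net.version and ip in net:
            return asn
    return None


def normalize(entry):
    """Map one report line to (ip_address, original_name_or_None).
    Hostnames are resolved through the constructed FORWARD_DNS table; the
    original name is kept because a PTR name need not resolve back to the
    address that actually attacked.  Unresolvable names give (None, name)."""
    entry = entry.strip()
    try:
        return ipaddress.ip_address(entry), None
    except ValueError:
        pass
    target = FORWARD_DNS.get(entry.lower())
    if target is None:
        return None, entry
    return ipaddress.ip_address(target), entry


def group_by_asn(entries, table=PREFIX_TO_ASN):
    """Return ({asn: [(ip, name_or_None), ...]}, [unresolved names])."""
    nets = sorted_prefixes(table)
    groups = defaultdict(list)
    unresolved = []
    for e in entries:
        ip, name = normalize(e)
        if ip is None:
            unresolved.append(name)
            continue
        groups[lookup_asn(ip, nets)].append((ip, name))
    # IPv4 and IPv6 addresses do not compare with each other, so sort on
    # (version, packed bytes) inside each ASN bucket.
    for asn in groups:
        groups[asn].sort(key=lambda t: (t[0].version, t[0].packed))
    return dict(groups), unresolved


def render(groups, unresolved):
    """Plain-text report: one 'ASnnnn' header per ASN, addresses indented
    beneath it, uncovered addresses last, then any unresolvable names."""
    lines = []
    for asn in sorted(groups, key=lambda a: (a is None, a or 0)):
        lines.append(f"AS{asn}" if asn is not None else "AS? (no covering prefix)")
        for ip, name in groups[asn]:
            lines.append(f"  {ip}" + (f"  # was {name}" if name else ""))
    if unresolved:
        lines.append("unresolved names:")
        lines.extend(f"  {u}" for u in unresolved)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*group_by_asn(SAMPLE_REPORT)))
```

Keeping the original hostname next to the resolved address matters: forward and reverse DNS are maintained independently, so a name lifted from a PTR record is evidence of what the reporter saw, not proof of which address to look for.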
