Tools for LARTing large nets of compromised boxen?

Jon Lewis jlewis at lewis.org
Thu Apr 20 13:55:55 UTC 2006


On Thu, 20 Apr 2006, Michael Loftis wrote:

>
> One of our customers is (has been) under concerted attempt at a DDoS attack 
> against their web server off and on for a while.  I've lists of IPs, lots of 
> them, many hundreds.  I'd like to know if anyone has a tool that will take 
> and match these lists of IPs into abuse contacts and fire off a LART to the 
> appropriate RP for the IP, but only one per full set, IE if RP-A has IP 
> A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs.

It's not an actual tool for doing the whole job, but you could use "bulk 
mode" on whois.cymru.com to turn your list of IPs [and timestamps?] into 
a list of "AS | IP | Timestamp | AS Name".  Send a help request to the 
whois.cymru.com whois server for instructions.

Once you have that, you could pretty easily split it by AS#, grab email 
addresses from whois records for the AS#'s, and email each AS#'s data to 
their ASN POCs.

You could also post a URL to the full output from your cymru whois here, 
and someone would likely forward the data to nsp-sec.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
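
The split-by-AS step described in the message above, as an added example that is not part of the original post: it parses text in the "AS | IP | Timestamp | AS Name" layout the message names and builds one report body per AS, with each IP listed once. The sample data is constructed (private-use ASNs, documentation IP ranges, made-up AS names), and the function names are hypothetical; looking up each AS's contact address and sending the mail are left out.

```python
from collections import defaultdict

# Constructed sample in the "AS | IP | Timestamp | AS Name" layout named in the
# message; ASNs are private-use and IPs are documentation ranges.
SAMPLE = """\
AS      | IP               | Timestamp           | AS Name
64512   | 192.0.2.10       | 2006-04-20 13:01:07 | EXAMPLE-NET-A
64513   | 198.51.100.7     | 2006-04-20 13:01:09 | EXAMPLE-NET-B
64512   | 192.0.2.11       | 2006-04-20 13:02:44 | EXAMPLE-NET-A
64512   | 192.0.2.10       | 2006-04-20 13:05:30 | EXAMPLE-NET-A
NA      | 203.0.113.5      | 2006-04-20 13:06:02 | NA
"""

def group_by_as(text):
    """Return ({asn: {"name": str, "hits": {ip: [timestamps]}}}, unmapped_ips)."""
    groups = defaultdict(lambda: {"name": "", "hits": defaultdict(list)})
    unmapped = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or fields[0] == "AS":
            continue  # blank line, banner, or column header
        asn, ip, ts, name = fields
        if not asn.isdigit():
            unmapped.append(ip)  # "NA" or multiple origins: needs a manual lookup
            continue
        groups[asn]["name"] = name
        groups[asn]["hits"][ip].append(ts)
    return groups, unmapped

def build_reports(groups):
    """One plain-text report body per AS, each IP listed once with its timestamps."""
    reports = {}
    for asn, info in groups.items():
        lines = [f"Hosts in AS{asn} ({info['name']}) seen in the attack:"]
        for ip in sorted(info["hits"]):
            lines.append(f"  {ip}  seen at: {', '.join(info['hits'][ip])}")
        reports[asn] = "\n".join(lines)
    return reports

if __name__ == "__main__":
    groups, unmapped = group_by_as(SAMPLE)
    for asn, body in build_reports(groups).items():
        print(body, end="\n\n")
    print("No AS mapping:", unmapped)
```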


