<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Re: Destructive botnet originating from California (was Japan)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Hows the mitigation going? We can argue semantics at Dallas NANOG.<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Jon Lewis [<A HREF="mailto:jlewis@lewis.org">mailto:jlewis@lewis.org</A>]<BR>
Sent: Sun Dec 25 22:23:19 2005<BR>
To: Barrett G. Lyon<BR>
Cc: NANOG<BR>
Subject: Re: Destructive botnet originating from California (was Japan)<BR>
<BR>
<BR>
On Sun, 25 Dec 2005, Barrett G. Lyon wrote:<BR>
<BR>
> I would have sent out a clean list sorted via AS and IP, except I have been<BR>
> working from vacation on GPRS via my 1 bar of service on my cell phone.<BR>
<BR>
What's vacation?<BR>
<BR>
I gather Prolexic isn't a one man shop. Nobody else had a better internet<BR>
connection and a few minutes to tidy up the data and make the post?<BR>
<BR>
> If the right thing is to post this information to a more private list, then I<BR>
> would do so. However, I think it has been benificial to get this information<BR>
> out to the public where they can actually do something about it. I've been<BR>
<BR>
I didn't say nanog wasn't a good place to post the info...or that there<BR>
aren't better places. Just that if you want people to take action based<BR>
on the data, present it in a more reader-friendly and meaningful format.<BR>
Also, mixing IPs and PTRs in such a report is not a great idea. I<BR>
actually did scan through the message looking for any of my prefix's and<BR>
$work's primary domain name. If there was a PTR for some customer of ours<BR>
in their own domain, I didn't see it, but I also didn't look for it.<BR>
Posting data by ASN/IP totally avoids that issue and makes looking for<BR>
your ASN(s) trivial.<BR>
<BR>
> getting emails from a lot of people thanking for the posts because they were<BR>
> able to identify a lot of messy traffic on their network and put an end to<BR>
> it. Posting information like this to a private list may not have<BR>
> accomplished much.<BR>
<BR>
I don't see a problem with posting it to both or as many appropriate lists<BR>
as you can find. Nanog is kind of geo-specific though. Other lists might<BR>
have much broader representation from the entire internet.<BR>
<BR>
> This should be another thread completely, but I am wondering about the<BR>
> liability of the individual's who have owned machines that are attacking<BR>
> me/my clients. I'm not a lawyer but I would assume that tort liability law<BR>
> could apply and find someone liable for allowing their machine to DDoS<BR>
> people.<BR>
<BR>
IANAL either, but if I steal your car and run someone over with it, are<BR>
you liable? Should you be? Computers are "stolen" or at least<BR>
commandeered on the internet at an alarming rate because those who do it<BR>
know that odds are, they won't get caught. And if they are caught, odds<BR>
are, nothing will happen. And there's apparently considerable profit in<BR>
the sale of commandeered systems or services provided by them. I doubt<BR>
you'll get anywhere trying to make an example of someone who's system was<BR>
hacked or even just "used improperly". I really don't think this problem<BR>
can be solved by scaring sysadmins or corporations. There will always be<BR>
security holes.<BR>
<BR>
----------------------------------------------------------------------<BR>
Jon Lewis | I route<BR>
Senior Network Engineer | therefore you are<BR>
Atlantic Net |<BR>
_________ <A HREF="http://www.lewis.org/~jlewis/pgp">http://www.lewis.org/~jlewis/pgp</A> for PGP public key_________<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>