On Thu, Oct 07, 2004 at 04:24:42PM -0400, Mike Tancsa wrote:
> Have you sent email to those edu abuse contacts ? Most of the universities
> I have worked with for abuse resolution are generally responsive.
Unfortunately, 'generally responsive' is the best you can hope for. Recently, while investigating a customer system that had been rooted (poorly chosen root password), I tracked the psybnc and energymech bots down to a channel on Undernet's IRC network (#The-Hackers). After wiping out about half their bots (with information gleaned from the exploited system), they got upset and decided to attack the host I was IRC'ing from.

One provider (Qwest) resolved the issue after 6 hours of ~100mbit coming from a colo customer (big name game company, SLA complicated things).

One provider (NetNation.com) said they were aware that the system had been exploited and was attacking other systems, but that they had not gotten around to doing anything about it. A phone call to the customer paying for the ~50-60mbit/s it was spewing got that resolved very quickly.

The third system went offline completely about 5 minutes after it started attacking; I like to believe that it set off an alarm somewhere and someone investigated.

Notable points here:

a) Some providers are happy to allow their customers' systems to push DDoS traffic; it increases their revenue.

b) IRC is a haven for these people. Unfortunately, networks like Undernet take it a step further by providing channel services and host hiding, so that not only the people behind the DDoS are hidden, but so are the bots themselves. The people running the network fear retaliation too much to do anything about it.

c) Everyone I've run across while hunting botnets has been from Thailand, Korea, India, or somewhere nearby. #The-Hackers has their own website, complete with valid phone numbers: www.the-hackers.org

d) There is no easy solution.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203