Re: [botnets] mocbot spam analysis

2006-08-17 Thread virendra rode //
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

in-line:

J. Oquendo wrote:
> virendra rode // wrote:
>> ---
>> Just curious, are you addressing this via IPs & port(s)? If so, what
>> happens if these IPs are doing port hopping? Are you doing any sort of
>> L7 monitoring? What happens if it is a virtual IP?
>>
>> How are you guys doing any bogon filtering?
>>
>>
>>
>> regards,
>> /virendra
> 
> Me personally, I have zero tolerance for bs. The scenario I described would
> be for my own network and probably should not be used in a WAN scenario.
> Again I did mention I no longer work at the ISP level nor do I work in
> academia land any longer, so my notions don't apply to those types of
> industries. However I will give you a better scenario if you do work in
> those industries...
---
I'm sorry I somehow missed that.

> 
> Firstly, I again know no one on the planet who should come knocking on those
> port doors so my reaction is to block them out. They're infected machines
> so I see no reason to allow them anywhere on your network, traversing your
> network, heck even wasting a ping on your network. What you could do is
> flush your rules every twenty four hours or so, rinse and repeat. I fail
> to see your logic in wondering what happens if they can't connect. Maybe
> I'm misconstruing your response, but if it is a "well what happens if
> they can't connect", good for them. They should take their infested traffic
> elsewhere. To be fair, a script to flush your rules would be nice sure.
> Me? On my personal network, I don't care if they re-connect or blow up.
--
I try and implement aggressive filters
(bogon/flood-blocking/nbar/URPF/anti-spoof, etc.) for my customer
networks. Yes, it works for the most part, but we occasionally run into
buffer/congestion issues, and this is where QoS comes to our rescue.

We monitor (proactive approach) our QoS policies very closely because
they can possibly work against us given certain (white-list)
application-level data rates that are in use.


regards,
/virendra

> 
> 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil infiltrated . net http://www.infiltrated.net
> 
> "How a man plays the game shows something of his
> character - how he loses shows all" - Mr. Luckey 
> 
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE441HpbZvCIJx1bcRAl6PAJ9IQT7cS0wHGsyHGORS6c3xZT2sRwCfV2d8
a2qChnwCQckniYVNZqxLubc=
=qFiH
-END PGP SIGNATURE-
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Re: [botnets] mocbot spam analysis

2006-08-17 Thread J. Oquendo

virendra rode // wrote:
> ---
> Just curious, are you addressing this via IPs & port(s)? If so, what
> happens if these IPs are doing port hopping? Are you doing any sort of
> L7 monitoring? What happens if it is a virtual IP?
>
> How are you guys doing any bogon filtering?
>
>
>
> regards,
> /virendra

Me personally, I have zero tolerance for bs. The scenario I described would
be for my own network and probably should not be used in a WAN scenario.
Again I did mention I no longer work at the ISP level nor do I work in
academia land any longer, so my notions don't apply to those types of
industries. However I will give you a better scenario if you do work in
those industries...

Firstly, I again know no one on the planet who should come knocking on those
port doors so my reaction is to block them out. They're infected machines
so I see no reason to allow them anywhere on your network, traversing your
network, heck even wasting a ping on your network. What you could do is
flush your rules every twenty four hours or so, rinse and repeat. I fail
to see your logic in wondering what happens if they can't connect. Maybe
I'm misconstruing your response, but if it is a "well what happens if
they can't connect", good for them. They should take their infested traffic
elsewhere. To be fair, a script to flush your rules would be nice sure.
Me? On my personal network, I don't care if they re-connect or blow up.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 


Re: [botnets] mocbot spam analysis

2006-08-17 Thread virendra rode //
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

in-line:


J. Oquendo wrote:
> Gadi Evron wrote:
> 
>> I'd like to quote Joe, for historical purposes:
>>
>> Obviously there is money being made here - the economics of exploiting
>> end-user systems for the purposes of spam has been an established business
>> model for at least four years now.
> 
> Perhaps it's been longer than that. Maybe it's just been noticed within the 
> past four, who knows.
> 
> Anyhow, it's surprising that some software vendor hasn't upped the ante here 
> and begun to block offending IP addresses associated with these C&Cs. How 
> difficult would it be to, say, create a scripted module that "greps" out the IP 
> addresses from these bots, takes that IP address, and firewalls it out from 
> their subnet.
> 
> Eg:
> 
> Supposing my logfiles alert me with an IP and port which looks like:
> 
> 192.168.1.10:18607
> 10.1.20.123:32312
> 120.120.110.110:18607
---
Just curious, are you addressing this via IPs & port(s)? If so, what
happens if these IPs are doing port hopping? Are you doing any sort of
L7 monitoring? What happens if it is a virtual IP?

How are you guys doing any bogon filtering?



regards,
/virendra



> 
> awk -F: '$2 == 18607 {print $1}' logfiles | sort -u |
>   xargs -I{} iptables -A INPUT -p tcp -s {} -j DROP
> 
> Or pick your favorite script... Anyhow, I'm sure most understand what I'm 
> getting to. Sure this only works on networks where ipchains is used, but I 
> can think of plenty of ways to filter these issues before they infest your 
> network...
> 
> What I still find strange, and I guess I will be an odd man out is, why 
> providers are so reluctant to get off their rears and address these issues. 
> Let's be realistic who on the planet is using port 18607. I know if I was 
> still in the ISP business and I saw these obscure ass ports, they'd be 
> filtered. Last thing I need would be some crazy ass code red like worm taking 
> my network down. It's surprising most engineers (and you lazy bums know who 
> you are) allow stupidity. I guess the Forrest Gump rule applies: stupid is as 
> stupid does. 
> 
> Gadi by the way, I know a few years back (I don't know maybe 2 or so around 
> the SDBot days... Hell I don't even know if you recall) I had intended on 
> helping with this project (Botnet). Apologies I've been off and on, but I 
> relocated, etc., etc. If you need anything give a holler. 
> 
> 
> J. Oquendo
> sil . infiltrated @ net http://www.infiltrated.net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> 26:0608031813:J. Oquendo::fNaE6zH/HDTggYKS:005zLMj
>  
> The happiness of society is the end of government.
> John Adams
> 
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE41XDpbZvCIJx1bcRAi8EAJ4gSNoTlRL//uPdNa4RqQA9an+CDwCg4ww1
urQLWfJT9fyjB/3+JMjzhgU=
=Jg89
-END PGP SIGNATURE-
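A worked version of the blocklist idea discussed in this thread, covering the `ip:port` log grep from J. Oquendo's original post (quoted above), the "flush your rules every twenty four hours" point from his reply, and virendra's question about bogon filtering and virtual IPs. This is an added example, not code from any post in the thread or from any project. It assumes a log format with one `A.B.C.D:port` token per line, a constructed sample log modelled on the three addresses in the post, a hypothetical `NEVER_BLOCK` range list, and ipset/iptables as the enforcement point.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original post). The first three
# reuse the address:port pairs shown in the post; the rest exercise edge cases:
# a repeat hit, a line where the C&C port number appears somewhere other than
# the port field, and a link-local source that must never be blocked by IP.
SAMPLE_LOG = """\
Aug 17 03:12:01 sensor bot: connect 192.168.1.10:18607
Aug 17 03:12:05 sensor bot: connect 10.1.20.123:32312
Aug 17 03:12:09 sensor bot: connect 120.120.110.110:18607
Aug 17 03:13:44 sensor bot: connect 120.120.110.110:18607
Aug 17 03:14:02 sensor bot: connect 120.120.110.111:443 session=18607
Aug 17 03:15:00 sensor bot: connect 169.254.10.10:18607
Aug 17 03:16:00 sensor bot: connect 120.120.110.112:18607
"""

# Hypothetical list of ranges that must never become a source-IP DROP rule:
# they either never arrive from the Internet (bogons) or, for RFC 1918 space,
# are your own hosts or a NAT/virtual IP fronting many machines. Tune per site.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Match a real ip:port token only, so a port number that happens to appear
# elsewhere on the line (session id, timestamp) is not counted as a hit the
# way a bare /18607/ pattern would count it.
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def extract_cnc_sources(log_text, cnc_port):
    """Return (accepted, skipped) for one C&C port.

    accepted: unique source IPs seen talking to cnc_port, in first-seen order.
    skipped:  (ip, reason) pairs that were deliberately not turned into rules,
              kept so an operator can audit what the script refused to block.
    """
    accepted, skipped, seen = [], [], set()
    for line in log_text.splitlines():
        m = ENDPOINT_RE.search(line)
        if not m:
            continue
        ip_text, port = m.group(1), int(m.group(2))
        if port != cnc_port:
            continue
        if ip_text in seen:
            continue
        seen.add(ip_text)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            skipped.append((ip_text, "malformed address"))
            continue
        if any(ip in net for net in NEVER_BLOCK):
            skipped.append((ip_text, "bogon/private space"))
            continue
        accepted.append(ip_text)
    return accepted, skipped


def ipset_commands(ips, setname="cnc_block", ttl=86400):
    """Emit shell commands that block each IP for ttl seconds (default 24h).

    A hash:ip set created with a timeout gives the 'flush every twenty four
    hours' behaviour for free: entries age out individually instead of being
    deleted in bulk, and a host seen again is simply refreshed via -exist.
    The iptables line is added once; -C checks whether it is already present.
    """
    cmds = [
        f"ipset create {setname} hash:ip timeout {ttl} -exist",
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP "
        f"|| iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    for ip in ips:
        cmds.append(f"ipset add {setname} {ip} timeout {ttl} -exist")
    return cmds


if __name__ == "__main__":
    wanted, refused = extract_cnc_sources(SAMPLE_LOG, 18607)
    for ip, why in refused:
        print(f"# skipped {ip}: {why}")
    print("\n".join(ipset_commands(wanted)))
```

Two design points follow from the thread. The port is only the trigger; the rule is keyed on the source IP, so a bot that hops to another port after its first hit is still dropped. And two of the three sample addresses in the original post are RFC 1918 space: on most networks those are your own hosts (or a NAT/virtual IP hiding many of them), so the script refuses to emit rules for them and reports why rather than silently cutting them off.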