Re: [botnets] mocbot spam analysis
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

in-line:

J. Oquendo wrote:
> virendra rode // wrote:
>> Just curious, are you addressing this via IPs & port(s)? If so, what
>> happens if these IPs are doing port hopping? Are you doing any sort of
>> L7 monitoring? What happens if it is a virtual IP?
>>
>> How are you guys doing bogon filtering?
>>
>> regards,
>> /virendra
>
> Me personally, I have zero tolerance for bs. The scenario I described would
> be for my own network and probably should not be used in a WAN scenario.
> Again, I did mention I no longer work at the ISP level nor do I work in
> academia land any longer, so my notions don't apply to those types of
> industries. However, I will give you a better scenario if you do work in
> those industries...

I'm sorry, I somehow missed that.

> Firstly, I again know no one on the planet who should come knocking on those
> port doors, so my reaction is to block them out. They're infected machines,
> so I see no reason to allow them anywhere on your network, traversing your
> network, heck, even wasting a ping on your network. What you could do is
> flush your rules every twenty-four hours or so, rinse and repeat. I fail
> to see your logic in wondering what happens if they can't connect. Maybe
> I'm misconstruing your response, but if it is a "well, what happens if
> they can't connect", good for them. They should take their infested traffic
> elsewhere. To be fair, a script to flush your rules would be nice, sure.
> Me? On my personal network, I don't care if they re-connect or blow up.

I try to implement aggressive filters (bogon/flood-blocking/NBAR/uRPF/anti-spoof, etc.) for my customer networks. Yes, it works for the most part, but we occasionally run into buffer/congestion issues, and this is where QoS comes to our rescue.

We monitor (proactive approach) our QoS policies very closely because they can possibly work against us given certain (white-list) application-level data rates that are in use.

regards,
/virendra
Re: [botnets] mocbot spam analysis
virendra rode // wrote:
> Just curious, are you addressing this via IPs & port(s)? If so, what
> happens if these IPs are doing port hopping? Are you doing any sort of
> L7 monitoring? What happens if it is a virtual IP?
>
> How are you guys doing bogon filtering?
>
> regards,
> /virendra

Me personally, I have zero tolerance for bs. The scenario I described would be for my own network and probably should not be used in a WAN scenario. Again, I did mention I no longer work at the ISP level nor do I work in academia land any longer, so my notions don't apply to those types of industries. However, I will give you a better scenario if you do work in those industries...

Firstly, I again know no one on the planet who should come knocking on those port doors, so my reaction is to block them out. They're infected machines, so I see no reason to allow them anywhere on your network, traversing your network, heck, even wasting a ping on your network. What you could do is flush your rules every twenty-four hours or so, rinse and repeat. I fail to see your logic in wondering what happens if they can't connect. Maybe I'm misconstruing your response, but if it is a "well, what happens if they can't connect", good for them. They should take their infested traffic elsewhere. To be fair, a script to flush your rules would be nice, sure. Me? On my personal network, I don't care if they re-connect or blow up.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
Re: [botnets] mocbot spam analysis
in-line:

J. Oquendo wrote:
> Gadi Evron wrote:
>> I'd like to quote Joe, for historical purposes:
>>
>> Obviously there is money being made here - the economics of exploiting
>> end-user systems for the purposes of spam has been an established business
>> model for at least four years now.
>
> Perhaps it's been longer than that. Maybe it's just been noticed within the
> past four, who knows.
>
> Anyhow, it's surprising that some software vendor hasn't upped the ante here
> and begun to block offending IP addresses associated with these C&Cs. How
> difficult would it be to, say, create a scripted module that "greps" out the IP
> addressing from these bots, takes that IP address, and firewalls it out from
> their subnet?
>
> Eg:
>
> Supposing my logfiles alert me with an IP and port which looks like:
>
> 192.168.1.10:18607
> 10.1.20.123:32312
> 120.120.110.110:18607

Just curious, are you addressing this via IPs & port(s)? If so, what happens if these IPs are doing port hopping? Are you doing any sort of L7 monitoring? What happens if it is a virtual IP?

How are you guys doing bogon filtering?

regards,
/virendra

> awk '/18607/{gsub (/:/," ");print "iptables -A INPUT -p tcp -j DROP -s", $1}' logfiles | sh
>
> Or pick your favorite script... Anyhow, I'm sure most understand what I'm
> getting at. Sure, this only works on networks where ipchains is used, but I
> can think of plenty of ways to filter these issues before they infest your
> network...
>
> What I still find strange, and I guess I will be the odd man out, is why
> providers are so reluctant to get off their rears and address these issues.
> Let's be realistic: who on the planet is using port 18607? I know if I was
> still in the ISP business and I saw these obscure ass ports, they'd be
> filtered. The last thing I need would be some crazy ass Code Red-like worm taking
> my network down. It's surprising most engineers (and you lazy bums know who
> you are) allow stupidity. I guess the Forrest Gump rule applies: stupid is as
> stupid does.
>
> Gadi, by the way, I know a few years back (I don't know, maybe 2 or so, around
> the SDBot days... Hell, I don't even know if you recall) I had intended on
> helping with this project (Botnet). Apologies I've been off and on, but I
> relocated, etc., etc. If you need anything, give a holler.
>
> J. Oquendo
> sil . infiltrated @ net http://www.infiltrated.net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> 26:0608031813:J. Oquendo::fNaE6zH/HDTggYKS:005zLMj
>
> The happiness of society is the end of government.
> John Adams
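The two ideas that run through this thread, Oquendo's "grep the IP out of the alert and firewall it, then flush the rules every day" and virendra's question about bogon filtering, fit together in one small script. The following Python is an added example written for this page; it is not code from the list, from either poster, or from any project. It generalizes the awk one-liner above: instead of appending straight to INPUT it rebuilds a dedicated chain (the chain name BOTNET_CC is a hypothetical choice for this example), it rejects malformed lines and bogon/private sources before they become rules, and it de-duplicates. The sample log is constructed; three of its lines are the thread's own examples, port 18607 is the port the thread discusses, and the rest is made up to exercise the edge cases.

```python
import ipaddress
import re

# Constructed sample alerts in the 'ip:port' form quoted in the thread.
# Three lines are the thread's own examples; the rest are added to exercise
# duplicates, a documentation-range (bogon) source, an unspecified address,
# a malformed line, and traffic on a port that is not being tracked.
SAMPLE_LOG = """\
192.168.1.10:18607
10.1.20.123:32312
120.120.110.110:18607
120.120.110.110:18607
203.0.113.7:18607
0.0.0.0:18607
not-an-address:18607
120.120.110.110:80
"""

# Port(s) the analyst has tied to the C&C traffic; 18607 is the one in the thread.
CC_PORTS = {18607}
# Hypothetical chain name chosen for this example; not from the thread.
CHAIN = "BOTNET_CC"

# Short static bogon list: private and special-use space that should never
# appear as a real source on the public Internet. A production bogon feed is
# longer and changes over time, so it should be refreshed, not hard-coded.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

ALERT_RE = re.compile(r"^(\S+):(\d{1,5})$")


def parse_alert(line):
    """Return (ip_address, port) for a well-formed 'ip:port' line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return ip, port


def is_bogon(ip):
    """True if the source address is private/reserved and should be ignored
    rather than turned into a block-list entry."""
    if ip.version == 4:
        return any(ip in net for net in BOGON_NETS)
    # For IPv6 fall back to the stdlib classification flags.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def offending_sources(log_text, cc_ports=CC_PORTS):
    """Unique public source IPs (as strings) seen on a tracked C&C port,
    in first-seen order. Bogon and malformed entries are skipped."""
    seen = []
    for line in log_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ip, port = parsed
        if port not in cc_ports or is_bogon(ip):
            continue
        if str(ip) not in seen:
            seen.append(str(ip))
    return seen


def build_rules(log_text, cc_ports=CC_PORTS, chain=CHAIN):
    """iptables commands that rebuild a dedicated chain from the current log.
    Flushing the chain first means a daily cron run is the 'flush your rules
    every twenty-four hours, rinse and repeat' approach from the thread,
    without ever touching the rest of the INPUT policy."""
    rules = [
        f"iptables -N {chain} 2>/dev/null || true",  # create the chain once
        f"iptables -F {chain}",                      # drop yesterday's entries
    ]
    for ip in offending_sources(log_text, cc_ports):
        rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Print the commands rather than executing them so the output can be reviewed.
    print("\n".join(build_rules(SAMPLE_LOG)))
```

Run on the constructed log, only 120.120.110.110 survives: the two RFC 1918 hosts and the documentation-range address are bogons, the duplicate collapses, the malformed line is rejected, and the port-80 hit is not on a tracked port. The chain still needs a single `-j BOTNET_CC` jump from INPUT (or FORWARD, if the box routes for others), which is a one-time setup step and deliberately not regenerated here. Port-hopping C&C, as virendra points out, defeats any port-keyed filter like this one; the script's answer is only that the port set is a parameter, not that it solves the problem.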