Bellsouth and Redbacks
Just curious if anyone from Bellsouth can comment on why they're changing from existing vendor to Redbacks? Please take it offline. http://www.redback.com/PTE?rbAction=pressoperation=op_onenextPage=pressInfo.jspregionId=1localeId=en-UStableId=1pressId=1014cOrA=C
Williams contact needed
If someone from Williams Communications is around, please contact me off list. Thanks! Greg Schwimer gschwimer at godaddy.com
IRC Bot list (cross posting)
On Tue, 8 Feb 2005, Justin Azoff wrote: I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at http://www.albany.edu/~ja6447/hacked_bots8.txt I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist lynx -dump http://www.infiltrated.net/nanog-list-botlist|grep -i $MYDOMAIN Further sorted http://www.infiltrated.net/nanog-botlist-comcast http://www.infiltrated.net/nanog-botlist-edu http://www.infiltrated.net/nanog-botlist-optonline http://www.infiltrated.net/nanog-botlist-vz http://www.infiltrated.net/nanog-botlist-cox http://www.infiltrated.net/nanog-botlist-mspring http://www.infiltrated.net/nanog-botlist-rr =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x0D99C05C http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0D99C05C sil @ infiltrated . net http://www.infiltrated.net How a man plays the game shows something of his character - how he loses shows all - Mr. Luckey
Re: IRC Bot list (cross posting)
Hi, you probably didnt think of this but it might not be a good idea to publish a list of 3000 computers than can be infected/taken over for further nastiness. if you can privately send me a list of Ip addresses (no need to sort) i can assist you to distribute this information securely? Steve On Tue, 8 Feb 2005, J. Oquendo wrote: On Tue, 8 Feb 2005, Justin Azoff wrote: I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at http://www.albany.edu/~ja6447/hacked_bots8.txt I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist lynx -dump http://www.infiltrated.net/nanog-list-botlist|grep -i $MYDOMAIN Further sorted http://www.infiltrated.net/nanog-botlist-comcast http://www.infiltrated.net/nanog-botlist-edu http://www.infiltrated.net/nanog-botlist-optonline http://www.infiltrated.net/nanog-botlist-vz http://www.infiltrated.net/nanog-botlist-cox http://www.infiltrated.net/nanog-botlist-mspring http://www.infiltrated.net/nanog-botlist-rr =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x0D99C05C http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0D99C05C sil @ infiltrated . net http://www.infiltrated.net How a man plays the game shows something of his character - how he loses shows all - Mr. Luckey
Re: IRC Bot list (cross posting)
Stephen J. Wilcox wrote: Hi, you probably didnt think of this but it might not be a good idea to publish a list of 3000 computers than can be infected/taken over for further nastiness. if you can privately send me a list of Ip addresses (no need to sort) i can assist you to distribute this information securely? I don't reply to posts just to agree in quite a few years now. In this case I feel very strongly about it, though. Me Too! I am sure these 3K users will appreciate getting re-pwned by 20 Bad Guys from nanog. Gadi.
UDP Port 80 Flooding
Anyone seen a rash of UDP port 80 packet floods lately? We found a huge flood of packets from an address in Taiwan flooding into a customer's IP on our LAN yesterday, which pushed traffic counts off the charts. Any idea what might be at the heart of this? -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
Re: UDP Port 80 Flooding
On Tue, 8 Feb 2005, Greg Boehnlein wrote: Anyone seen a rash of UDP port 80 packet floods lately? We found a huge flood of packets from an address in Taiwan flooding into a customer's IP on our LAN yesterday, which pushed traffic counts off the charts. Any idea what might be at the heart of this? made 'famous' around may-day 2001... Chinese vs US 'hackers', the chinese folks got quite a letter writing campaign going, had all their friends download a 'network testing tool' from foundstone (I think) a little windows app that would allow you to put in: port protocol size (perhaps time) and flood away! :) It was 'great' because you could figure the problem out quickly and filter/rate-limit udp/80 traffic :) Today I imagine it's probably some purpose built code to just pummel out udp traffic, but this is far from 'new' :(
Re: IRC Bot list (cross posting)
On Tue, 2005-02-08 at 20:13 -0500, J. Oquendo wrote: On Tue, 8 Feb 2005, Justin Azoff wrote: I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at http://www.albany.edu/~ja6447/hacked_bots8.txt I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist Here's a different version of the above, host'ed, awk'ed and sorted. NOTE: several of those hostnanes did not resolve, so this list is not an exact duplicate. http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted -Jim P.
Re: IRC Bot list (cross posting)
On Tue, 2005-02-08 at 23:01 -0500, Jim Popovitch wrote: Here's a different version of the above, host'ed, awk'ed and sorted. NOTE: several of those hostnanes did not resolve, so this list is not an exact duplicate. http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted If you grabed this in the past few minutes, you might want to re-grab it. I didn't realize that there were some IP addrs in the original file. I regenerated the list and there are now 3085 IPs in that list. -Jim P.
Re: IRC Bot list (cross posting)
Wasn't there supposed to be special mail list setup for botnet tracking? If so can we please move this thread there and not continue it on main nanog list... -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: IRC Bot list (cross posting)
You don't mass an army if you're not about to use it. This situation can (very quickly) have operational relevance. Bringing it to light to a wider forum than special interest groups is a good idea. You'd certainly care more if it was pointed at you. - billn On Tue, 8 Feb 2005, william(at)elan.net wrote: Wasn't there supposed to be special mail list setup for botnet tracking? If so can we please move this thread there and not continue it on main nanog list...
Re: IRC Bot list (cross posting)
On Tue, 8 Feb 2005, Bill Nash wrote: You don't mass an army if you're not about to use it. 3000 is no longer that large, maybe a brigade but not an army... This situation can (very quickly) have operational relevance. If every botnet investigation is brought up at nanog, the list itself will loose relevence. Bringing it to light to a wider forum than special interest groups is a good idea. Appropriate people already saw the list and will take care. There are also special tools available that will take list of ip addresses and notify appropriate networks, doing it manually and then letting all list know (epsecially nanog which has not only whitehats but number of blackhats) is in itself a security issue as has already been pointed out. --- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: IRC Bot list (cross posting)
: Wasn't there supposed to be special mail list setup for botnet : tracking? : : If so can we please move this thread there and not continue it on main : nanog list... Why worry? It's a done deal... scott
RE: IRC Bot list (cross posting)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill Nash Sent: Wednesday, February 09, 2005 12:37 AM To: william(at)elan.net Cc: [EMAIL PROTECTED] Subject: Re: IRC Bot list (cross posting) You don't mass an army if you're not about to use it. This situation can (very quickly) have operational relevance. Bringing it to light to a wider forum than special interest groups is a good idea. You'd certainly care more if it was pointed at you. - billn Bill, haven't we been here before? :) There's TWO places that are doing this botnet stuff and the NANOG AUP discourages cross posting. I for one certainly don't want yet another list full of botnet stuff.
RE: IRC Bot list (cross posting)
On Wed, 9 Feb 2005, Hannigan, Martin wrote: Bill, haven't we been here before? :) There's TWO places that are doing this botnet stuff and the NANOG AUP discourages cross posting. I for one certainly don't want yet another list full of botnet stuff. And I'm not subscribed to either. Yet, I've no less than a /19 of space under my purview and I don't believe that publishing botnet lists in the manner that has been done is either off topic, or off charter. Some of us, as hosting providers or similiar entities, have network costs to keep to a minimum. For those of us with security concerns, a heads up to compromised hosts within our bailiwick will *always* be appreciated. Yes, we've been here before. I'm not sure what the view is like from your horse, but I imagine it's very different from mine, since my job security is based on performance, not monopoly backing. This kind of topical suppression is as bad as draconian moderation. In the years I've been subscribed to nanog, I've taken a very simple stance to threads I'm not interested in: I ignored them. I highly suggest you do the same, because frankly, I'm rapidly tiring of your condescension. What exactly is it that makes your viewpoint more important than mine? Based on the simple evidence that you're literate, I'm going to guess that you can read, and delete, an accurately described thread by interpreting the subject line. Various persons put forth some amount of effort to, graciously, give other operators a heads up to the ongoing/potential abuse of their networks, and you're concerned about topical relevance? Why aren't you, in the least, THANKING them for their efforts? Maybe it's because these thousands of drones are being used to pump out spam across the internet, which may require (at some point) some form of domain registration at the end site pushing whatever product, which at later trickles into Verisign's coffers? If you're not going to be part of a productive solution, do us a favor and stop getting in the way of people actually trying to do something useful. - billn