Re: IRC Bot list (cross posting)
On Wed, 2005-02-09 at 22:04 -0800, Bill Nash wrote: > Moving to a more productive stance for this thread: > How many people have subbed in the past month? The past year? There's > stuff in the FAQ about what's directly relevent to this particular list, > but there are a million related sub-topics with low level chatter that > would overwhelm a single list, like this one. Is there a helpful resource > that references these lists, to give subscribers a better grasp on topic > specific lists that other nanog users deem productive, clue packed and > useful? I don't know how relevant this is to your question, but since it was part of the Subject here it goes: The botlist MUST have been interesting to a sizable number of NANOG'ers. At least 305 people (different IPs) downloaded the version that I posted here last night. -Jim P.
Re: IRC Bot list (cross posting)
[ Edited and resent, the first appears to have vanished in transit ] I concede the point that operational tracking of botnets doesn't belong here, and I offer apologies to Martin, and the list in general, for not counting to ten before replying to his email. However, simply suppressing discussion of the topics isn't a good way to foster a cooperative working environment. I'd like to thank those few folks who corrected me, today. I was wrong in what I felt was appropriate, and I shouldn't have gone off in the manner I did. Moving to a more productive stance for this thread: How many people have subbed in the past month? The past year? There's stuff in the FAQ about what's directly relevent to this particular list, but there are a million related sub-topics with low level chatter that would overwhelm a single list, like this one. Is there a helpful resource that references these lists, to give subscribers a better grasp on topic specific lists that other nanog users deem productive, clue packed and useful? - billn
Re: 72.18.160.0/19 Please Check Filters - BOGON Filtering IP Space 72.0.0.0/8
That's lovely: 72.29.160.0/20 was "lent" to us by ARIN just last week so we're in the same boat. -jr * Bryan Bradsby <[EMAIL PROTECTED]> [20050119 19:28]: > > > > Our NOC is opening a lot of tickets for customers that live on our > > 72.14.128.0/19 network going towards local and federal government sites > > in particular. > > Our customer - Angelo State U was recently assigned IP space > 72.18.160.0/19. They have also seen some issues getting packets to > government and other sites. > > For example, USGS.gov was filtering based on an old bogon list. > > Rob T - this should be a periodic FAQ: > >http://www.cymru.com/Bogons/ -- Josh Richards| Colocation Web Hosting Bandwidth Digital West Networks| +1 805 781-9378 / www.digitalwest.net San Luis Obispo, CA | AS14589 (Production) / AS29962 (R&D) [EMAIL PROTECTED] | DWNI - Making Internet Business Better
Savvis Contact
Can any network engineer from the Savvis network please contact me off-line. Kind Regards, Ken Williams Network Security Engineer Sony Pictures Digital Entertainment
Re: ICANN Engages Independent Evaluation Team to Review .NET Applications
At 5:30 PM + 05/2/9, Fergie (Paul Ferguson) wrote: >I'm surprised to have not heard anyone mention this > >http://www.icann.org/announcements/announcement-07feb05.htm > I'm surprised that SAIC has been given another opportunity to negatively impact the internet. >From http://www.icann.org/announcements/telcordia-disclosure.htm >Telcordia Technologies is a wholly-owned subsidiary of Science >Applications International Corporation (SAIC). >Prior to 2000, SAIC had an ownership interest in Network Solutions, Inc (NSI). Cheers, Darrell
Re: IRC Bot list (cross posting)
> > There's TWO places that are doing this botnet stuff and > > the NANOG AUP discourages cross posting. > > > > I for one certainly don't want yet another list full of > > botnet stuff. > > And I'm not subscribed to either. Yet, I've no less than a /19 of space > under my purview and I don't believe that publishing botnet lists in the > manner that has been done is either off topic, or off charter. i suppose that at some level, the idea of topic-specific mailing lists is just a bad idea and keeps us all in the dark on most topics. wouldn't it be better to just post everything everywhere and make everybody read everything? wait, wait, i have a better idea. if you have a /19 worth of space and... > Some of us, as hosting providers or similiar entities, have network costs > to keep to a minimum. For those of us with security concerns, a heads up > to compromised hosts within our bailiwick will *always* be appreciated. ...you really care about botnet reports, then why not subscribe to nsp-sec@ or da@ where such reports are published all damned day long every day. if you ONLY subscribe to nanog@, you're missing a HUGE number of botnet reports. -- Paul Vixie
Re: IRC Bot list (cross posting)
Why is it a bad idea then? Because not all of us are Bill Nash who won't pwn a user. The same can easily be said for ANY public forum. Yes.
ICANN Engages Independent Evaluation Team to Review .NET Applications
I'm surprised to have not heard anyone mention this http://www.icann.org/announcements/announcement-07feb05.htm - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED]
Re: IRC Bot list (cross posting)
--On Wednesday, February 09, 2005 11:28 +0200 Gadi Evron <[EMAIL PROTECTED]> wrote: Why is it a bad idea then? Because not all of us are Bill Nash who won't pwn a user. The same can easily be said for ANY public forum.
RE: IRC Bot list (cross posting)
On Wed, 9 Feb 2005, Hannigan, Martin wrote: out botnet lists to NANOG, fine by me. I never said I can stop them. I just said I didn't want them as a subscriber. I understand that you don't know where these existing lists are. Look hard. If you suddenly care about bots enough in the last 24 hours to spend all night writing a post about me, you should be able to expend the same energy and find a botnet list to enjoy. My point is simple. There's more people on this list besides you and William. This list should not run by the preference of two vocal people who can't be bothered to skim/trim/ignore threads they aren't interested in. This isn't exactly a high volume list. The percentage of subscribers who actually post is a distinct minority, and from the volume of mail I got last time you and I went around, there's a lot of smaller operators who simply monitor the list for interesting things who may find those kinds of discussions interesting. This thread is already longer than it likely would have been had it simply been recognized as uninteresting signal (but signal nonetheless) and left alone. I'm hardly an icon of self-restraint, but worry about off-topic when it's actually a problem, and stop discouraging people to post entirely. - billn
Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))
On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said: > > > http://www.albany.edu/~ja6447/hacked_bots8.txt > > Isn't it a good idea to collect the IP addresses rather than the ptr > name? For instance, if I were an evil person in control of the ptr > record of my own IP, I could easily make the name something like > 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never > be sure you got the right details! > > Something like this is probably not very widespread (has anyone seen it > in practice?), but I still think that for tracking purposes, ptr records > are useless. IMHO. The kiddies have been doing it for *years* on IRC to make their hostnames show up as various 31337 values on a /who. In fact, if you know what you're doing you don't even need control of the PTR record - many older versions of BIND were incredibly susceptible to DNS cache poisoning. pgpLP6rSMglTF.pgp Description: PGP signature
Re: IRC Bot list (cross posting)
On 02/09/05, Bill Nash <[EMAIL PROTECTED]> wrote: > And I'm not subscribed to either. Yet, I've no less than a /19 of space > under my purview and I don't believe that publishing botnet lists in the > manner that has been done is either off topic, or off charter. Some of us, > as hosting providers or similiar entities, have network costs to keep to a > minimum. For those of us with security concerns, a heads up to > compromised hosts within our bailiwick will *always* be appreciated. That's why you make 24x7 contact info available to your peers. > If you're not going to be part of a productive solution, do us a favor and > stop getting in the way of people actually trying to do something useful. The productive solution is for reporters of badness within your network to contact your NOC directly, rather than posting here in hopes that you're paying attention. -- J.D. Falk uncertainty is only a virtue <[EMAIL PROTECTED]>when you don't know the answer yet
RE: IRC Bot list (cross posting)
> -Original Message- > From: Bill Nash [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 09, 2005 3:31 AM > To: Hannigan, Martin > Cc: [EMAIL PROTECTED] > Subject: RE: IRC Bot list (cross posting) > > > On Wed, 9 Feb 2005, Hannigan, Martin wrote: > [ snip ] > Various persons put forth some amount of effort to, > graciously, give other > operators a heads up to the ongoing/potential abuse of their > networks, and > you're concerned about topical relevance? Why aren't you, in > the least, > THANKING them for their efforts? Maybe it's because these > thousands of > drones are being used to pump out spam across the internet, This is old news, Bill. If anyone wants to sit around and pump out botnet lists to NANOG, fine by me. I never said I can stop them. I just said I didn't want them as a subscriber. I understand that you don't know where these existing lists are. Look hard. If you suddenly care about bots enough in the last 24 hours to spend all night writing a post about me, you should be able to expend the same energy and find a botnet list to enjoy. Gadi probably has already invited you to his list in the last 8 hours. He's good like that. >which may > require (at some point) some form of domain registration at > the end site > pushing whatever product, which at later trickles into > Verisign's coffers? Hmm. A conspiracy theory. What would Kramer do? Uh, plonk? [ snip ]
Re: IRC Bot list (cross posting)
Bill Nash wrote: Various persons put forth some amount of effort to, graciously, give other operators a heads up to the ongoing/potential abuse of their networks, and you're concerned about topical relevance? Why aren't you, Aside to if botnet issues were discussed here, it would flood the list beyond usability - I am all for that. Why is it a bad idea then? Because not all of us are Bill Nash who won't pwn a user. Gadi.
Re: IRC Bot list (cross posting)
Stephen J. Wilcox wrote: Hi, you probably didnt think of this but it might not be a good idea to publish a list of 3000 computers than can be infected/taken over for further nastiness. Collecting that kind of list on any machine on the public internet takes only a day or so, so I don't think posting a list, where some of the IP's change anyway should be considered a security threat. if you can privately send me a list of Ip addresses (no need to sort) i can assist you to distribute this information securely? Pete
