Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Paul Vixie

[EMAIL PROTECTED] ("Scott Weeks") writes:

> ... I'm just saying that there has to be a better way than police-type
> actions on a global scale.  ...

no, there doesn't have to be such a way.  where the stakes are in meatspace
(pun unintended), the remediation has to be in meatspace.  cyberspace is
just a meatspace overlay, it can only pretend to have different laws when
nothing outside of cyberspace is at stake.  i think that the days when
botnets were mostly used for kiddie-on-kiddie violence or even gangster-on-
gangster violence are permanently behind us.  it's up to the real LEOs now,
because it's on their turf now, which is to say, it's in the real world now.

as was true of spam when i said this about spam ten years ago, it is true
now of botnets that the only technical solution is "gated communities".  but
the internet's culture, which merely mirrors the biases of those who use it,
requires the ability for children to go door to door selling girl scout
cookies, without necessarily having the key code to every one of the doors.

so the internet community has no appetite for the trappings of any technical
solution to botnets.  the meatspace community and their LEOs absolutely *do*.
-- 
Paul Vixie


Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Peter Dambier


Barry Shein wrote:

> On August 1, 2006 at 11:50 [EMAIL PROTECTED] (Scott Weeks) wrote:
>  >...
>  > there has to be a technical way to do this, rather
>  > than a diplomatic way as the diplomatic ways historically
>  > have not worked in the other areas mentioned, so they
>  > probably won't work here, either.  Or we have to keep
>  > going until one can be contrived.  Many good attempts
>  > have been made and there will be more to come until we
>  > hopefully rid ourselves of the sickness others of lower
>  > values force on us daily...
>
> I have nothing against technical solutions tho after over ten years of
> a lot of smart people trying, and a grand prize of probably a billion
> dollars increase in personal wealth, it doesn't seem forthcoming.

Let me try to become Gadi. First of all block port 80 (http) :)
Next block port 53 udp (dns).

Now you have got rid of amplification attacks because spoofing
no longer works and you have got rid of all those silly users that
only know how to click the mouse.

Put every client leaking netbios into a sandbox. Don't allow them
anything but logon :)

> However, I do take exception to the assertion that "diplomatic ways
> historically have not worked in other areas mentioned".
>
> I think what you mean is that they haven't worked perfectly, but
> slipped the semantics a little. Surely you didn't mean to say that all
> efforts to oppose, e.g., the human slave trade have been in vain?
>
> The effectiveness has a lot to do with the profitability making the
> risk worthwhile (e.g., drug trade), and who the crime appeals to; some
> poor, desperate people will take risks others won't (e.g., high-seas
> piracy.)
>
> Unfortunately all this reasoning might be edifying but it leads
> nowhere.



Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Scott Weeks

- Original Message Follows -
From: "Fergie" <[EMAIL PROTECTED]>

> >mentioned haven't worked at all.  I'm just saying that there
> >has to be a better way than police-type actions on a global
> >scale.  Also, I'm sure many more smart people

> Personally, I think there is wiggle-room between what Gadi
> surmises (personally, I think he is playing Devil's
> advocate), what everyone else may surmise as an effort
> into nothingness, and what Vixie professes (if anyone
> bothered to read what he forwarded -- I did, and very much
> agree).

I read it all carefully.  Twice.  I'm not taking sides here.
Please don't put me in that position.  I'm only beating a
point to death.  Common NANOG futility.  You know the
deal...  :-)

 
> I actually think there is _a_lot_ which can be, and should
> be, done.

What?  That's what I'm trying to find out, but I'm not as
smart as most, so I can only point out the things that I
believe definitely won't work and why I think that. 
Hopefully by the application of flame to my butt by smart
people for saying what I do will spark some thought toward
the goal.


> I actually think there is _a_lot_ which can be, and should
> be, done.
> 
> Turning a blind eye is unacceptable, and right now, ISP's
> are in the spotlight w.r.t. doing just that:

> There is _major_ room for improvement, so I guess the
> relevant question becomes: Are people part of the problem
> or part of the solution?
> 
> What's the measuring stick?

I get a 1984-like mgmtspeak feeling here.  I don't know how
to respond except with this attempt (in order): what are
some suggestions for the major improvement, people are both
the problem and the solution (as in everything) and the
measuring stick is a noticeable decline in the nefarious
deeds on the public internet.

scott




Re: APC Matrix 5000 question(s)

2006-08-01 Thread Matthew Sullivan


[EMAIL PROTECTED] wrote:

> Update: I replaced the batteries today, and indeed, several of the old
> ones (mostly in the first pack) were split and some had popped a couple of
> their "sealed" tops.
>
> I left for several hours and came back to the house stinking like burning
> rubber.  The new batteries are apparently melting the terminal rubber
> insulation.  I had to throw it back into bypass mode and unplug that pack
> (the only one with new batteries!)
>
> Any ideas to the cause?  The status screens looked ok. ("no bad batteries"
> again)

Tip: Except where a newly supplied battery is faulty, replace all or
none - across all your packs connected to the same UPS.


/ Mat



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Fergie

-- "Scott Weeks" <[EMAIL PROTECTED]> wrote:

[snip]

>Yes, you're correct.  I didn't mean to say the things you
>mentioned haven't worked at all.  I'm just saying that there
>has to be a better way than police-type actions on a global
>scale.  Also, I'm sure many more smart people will work on
>it for many more years and others will make billions more
>before it's solved.  But it needs to be solved on the same
>playing field that the ugliness is occurring on.  You don't
>solve San Diego's slave trade by kicking ass on Indonesia's
>pirates.
>
>Last, you're also correct that this is leading nowhere.  I
>made my point and have now beat it to death.  Thanks for
>listening...
>
>scott
>

Personally, I think there is wiggle-room between what Gadi surmises
(personally, I think he is playing Devil's advocate), what everyone
else may surmise as an effort into nothingness, and what Vixie
professes (if anyone bothered to read what he forwarded -- I did,
and very much agree).

I actually think there is _a_lot_ which can be, and should be, done.

Turning a blind eye is unacceptable, and right now, ISP's are in
the spotlight w.r.t. doing just that:

http://www.zdnet.com.au/news/security/soa/ISPs_accused_of_ignoring_botnet_invasion/0,261744,39257307,00.htm

There is _major_ room for improvement, so I guess the relevant
question becomes: Are people part of the problem or part of the
solution?

What's the measuring stick?

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Scott Weeks

- Original Message Follows -
From: Barry Shein <[EMAIL PROTECTED]>

> On August 1, 2006 at 11:50 [EMAIL PROTECTED] (Scott
> Weeks) wrote:
>  >...
>  > there has to be a technical way to do this, rather 
>  > than a diplomatic way as the diplomatic ways
>  > historically have not worked in the other areas 
>  > mentioned, so they probably won't work here, either.  
>  > Or we have to keep going until one can be contrived.  
>  > Many good attempts have been made and there will be 
>  > more to come until we hopefully rid ourselves of the 
>  > sickness others of lower values force on us daily...
> 
> I have nothing against technical solutions tho after over
> ten years of a lot of smart people trying, and a grand
> prize of probably a billion dollars increase in personal
> wealth, it doesn't seem forthcoming.
> 
> However, I do take exception to the assertion that
> "diplomatic ways historically have not worked in other
> areas mentioned".
> 
> I think what you mean is that they haven't worked
> perfectly, but slipped the semantics a little. Surely you
> didn't mean to say that all efforts to oppose, e.g., the
> human slave trade have been in vain?
> 
> The effectiveness has a lot to do with the profitability
> making the risk worthwhile (e.g., drug trade), and who the
> crime appeals to; some poor, desperate people will take
> risks others won't (e.g., high-seas piracy.)
> 
> Unfortunately all this reasoning might be edifying but it
> leads nowhere.


Yes, you're correct.  I didn't mean to say the things you
mentioned haven't worked at all.  I'm just saying that there
has to be a better way than police-type actions on a global
scale.  Also, I'm sure many more smart people will work on
it for many more years and others will make billions more
before it's solved.  But it needs to be solved on the same
playing field that the ugliness is occurring on.  You don't
solve San Diego's slave trade by kicking ass on Indonesia's
pirates.

Last, you're also correct that this is leading nowhere.  I
made my point and have now beat it to death.  Thanks for
listening...

scott








Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Barry Shein


On August 1, 2006 at 11:50 [EMAIL PROTECTED] (Scott Weeks) wrote:
 >...
 > there has to be a technical way to do this, rather 
 > than a diplomatic way as the diplomatic ways historically 
 > have not worked in the other areas mentioned, so they 
 > probably won't work here, either.  Or we have to keep 
 > going until one can be contrived.  Many good attempts 
 > have been made and there will be more to come until we 
 > hopefully rid ourselves of the sickness others of lower 
 > values force on us daily...

I have nothing against technical solutions tho after over ten years of
a lot of smart people trying, and a grand prize of probably a billion
dollars increase in personal wealth, it doesn't seem forthcoming.

However, I do take exception to the assertion that "diplomatic ways
historically have not worked in other areas mentioned".

I think what you mean is that they haven't worked perfectly, but
slipped the semantics a little. Surely you didn't mean to say that all
efforts to oppose, e.g., the human slave trade have been in vain?

The effectiveness has a lot to do with the profitability making the
risk worthwhile (e.g., drug trade), and who the crime appeals to; some
poor, desperate people will take risks others won't (e.g., high-seas
piracy.)

Unfortunately all this reasoning might be edifying but it leads
nowhere.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*


RE: BGP and GLB.

2006-08-01 Thread Barry Greene (bgreene)


Anycast - it is a widget - not a solution.

Go here http://www.nanog.org/subjects.html, look for Anycast, and watch
the VODs. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Robert Sherrard
> Sent: Tuesday, August 01, 2006 5:54 PM
> To: nanog@merit.edu
> Subject: BGP and GLB.
> 
> Does anyone know of some good writeup that details using BGP 
> as a form of global load balancing, between multiple sites.
> 
> Rob
> 
> 


BGP and GLB.

2006-08-01 Thread Robert Sherrard




Does anyone know of some good writeup that details using BGP as a
form of global load balancing, between multiple sites.

Rob




[no subject]

2006-08-01 Thread Dr. Mosh

unsubscribe

-- 
--
http://www.zeromemory.com - metal for your ears.


Re: APC Matrix 5000 question(s)

2006-08-01 Thread Michael Loftis




--On July 28, 2006 9:33:59 AM -0400 "Robert E.Seastrom" <[EMAIL PROTECTED]>
wrote:

> [EMAIL PROTECTED] writes:
>
>> I left for several hours and came back to the house stinking like burning
>> rubber.  The new batteries are apparently melting the terminal rubber
>> insulation.  I had to throw it back into bypass mode and unplug that pack
>> (the only one with new batteries!)
>
> By "terminal rubber insulation" do you mean the insulation on the lugs
> that bolt to the terminals on the batteries?  If so, this is a sign
> that you either didn't clean the contacts or didn't bolt them together
> firmly.  Those batteries need to be initially charged, and they draw a
> lot of current when doing that...  which heats up any kind of high
> resistance connection in the chain.
>
>> Any ideas to the cause?  The status screens looked ok. ("no bad
>> batteries" again)
>
> By the way, you probably ought to replace all the batteries in all
> your packs regardless of what the battery status monitor says.
>
> ---Rob

Yeah my other thought here was that one or more of the other packs had
totally dead shorted cells, that'd cause excessive heating on the other
batteries too.





Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Scott Weeks

- Original Message Follows -
From: Barry Shein <[EMAIL PROTECTED]>

>  > That's all fine and dandy until you consider the
>  > international base of these things.  I'd like to see

> a meeting at the Massachusetts state house probably around
> 1998 and being shouted down by this reasoning for a few
> minutes.
> 
> Believe it or not spam is not the only internationalized
> problem on this planet. There's drug trade, actual
> high-seas piracy, slave trade, phone fraud, investment
> fraud, and on and on.
> 
> So the usual snappy response is: And look how well we do
> with all that!
> 
> Well, yes, you can make the best the enemy of the good.
> But there's a logical fallacy involved in trying to
> extrapolate that to "so therefore we should do nothing".


I did not mean to shout anyone down by saying what I did 
and trying to extrapolate to 'therefore we should do 
nothing'.  I also did not mean to imply sloppy writing.  
For sure, it's more my misunderstanding than either of 
those.  Also, it was an interesting article.  I only 
meant that meatspace asskicking probably won't get us 
very far, especially in light of current intercountry 
cooperation.  Also, wouldn't it just teach them what 
countries to focus their efforts on similar to the 
context of the article?  I just hope to inject that 
there has to be a technical way to do this, rather 
than a diplomatic way as the diplomatic ways historically 
have not worked in the other areas mentioned, so they 
probably won't work here, either.  Or we have to keep 
going until one can be contrived.  Many good attempts 
have been made and there will be more to come until we 
hopefully rid ourselves of the sickness others of lower 
values force on us daily.

scott
(quickly putting on flameproof underwear... ;)




Re: Detecting parked domains

2006-08-01 Thread Rick Wesson



I have a large list of parked domains; how would you like to query it, and
why do you want to?


-rick

Sean Donelan wrote:

> Has anyone come up with a quick method for detecting if a domain
> name is parked, but is not being used except displaying ads?
> I'm hoping there is other method besides chasing a list of
> constantly changing IP addresses being used by the parking
> advertising companies.




Re: Detecting parked domains

2006-08-01 Thread Peter Dambier


Stephane Bortzmeyer wrote:

> On Tue, Aug 01, 2006 at 03:35:40PM -0400,
>  Sean Donelan <[EMAIL PROTECTED]> wrote
>  a message of 6 lines which said:
>
>> Has anyone come up with a quick method for detecting if a domain
>> name is parked, but is not being used except displaying ads?
>
> I don't think it is possible: "being parked" cannot be defined in an
> algorithmic way. My own domain sources.org does not even have a Web
> site (and I swear it is not parked).
>
> Let's try:
>
> * Bayesian filtering on the content of the Web page, after suitable
>   training?
>
> * Number of different pages on the site (if n == 1 then the domain is
>   parked)?
>
> * (Based on the analysis of many sites, not just one) Content of the
>   page "almost" identical to the content of many other pages? (Caveat:
>   the Apache default installation page...)

Don't forget there are mail only domains. I used to have one. Now it is
used to forward html somehow to my real homepage.

; <<>> DiG 9.1.3 <<>> -t any peter-dambier.de @212.227.123.12
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;peter-dambier.de.  IN  ANY

;; ANSWER SECTION:
peter-dambier.de.   86400   IN  SOA ns15.schlund.de. hostmaster.schlund.de. 2005050401 28800 7200 604800 86400
peter-dambier.de.   86400   IN  NS  ns15.schlund.de.
peter-dambier.de.   86400   IN  NS  ns16.schlund.de.
peter-dambier.de.   86400   IN  MX  10 mx0.gmx.de.
peter-dambier.de.   86400   IN  MX  10 mx0.gmx.net.
peter-dambier.de.   10800   IN  A   82.165.62.90

;; Query time: 63 msec
;; SERVER: 212.227.123.12#53(212.227.123.12)
;; WHEN: Tue Aug  1 22:18:51 2006
;; MSG SIZE  rcvd: 217






--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



Re: Detecting parked domains

2006-08-01 Thread Stephane Bortzmeyer

On Tue, Aug 01, 2006 at 03:35:40PM -0400,
 Sean Donelan <[EMAIL PROTECTED]> wrote 
 a message of 6 lines which said:

> Has anyone come up with a quick method for detecting if a domain
> name is parked, but is not being used except displaying ads?

I don't think it is possible: "being parked" cannot be defined in an
algorithmic way. My own domain sources.org does not even have a Web
site (and I swear it is not parked).

Let's try:

* Bayesian filtering on the content of the Web page, after suitable
  training?

* Number of different pages on the site (if n == 1 then the domain is
  parked)?

* (Based on the analysis of many sites, not just one) Content of the
  page "almost" identical to the content of many other pages? (Caveat:
  the Apache default installation page...)
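
Two of the heuristics listed above (page count and near-identical content across many sites), combined in one pass with the Apache-default caveat and the no-web-site case handled. This is an added example, not part of the original post; the `.test` domains, page bodies, threshold and verdict labels are constructed for illustration, and crawling is assumed to have happened already.

```python
import re

def shingles(body, domain="", k=3):
    """k-word shingles of the visible text, with the site's own name removed
    so that a template instantiated per domain still compares as identical."""
    if domain:
        body = re.sub(re.escape(domain), " ", body, flags=re.I)
    words = re.findall(r"[a-z0-9]+", re.sub(r"<[^>]+>", " ", body).lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}

def jaccard(a, b):
    """Set similarity in [0, 1]; empty pages never match anything."""
    return len(a & b) / len(a | b) if a and b else 0.0

def classify(sites, known_defaults, threshold=0.7, min_peers=2):
    """sites maps domain -> list of crawled page bodies (assumed input)."""
    defaults = [shingles(p) for p in known_defaults]
    single = {d: shingles(p[0], d) for d, p in sites.items() if len(p) == 1}
    verdicts = {}
    for domain, pages in sites.items():
        if not pages:                      # mail-only or no web site at all
            verdicts[domain] = "no-web"
        elif len(pages) > 1:               # n > 1: more than a landing page
            verdicts[domain] = "in-use"
        elif any(jaccard(single[domain], s) >= threshold for s in defaults):
            verdicts[domain] = "default-install"   # the Apache caveat
        else:
            peers = sum(1 for other, s in single.items()
                        if other != domain
                        and jaccard(single[domain], s) >= threshold)
            verdicts[domain] = ("likely-parked" if peers >= min_peers
                                else "unclassified")
    return verdicts

# Constructed sample data: a parking template with a varying ad keyword,
# a server default page, a mail-only domain, a real site, a one-page site.
PARK = ("<html><head><title>{d}</title></head><body><h1>{d} is parked</h1>"
        "<p>Sponsored listings for {d}: cheap flights, car insurance, "
        "online {x}, credit cards.</p><p>This domain may be for sale. "
        "Contact the owner to make an offer.</p></body></html>")
APACHE_DEFAULT = ("<html><body><h1>It works!</h1><p>This is the default web "
                  "page for this server.</p><p>The web server software is "
                  "running but no content has been added, yet.</p></body></html>")
KNOWN_DEFAULTS = [APACHE_DEFAULT]
SITES = {
    "alpha.test": [PARK.format(d="alpha.test", x="degrees")],
    "bravo.test": [PARK.format(d="bravo.test", x="degrees")],
    "charlie.test": [PARK.format(d="charlie.test", x="courses")],
    "fresh-a.test": [APACHE_DEFAULT],
    "fresh-b.test": [APACHE_DEFAULT],
    "mailonly.test": [],
    "blog.test": ["<html><body>First post about BGP.</body></html>",
                  "<html><body>Second post about anycast.</body></html>"],
    "single.test": ["<html><body><h1>Jo Doe</h1><p>Network engineer. CV and "
                    "contact details on request.</p></body></html>"],
}

if __name__ == "__main__":
    for name, verdict in sorted(classify(SITES, KNOWN_DEFAULTS).items()):
        print(f"{name:15} {verdict}")
```

The one-page site that matches nothing else stays "unclassified", which is where the n == 1 rule on its own would have produced a false positive.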


Detecting parked domains

2006-08-01 Thread Sean Donelan

Has anyone come up with a quick method for detecting if a domain
name is parked, but is not being used except displaying ads?
I'm hoping there is other method besides chasing a list of
constantly changing IP addresses being used by the parking
advertising companies.


Odd named messages...

2006-08-01 Thread Dominic J. Eidson


Has anyone else seen an increase of the following named errors?

Aug  1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70: shutting down due to TCP receive error: unexpected error
Aug  1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70: shutting down due to TCP receive error: unexpected error

.. someone trying some new anti-bind trickery?



 - d.

-- 
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
---
   http://www.the-infinite.org/



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Peter Dambier


Paul Vixie wrote:

> [EMAIL PROTECTED] ("Scott Weeks") writes:
>
>> From: Paul Vixie <[EMAIL PROTECTED]>
>>
>> ... I'd like to see "...jackbooted [US is implied in the text]
>> government thugs...kicking in a door somewhere ...

Paul, it is people like you who tell us there is still hope in the US :)

There is a nuclear bunker between the shelde rivers in the Netherlands.
The facility used to house an XTC lab and the Turkish root - and the
police would not dare to kick their doors in because the guys told them
they were an independent country and threatened to send bombs upon
Amsterdam :)

And there are other countries in Europe where it is a military secret
that they are wearing boots and they are able to kick doors in.

Cheers
Peter and Karin


--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Paul Vixie

[EMAIL PROTECTED] ("Scott Weeks") writes:

> From: Paul Vixie <[EMAIL PROTECTED]>
> 
> 
> 
> ... I'd like to see "...jackbooted [US is implied in the text]
> government thugs...kicking in a door somewhere ...

i apologize for writing so sloppily that you mistook my meaning in this way.
i am a citizen of the US but i have always recognized that the internet is
a transnational entity.  nowhere and in no way did i mean to imply that all
potential kickers in of doors are US LEOs.  barry shein understood correctly.
-- 
Paul Vixie


botnet info

2006-08-01 Thread Micheal Patterson


Is there a compiled list of network ranges that are being used as
botnets available anywhere that is kept relatively up to date? I've got
a few networks within my influence that I'd like to ensure aren't being
dirty.


Thanks.

--

Micheal Patterson



Re: mitigating botnet C&Cs has become useless

2006-08-01 Thread Barry Shein


On July 31, 2006 at 08:51 [EMAIL PROTECTED] (Scott Weeks) wrote:
 > 
 > That's all fine and dandy until you consider the
 > international base of these things.  I'd like to see
 > "...jackbooted [US is implied in the text] government
 > thugs...kicking in a door somewhere and confiscating every
...

This is a common fallacy which goes back to practically day 1 of The
Spam Crisis (tm). I remember being invited to a meeting at the
Massachusetts state house probably around 1998 and being shouted down
by this reasoning for a few minutes.

Believe it or not spam is not the only internationalized problem on
this planet. There's drug trade, actual high-seas piracy, slave trade,
phone fraud, investment fraud, and on and on.

So the usual snappy response is: And look how well we do with all that!

Well, yes, you can make the best the enemy of the good. But there's a
logical fallacy involved in trying to extrapolate that to "so
therefore we should do nothing".

Pressure can be put onto countries which are either spam-friendly or,
more likely, spam agnostic (it's just not on their list of
priorities.)

Spam crime is of only limited value to those countries, one just has
to find that value and the right buttons to push.

 > powered device and every living person in the building" in
 > China, an African country, Russia, or  choice here>.  These things span continents and countries
 > and every time you cutoff the current head, it immediately
 > spawns another and not always in a country that cares.
 > 
 > scott

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*


AOL Email Contact me offline please

2006-08-01 Thread Elijah Savage

It is not about spam or being blocked I actually would like to speak with 
someone about services provided. This is very important as I can not find my 
answers on the postmasters website.

Thank you


Drone Armies C&C Report - 01 Aug 2006

2006-08-01 Thread c2report



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms:
open    the host completed the TCP handshake
closed  No activity detected
reset   issued a RST

This month's survey is of 3639 unique domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 10895 reported C&Cs. Of the suspect C&Cs
surveyed, 658 reported as Open, 932 reported as closed,
and 570 issued resets to the survey instrument. Of the C&Cs
listed by domain name in our C&C database, 4818 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.

  ASN  Responsible Party                   Total  Open  Percent_Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN         71    16    77
13301  UNITEDCOLO-AS Autonomous System of     63    29    54
 4766  KIXS-AS-KR                             41    12    71
23522  CIT-FOONET                             39    14    64
 4134  CHINANET-BACKBONE                      32    15    53
 9318  HANARO-AS                              27     8    70
 8560  SCHLUND-AS                             27     6    78
16265  LEASEWEB AS                            27    19    30
 4837  CHINA169-Backbone                      25    11    56
 3561  Savvis                                 25     4    84
12832  Lycos Europe                           25     5    80
33597  InfoRelay Online Systems, Inc.         24     0   100
  174  Cogent Communications                  23    16    30
 7132  SBC Internet Services                  23     5    78
30315  Everyones Internet                     22     8    64
19166  Alpha Red, INC                         22    10    55
 4314  IIS-64 I-55 INTERNET SERVICES          21     2    90
13213  UK2NET-AS UK-2 Ltd Autonomous Syste    20     0   100
30058  FDCSE FDCservers.net LLC               19     6    68
13749  EVRY Everyones Internet                19     1    95

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.

  ASN  Responsible Party                   Total  Open  Percent_Resolved
13301  UNITEDCOLO-AS Autonomous System of     63    29    54
16265  LEASEWEB AS                            27    19    30
  174  Cogent Communications                  23    16    30
19318  NJIIX-AS-1 - NEW JERSEY INTERN         71    16    77
 4134  CHINANET-BACKBONE                      32    15    53
30407  Velcom.com                             16    15     6
23522  CIT-FOONET                             39    14    64
 9316  DACOM-PUBNETPLUS-AS-KR                 14    13     7
35908  Krypt Technologies Inc.                17    13    24
 4766  KIXS-AS-KR                             41    12    71
 4837  CHINA169-Backbone                      25    11    56
19166  Alpha Red, INC                         22    10    55
 1659  ERX-TANET-ASN1                         16     9    44
18942  WEBHO-3 WebHostPlus Inc                13     9    31
 9318  HANARO-AS                              27     8    70
30315  Everyones Internet                     22     8    64
25761  STAMIN-2 Staminus Communications       14     8    43
31312  VNL Video Networks Limited              8     7    13
 8560  SCHLUND-AS                             27     6    78
 9911  CONNECTPLUS-AP Singapore Telecom        9     6    33


Randal Vaughn                 Gadi Evron
Professor                     ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu