Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-14 Thread Gadi Evron

> PTR records are just as pointless as A records...
> in a secured DNS hierarchy, this is less of an issue

We are not quite there yet, are we?

> since you have to spoof the entire delegation chain.
> so either trust the DNS (both forward and reverse)
> or not.  For forensics, collect the DNS labels and the
> IP addresses associated w/ them.
> and yes, i have seen DNS spoofing in the wild, both A
> and PTR, although A spoofing is much more pronounced.

Question is, why bother and spoof?


Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-14 Thread Gadi Evron
Adam Jacob Muller wrote:
> Not possible with most modern IRCD's since they check forward and
> reverse dns.
> So for example if your address is:
> 1.2.3.4
> and that resolves to:
> 1-2-3-4.dsl.verizon.net
> the ircd makes sure that:
> 1-2-3-4.dsl.verizon.net
> resolves back to
> 1.2.3.4
>
> it's a simple and elegant solution that basically stops spoofing of this
> nature, on IRC anyway

Wrong. On your IRCd. Not on mine.
Do I want to run my drone army on your IRCd?


Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-11 Thread Ketil Froyn

  http://www.albany.edu/~ja6447/hacked_bots8.txt

Isn't it a good idea to collect the IP addresses rather than the ptr
name? For instance, if I were an evil person in control of the ptr
record of my own IP, I could easily make the name something like
1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
be sure you got the right details!

Something like this is probably not very widespread (has anyone seen it
in practice?), but I still think that for tracking purposes, ptr records
are useless. IMHO.

Ketil



Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-11 Thread bmanning

On Fri, Feb 11, 2005 at 03:45:52PM +0000, Ketil Froyn wrote:
 
   http://www.albany.edu/~ja6447/hacked_bots8.txt
 
 Isn't it a good idea to collect the IP addresses rather than the ptr
 name? For instance, if I were an evil person in control of the ptr
 record of my own IP, I could easily make the name something like
 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
 be sure you got the right details!
 
 Something like this is probably not very widespread (has anyone seen it
 in practice?), but I still think that for tracking purposes, ptr records
 are useless. IMHO.
 
 Ketil

PTR records are just as pointless as A records...
in a secured DNS hierarchy, this is less of an issue
since you have to spoof the entire delegation chain.
so either trust the DNS (both forward and reverse)
or not.  For forensics, collect the DNS labels and the
IP addresses associated w/ them.

and yes, i have seen DNS spoofing in the wild, both A
and PTR, although A spoofing is much more pronounced.

--bill



Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-11 Thread Adam Jacob Muller
Not possible with most modern IRCD's since they check forward and 
reverse dns.
So for example if your address is:
	1.2.3.4
and that resolves to:
	1-2-3-4.dsl.verizon.net
the ircd makes sure that:
	1-2-3-4.dsl.verizon.net
resolves back to
	1.2.3.4

it's a simple and elegant solution that basically stops spoofing of 
this nature, on IRC anyway

Adam
On Feb 11, 2005, at 10:45 AM, Ketil Froyn wrote:

http://www.albany.edu/~ja6447/hacked_bots8.txt
Isn't it a good idea to collect the IP addresses rather than the ptr
name? For instance, if I were an evil person in control of the ptr
record of my own IP, I could easily make the name something like
1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it
in practice?), but I still think that for tracking purposes, ptr 
records
are useless. IMHO.

Ketil


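Adam's description of the ircd check, together with Ketil's and Bill's point that the IP address is the thing to keep for tracking, written out in code. This is an added example, not code from the thread or from any ircd: a forward-confirmed reverse DNS (FCrDNS) check in Python, a stub resolver loaded with constructed answers so it runs offline, and a listing routine that records the IP next to the PTR name and says whether the name checks out. The names and addresses in the stub data are assumptions made for the example (1.2.3.4 / 1-2-3-4.dsl.verizon.net is the placeholder the thread itself uses); live_ptr and live_a use the system resolver if you want real lookups.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Constructed sample DNS answers so the example runs offline. These names and
# addresses are assumptions made for this example, not data from the thread.
SAMPLE_PTR = {
    "1.2.3.4": "1-2-3-4.dsl.verizon.net",   # PTR and A agree: confirmed
    "5.6.7.8": "1-2-3-4.dsl.verizon.net",   # forged PTR: the A record does not point back
    "9.9.9.9": "l33t.example",              # PTR names a host that has no A record at all
}
SAMPLE_A = {
    "1-2-3-4.dsl.verizon.net": ["1.2.3.4"],
}


def stub_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup."""
    return SAMPLE_PTR.get(ip)


def stub_a(name: str) -> list[str]:
    """Offline stand-in for an A/AAAA lookup; [] plays the role of NXDOMAIN."""
    return SAMPLE_A.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name: str) -> list[str]:
    """All A/AAAA addresses for a name through the system resolver; [] on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


@dataclass
class HostRecord:
    ip: str
    ptr: Optional[str]
    forward: list[str] = field(default_factory=list)

    @property
    def confirmed(self) -> bool:
        # FCrDNS: the name the PTR gives must resolve back to the address we started from.
        return self.ptr is not None and self.ip in self.forward

    @property
    def display_host(self) -> str:
        # What a checking ircd would show on /who: the name only if it is confirmed,
        # otherwise the bare address.
        return self.ptr if self.confirmed else self.ip


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], Optional[str]] = live_ptr,
           a_lookup: Callable[[str], list[str]] = live_a) -> HostRecord:
    """Forward-confirmed reverse DNS for one address (IPv4 or IPv6)."""
    ip = str(ipaddress.ip_address(ip))  # rejects junk and normalises the text form
    ptr = ptr_lookup(ip)
    forward = a_lookup(ptr) if ptr else []
    return HostRecord(ip=ip, ptr=ptr, forward=forward)


def annotate(ips: Iterable[str],
             ptr_lookup: Callable[[str], Optional[str]] = live_ptr,
             a_lookup: Callable[[str], list[str]] = live_a) -> list[str]:
    """Forensic listing: always keep the IP, keep the PTR, and say whether it checks out."""
    lines = []
    for ip in ips:
        rec = fcrdns(ip, ptr_lookup, a_lookup)
        status = "confirmed" if rec.confirmed else "unconfirmed"
        lines.append(f"{rec.ip}\t{rec.ptr or '-'}\t{status}")
    return lines


if __name__ == "__main__":
    # Offline run against the constructed data; pass live_ptr/live_a for real lookups.
    for line in annotate(SAMPLE_PTR, stub_ptr, stub_a):
        print(line)
```

The forged case is the one Ketil describes: 5.6.7.8 can publish any PTR it likes, but it cannot make verizon.net's zone answer 5.6.7.8 for that name, so the check fails and the listing keeps the address. Note that this only protects a server that performs the check; a botnet controller's own ircd, as Gadi points out, will not.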

Re: IRC Bot list (cross posting)

2005-02-10 Thread william(at)elan.net


On Thu, 10 Feb 2005, Jim Popovitch wrote:

 I don't know how relevant this is to your question, but since it was
 part of the Subject here it goes:  The botlist MUST have been
 interesting to a sizable number of NANOG'ers.  At least 305 people
 (different IPs) downloaded the version that I posted here last night.

Yes, there are a number of good netadmins who want to make sure they don't
have one of these bots on their network (and a number of bad guys who
want to see the entire list), but if you consider the total number of networks 
in the world, 305 is not all that many and I doubt most of the bots
on that list were killed because people found the list at nanog...

However since there was shown enough of the interest from people on nanog@ 
to help in killing bots and knowing about it, may I suggest that people 
who are doing the tracking setup the following:
 1. Website where person can come and enter ip address block or domain 
and see number of bots on that network (but not actual ip addresses).
 2. After that the person should be able to register (entering full
name and contact data and company he/she works) and can then get
access to see entire list of ip addresses for particular company
(and possibly even do more and mark ips that have been taken care of).
 3. Additionally there could be regular post on nanog@ (once/week or 
once/month depending how much nanog can tolerate) reminding of the 
website and with summary including total number of botnet ip 
addresses listed in the database, plus possibly list of 10 networks 
that have largest number of unhandled bots.

So, Gadi, are you taking notes?

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: IRC Bot list (cross posting)

2005-02-10 Thread Andy Smith
On Thu, Feb 10, 2005 at 12:09:48AM -0800, william(at)elan.net wrote:
 However since there was shown enough of the interest from people on nanog@ 
 to help in killing bots and knowing about it, may I suggest that people 
 who are doing the tracking setup the following:

For the DNSBLs that list things like proxies, most of them also
offer to sent notifications to AS or netblock contacts, so if you're
interested in that then contact them too.




Re: IRC Bot list (cross posting)

2005-02-10 Thread Joe Abley

On 10 Feb 2005, at 10:03, [EMAIL PROTECTED] wrote:
> On Thu, 10 Feb 2005 00:09:48 PST, william(at)elan.net said:
>> 2. After that the person should be able to register (entering full
>> name and contact data and company he/she works) and can then get
>> access to see entire list of ip addresses for particular company
>> (and possibly even do more and mark ips that have been taken care of).
>
> If you're listing IP's, it helps if you also attach a timestamp so
> those of us with large dialup and DHCP pools have a snowball's chance.
> (Make note - a "taken care of" page *also* needs the timestamp so we can
> check the right one off).

And, for those who are not used to troubleshooting incidents with
people in distant timezones, specify the timezone somewhere (e.g. all
dates/times are UTC, all dates/times are UTC-8).

People should also remember that just because it's February 10 in my 
timezone right now doesn't mean it's not February 11 elsewhere -- so, 
dates need timezones too, even if no time is specified.

Joe

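Joe's point about timestamps and timezones, as an added example that is not part of the thread: a small Python lookup against a constructed DHCP lease history, showing that the same clock reading taken as UTC-8 versus UTC lands on two different customers for the same pool address, plus a parser that refuses report timestamps that carry no offset at all. The lease records, MAC addresses and the 10.0.0.5 address are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC datetime; the example never works with naive datetimes."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime  # inclusive, tz-aware
    end: datetime    # exclusive, tz-aware


# Constructed DHCP lease history for one pool address (an assumption for this
# example, not data from the thread): two customers held 10.0.0.5 on either
# side of 04:00 UTC on 11 Feb.
LEASES = [
    Lease("10.0.0.5", "00:11:22:33:44:55", utc(2005, 2, 10, 20, 0), utc(2005, 2, 11, 4, 0)),
    Lease("10.0.0.5", "66:77:88:99:aa:bb", utc(2005, 2, 11, 4, 0), utc(2005, 2, 11, 12, 0)),
]


def parse_report_time(text: str) -> datetime:
    """Parse a reported timestamp; refuse one that carries no UTC offset."""
    for fmt in ("%Y-%m-%d %H:%M %z", "%Y-%m-%d %H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"timestamp has no timezone, cannot place it on the lease timeline: {text!r}")


def lease_holder(ip: str, when: datetime, leases=LEASES) -> Optional[Lease]:
    """Which lease covered `ip` at instant `when` (tz-aware); None if no record."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("naive datetime: the report must say which timezone it is in")
    when = when.astimezone(timezone.utc)  # compare everything on one timeline
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def holder_mac(ip: str, reported: str) -> Optional[str]:
    """MAC of the customer who held `ip` at the reported time, or None."""
    lease = lease_holder(ip, parse_report_time(reported))
    return lease.mac if lease else None


if __name__ == "__main__":
    # A report written by someone in UTC-8 ...
    print(holder_mac("10.0.0.5", "2005-02-10 22:04 -0800"))  # 66:77:88:99:aa:bb
    # ... and the wrong customer you get if you read the same clock reading as UTC.
    print(holder_mac("10.0.0.5", "2005-02-10 22:04 +0000"))  # 00:11:22:33:44:55
```

The two calls differ only in the offset, and they name different subscribers; an abuse notice without the offset cannot be acted on safely, which is why the parser raises rather than guessing.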

Re: IRC Bot list (cross posting)

2005-02-09 Thread Petri Helenius
Stephen J. Wilcox wrote:
> Hi,
>  you probably didn't think of this but it might not be a good idea to publish a
> list of 3000 computers that can be infected/taken over for further nastiness.

Collecting that kind of list on any machine on the public internet takes 
only a day or so, so I don't think posting a list, where some of the 
IP's change anyway should be considered a security threat.

> if you can privately send me a list of IP addresses (no need to sort) i can
> assist you to distribute this information securely?

Pete


Re: IRC Bot list (cross posting)

2005-02-09 Thread Gadi Evron
Bill Nash wrote:
> Various persons put forth some amount of effort to, graciously, give
> other operators a heads up to the ongoing/potential abuse of their
> networks, and you're concerned about topical relevance? Why aren't you,

Aside to if botnet issues were discussed here, it would flood the list 
beyond usability - I am all for that.

Why is it a bad idea then? Because not all of us are Bill Nash who won't 
pwn a user.

	Gadi.


RE: IRC Bot list (cross posting)

2005-02-09 Thread Hannigan, Martin


 -Original Message-
 From: Bill Nash [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 09, 2005 3:31 AM
 To: Hannigan, Martin
 Cc: [EMAIL PROTECTED]
 Subject: RE: IRC Bot list (cross posting)
 
 
 On Wed, 9 Feb 2005, Hannigan, Martin wrote:
 
[ snip ]

 Various persons put forth some amount of effort to, 
 graciously, give other 
 operators a heads up to the ongoing/potential abuse of their 
 networks, and 
 you're concerned about topical relevance? Why aren't you, in 
 the least, 
 THANKING them for their efforts? Maybe it's because these 
 thousands of 
 drones are being used to pump out spam across the internet, 

This is old news, Bill. If anyone wants to sit around and pump
out botnet lists to NANOG, fine by me. I never said I can 
stop them. I just said I didn't want them as a subscriber. 

I understand that you don't know where these existing
lists are. Look hard. If you suddenly care about bots
enough in the last 24 hours to spend all night writing 
a post about me, you should be able to expend the same
energy and find a botnet list to enjoy.

Gadi probably has already invited you to his list
in the last 8 hours. He's good like that. 

which may 
 require (at some point) some form of domain registration at 
 the end site 
 pushing whatever product, which at later trickles into 
 Verisign's coffers?

scratches head

Hmm. A conspiracy theory. What would Kramer do?

/scratches head

Uh, plonk?

[ snip ]



Re: IRC Bot list (cross posting)

2005-02-09 Thread J.D. Falk

On 02/09/05, Bill Nash [EMAIL PROTECTED] wrote: 

 And I'm not subscribed to either. Yet, I've no less than a /19 of space 
 under my purview and I don't believe that publishing botnet lists in the 
 manner that has been done is either off topic, or off charter. Some of us, 
 as hosting providers or similar entities, have network costs to keep to a 
 minimum. For those of us with security concerns, a heads up to 
 compromised hosts within our bailiwick will *always* be appreciated.

That's why you make 24x7 contact info available to your peers.

 If you're not going to be part of a productive solution, do us a favor and 
 stop getting in the way of people actually trying to do something useful.

The productive solution is for reporters of badness within your
network to contact your NOC directly, rather than posting here
in hopes that you're paying attention.

-- 
J.D. Falk  uncertainty is only a virtue
[EMAIL PROTECTED]when you don't know the answer yet


Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))

2005-02-09 Thread Valdis . Kletnieks
On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
   http://www.albany.edu/~ja6447/hacked_bots8.txt
 
 Isn't it a good idea to collect the IP addresses rather than the ptr
 name? For instance, if I were an evil person in control of the ptr
 record of my own IP, I could easily make the name something like
 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
 be sure you got the right details!
 
 Something like this is probably not very widespread (has anyone seen it
 in practice?), but I still think that for tracking purposes, ptr records
 are useless. IMHO.

The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who.  In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.





RE: IRC Bot list (cross posting)

2005-02-09 Thread Bill Nash
On Wed, 9 Feb 2005, Hannigan, Martin wrote:
> out botnet lists to NANOG, fine by me. I never said I can
> stop them. I just said I didn't want them as a subscriber.
> I understand that you don't know where these existing
> lists are. Look hard. If you suddenly care about bots
> enough in the last 24 hours to spend all night writing
> a post about me, you should be able to expend the same
> energy and find a botnet list to enjoy.

My point is simple. There's more people on this list besides you and 
William. This list should not be run by the preference of two vocal people 
who can't be bothered to skim/trim/ignore threads they aren't interested 
in. This isn't exactly a high volume list. The percentage of subscribers 
who actually post is a distinct minority, and from the volume of mail I 
got last time you and I went around, there's a lot of smaller operators 
who simply monitor the list for interesting things who may find those 
kinds of discussions interesting.

This thread is already longer than it likely would have been had it simply 
been recognized as uninteresting signal (but signal nonetheless) and left 
alone. I'm hardly an icon of self-restraint, but worry about off-topic 
when it's actually a problem, and stop discouraging people to post 
entirely.

- billn


Re: IRC Bot list (cross posting)

2005-02-09 Thread Michael Loftis

--On Wednesday, February 09, 2005 11:28 +0200 Gadi Evron 
[EMAIL PROTECTED] wrote:

> Why is it a bad idea then? Because not all of us are Bill Nash who won't
> pwn a user.

The same can easily be said for ANY public forum.


Re: IRC Bot list (cross posting)

2005-02-09 Thread Gadi Evron

>> Why is it a bad idea then? Because not all of us are Bill Nash who won't
>> pwn a user.
>
> The same can easily be said for ANY public forum.

Yes.


Re: IRC Bot list (cross posting)

2005-02-09 Thread Paul Vixie

  There's TWO places that are doing this botnet stuff and
  the NANOG AUP discourages cross posting.
 
  I for one certainly don't want yet another list full of
  botnet stuff.
 
 And I'm not subscribed to either. Yet, I've no less than a /19 of space 
 under my purview and I don't believe that publishing botnet lists in the 
 manner that has been done is either off topic, or off charter.

i suppose that at some level, the idea of topic-specific mailing lists is
just a bad idea and keeps us all in the dark on most topics.  wouldn't it
be better to just post everything everywhere and make everybody read
everything?

wait, wait, i have a better idea.  if you have a /19 worth of space and...

 Some of us, as hosting providers or similar entities, have network costs
 to keep to a minimum. For those of us with security concerns, a heads up
 to compromised hosts within our bailiwick will *always* be appreciated.

...you really care about botnet reports, then why not subscribe to nsp-sec@
or da@ where such reports are published all damned day long every day.  if
you ONLY subscribe to nanog@, you're missing a HUGE number of botnet reports.
-- 
Paul Vixie


Re: IRC Bot list (cross posting)

2005-02-09 Thread Bill Nash
[ Edited and resent, the first appears to have vanished in transit ]
I concede the point that operational tracking of botnets doesn't belong here, 
and I offer apologies to Martin, and the list in general, for not 
counting to ten before replying to his email. However, simply suppressing 
discussion of the topics isn't a good way to foster a cooperative working 
environment.

I'd like to thank those few folks who corrected me, today. I was wrong in 
what I felt was appropriate, and I shouldn't have gone off in the manner I 
did.

Moving to a more productive stance for this thread:
How many people have subbed in the past month? The past year? There's 
stuff in the FAQ about what's directly relevant to this particular list, 
but there are a million related sub-topics with low level chatter that 
would overwhelm a single list, like this one. Is there a helpful resource 
that references these lists, to give subscribers a better grasp on topic 
specific lists that other nanog users deem productive, clue packed and 
useful?

- billn


Re: IRC Bot list (cross posting)

2005-02-09 Thread Jim Popovitch

On Wed, 2005-02-09 at 22:04 -0800, Bill Nash wrote:
 Moving to a more productive stance for this thread:
 How many people have subbed in the past month? The past year? There's 
 stuff in the FAQ about what's directly relevent to this particular list, 
 but there are a million related sub-topics with low level chatter that 
 would overwhelm a single list, like this one. Is there a helpful resource 
 that references these lists, to give subscribers a better grasp on topic 
 specific lists that other nanog users deem productive, clue packed and 
 useful?

I don't know how relevant this is to your question, but since it was
part of the Subject here it goes:  The botlist MUST have been
interesting to a sizable number of NANOG'ers.  At least 305 people
(different IPs) downloaded the version that I posted here last night.

-Jim P.





Re: IRC Bot list (cross posting)

2005-02-08 Thread Stephen J. Wilcox

Hi,
 you probably didn't think of this but it might not be a good idea to publish a 
list of 3000 computers that can be infected/taken over for further nastiness.

if you can privately send me a list of IP addresses (no need to sort) i can
assist you to distribute this information securely?

Steve

On Tue, 8 Feb 2005, J. Oquendo wrote:

 
 
 On Tue, 8 Feb 2005, Justin Azoff wrote:
 
  I found an irc channel with 3000+ irc bots in it including a few hundred
  edu's.
  I have it posted at
 
  http://www.albany.edu/~ja6447/hacked_bots8.txt
 
 
 I started to sort them... Maybe I will finish when I get out of work or
 so. Here is the prettified/sorted list of the above...
 http://www.infiltrated.net/nanog-list-botlist
 
 lynx -dump http://www.infiltrated.net/nanog-list-botlist|grep -i $MYDOMAIN
 
 Further sorted
 http://www.infiltrated.net/nanog-botlist-comcast
 http://www.infiltrated.net/nanog-botlist-edu
 http://www.infiltrated.net/nanog-botlist-optonline
 http://www.infiltrated.net/nanog-botlist-vz
 http://www.infiltrated.net/nanog-botlist-cox
 http://www.infiltrated.net/nanog-botlist-mspring
 http://www.infiltrated.net/nanog-botlist-rr
 
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 J. Oquendo
 GPG Key ID 0x0D99C05C
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
 
 sil @ infiltrated . net http://www.infiltrated.net
 
 How a man plays the game shows something of his
 character - how he loses shows all - Mr. Luckey
 



Re: IRC Bot list (cross posting)

2005-02-08 Thread Gadi Evron
Stephen J. Wilcox wrote:
> Hi,
>  you probably didn't think of this but it might not be a good idea to publish a
> list of 3000 computers that can be infected/taken over for further nastiness.
>
> if you can privately send me a list of IP addresses (no need to sort) i can
> assist you to distribute this information securely?

I don't reply to posts just to agree in quite a few years now. In this 
case I feel very strongly about it, though.

Me Too!
I am sure these 3K users will appreciate getting re-pwned by 20 Bad Guys 
from nanog.

	Gadi.


Re: IRC Bot list (cross posting)

2005-02-08 Thread Jim Popovitch

On Tue, 2005-02-08 at 20:13 -0500, J. Oquendo wrote:
 
 On Tue, 8 Feb 2005, Justin Azoff wrote:
 
  I found an irc channel with 3000+ irc bots in it including a few hundred
  edu's.
  I have it posted at
 
  http://www.albany.edu/~ja6447/hacked_bots8.txt
 
 
 I started to sort them... Maybe I will finish when I get out of work or
 so. Here is the prettified/sorted list of the above...
 http://www.infiltrated.net/nanog-list-botlist

Here's a different version of the above, host'ed, awk'ed and sorted.
NOTE: several of those hostnames did not resolve, so this list is not an
exact duplicate.

http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted

-Jim P.






Re: IRC Bot list (cross posting)

2005-02-08 Thread Jim Popovitch

On Tue, 2005-02-08 at 23:01 -0500, Jim Popovitch wrote:
 Here's a different version of the above, host'ed, awk'ed and sorted.
 NOTE: several of those hostnanes did not resolve, so this list is not an
 exact duplicate.
 
 http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted

If you grabbed this in the past few minutes, you might want to re-grab
it.  I didn't realize that there were some IP addrs in the original
file.  I regenerated the list and there are now 3085 IPs in that list.

-Jim P.







Re: IRC Bot list (cross posting)

2005-02-08 Thread william(at)elan.net


Wasn't there supposed to be special mail list setup for botnet tracking?

If so can we please move this thread there and not continue it on main 
nanog list... 

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]




Re: IRC Bot list (cross posting)

2005-02-08 Thread Bill Nash

You don't mass an army if you're not about to use it. This situation can 
(very quickly) have operational relevance. Bringing it to light to a wider 
forum than special interest groups is a good idea.

You'd certainly care more if it was pointed at you.
- billn
On Tue, 8 Feb 2005, william(at)elan.net wrote:

> Wasn't there supposed to be special mail list setup for botnet tracking?
> If so can we please move this thread there and not continue it on main
> nanog list...



Re: IRC Bot list (cross posting)

2005-02-08 Thread william(at)elan.net


On Tue, 8 Feb 2005, Bill Nash wrote:
 
 You don't mass an army if you're not about to use it. 

3000 is no longer that large, maybe a brigade but not an army...

 This situation can  (very quickly) have operational relevance. 

If every botnet investigation is brought up at nanog, the list itself will 
lose relevance.

 Bringing  it to light to a wider  forum than special interest groups is 
 a good idea.

Appropriate people already saw the list and will take care. There are also
special tools available that will take list of ip addresses and notify 
appropriate networks, doing it manually and then letting all list know 
(especially nanog which has not only whitehats but number of blackhats)
is in itself a security issue as has already been pointed out.

---
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: IRC Bot list (cross posting)

2005-02-08 Thread Scott Weeks



: Wasn't there supposed to be special mail list setup for botnet
: tracking?
:
: If so can we please move this thread there and not continue it on main
: nanog list...



Why worry?  It's a done deal...

scott



RE: IRC Bot list (cross posting)

2005-02-08 Thread Hannigan, Martin


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Bill Nash
 Sent: Wednesday, February 09, 2005 12:37 AM
 To: william(at)elan.net
 Cc: [EMAIL PROTECTED]
 Subject: Re: IRC Bot list (cross posting)
 
 
 
 
 
 You don't mass an army if you're not about to use it. This 
 situation can 
 (very quickly) have operational relevance. Bringing it to 
 light to a wider 
 forum than special interest groups is a good idea.
 
 You'd certainly care more if it was pointed at you.
 
 - billn


Bill, haven't we been here before? :)

There's TWO places that are doing this botnet stuff and 
the NANOG AUP discourages cross posting.

I for one certainly don't want yet another list full of
botnet stuff. 

 


RE: IRC Bot list (cross posting)

2005-02-08 Thread Bill Nash
On Wed, 9 Feb 2005, Hannigan, Martin wrote:
> Bill, haven't we been here before? :)
> There's TWO places that are doing this botnet stuff and
> the NANOG AUP discourages cross posting.
> I for one certainly don't want yet another list full of
> botnet stuff.

And I'm not subscribed to either. Yet, I've no less than a /19 of space 
under my purview and I don't believe that publishing botnet lists in the 
manner that has been done is either off topic, or off charter. Some of us, 
as hosting providers or similar entities, have network costs to keep to a 
minimum. For those of us with security concerns, a heads up to 
compromised hosts within our bailiwick will *always* be appreciated.

Yes, we've been here before. I'm not sure what the view is like from your 
horse, but I imagine it's very different from mine, since my job security 
is based on performance, not monopoly backing. This kind of topical 
suppression is as bad as draconian moderation. In the years I've been 
subscribed to nanog, I've taken a very simple stance to threads I'm not 
interested in: I ignored them. I highly suggest you do the same, because 
frankly, I'm rapidly tiring of your condescension. What exactly is it that 
makes your viewpoint more important than mine? Based on the simple 
evidence that you're literate, I'm going to guess that you can read, and 
delete, an accurately described thread by interpreting the subject line.

Various persons put forth some amount of effort to, graciously, give other 
operators a heads up to the ongoing/potential abuse of their networks, and 
you're concerned about topical relevance? Why aren't you, in the least, 
THANKING them for their efforts? Maybe it's because these thousands of 
drones are being used to pump out spam across the internet, which may 
require (at some point) some form of domain registration at the end site 
pushing whatever product, which at later trickles into Verisign's coffers?

If you're not going to be part of a productive solution, do us a favor and 
stop getting in the way of people actually trying to do something useful.

- billn