Re: Destructive botnet originating from California (was Japan)

2005-12-25 Thread Barrett G. Lyon


I would have sent out a clean list sorted via AS and IP, except I  
have been working from vacation on GPRS via my 1 bar of service on my  
cell phone.  Cleaning up lists is rather painful for me in that  
situation.  I'm pretty sure Rob Thomas cleaned up the list and added  
it to Team Cymru's stuff.


As a side note, I did apply to nsp-sec a while back and I was told to  
do something like download SNORT or join a snort discussion list.  I  
thought that was pretty telling.  I run into a lot of information daily  
and this was messy enough for me to post to NANOG about it.  I was  
just trying to do the right thing.


If the right thing is to post this information to a more private  
list, then I would do so.  However, I think it has been beneficial to  
get this information out to the public where they can actually do  
something about it.  I've been getting emails from a lot of people  
thanking me for the posts because they were able to identify a lot of  
messy traffic on their network and put an end to it.  Posting  
information like this to a private list may not have accomplished  
much.  I think the data should most certainly go on the Team Cymru  
list, but why not to a large public forum, putting it in the faces of the  
people that are responsible?


This should be another thread completely, but I am wondering about  
the liability of the individuals who have owned machines that are  
attacking me/my clients.  I'm not a lawyer but I would assume that  
tort liability law could apply and find someone liable for allowing  
their machine to DDoS people.  There is no precedent for this, but  
maybe a few lawsuits could set one?  I'm not saying I (Prolexic)  
would do this, but if someone sued the owners of the machines in  
civil court and won, maybe that would put a hell of a lot more  
pressure on people that run a dirty network or machine.  It may place  
responsibility on some of these people that say, "we don't care what  
our users do".  Have bots?  Go to court...  I'm really interested in  
comments on this.  Has anyone tried?


-Barrett




On Dec 25, 2005, at 2:36 PM, Jon Lewis wrote:


> On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
>
> > The first rule of nsp-sec is, you do not talk about nsp-sec
> > The second rule of nsp-sec is, you DO NOT talk about nsp-sec
>
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> There's nothing secret about the existence or purpose of the list.
>
> I don't know enough about Barrett to guess as to whether or not
> he'd qualify.
>
> Also, I was considering emailing Barrett privately, but since there
> seems to be so much misinformation going around, others will
> probably benefit from this.  If you want to send out a list of IPs
> suspected of being bots or really any other class of insecure/0wn3d
> systems, to make it easier for those who care to find their IPs in
> your list, run it through the Team Cymru whois server first.
>
> http://www.cymru.com/BGP/whois.html
>
> Then sort the list numerically by ASN.  That way, people can scroll
> through it, or search by ASN, and quickly determine if there's any
> further action worth taking.
>
> It's also a really good idea to include timestamps, ideally exact
> ones in GMT per IP.  In this case (unix bots) it's not as likely,
> but typical windows bots frequently show up on end-user systems
> with dynamic IPs. Telling me one of my dial pool IPs was a bot
> "recently" is not as useful as telling me it was a bot 2005-12-25
> 02:30:45 GMT.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
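Jon Lewis's three-step tidy-up (ASN lookup, sort by ASN then IP, exact GMT timestamp per IP) as an added runnable example; this is not code from the thread or from Team Cymru. The sighting list and the whois reply are constructed inline, and the pipe-separated reply layout, AS numbers, prefixes and AS names are assumptions standing in for a live bulk query.

```python
# Added example (not from the thread): tidy a bot-IP report the way Jon Lewis
# suggests: map each IP to its origin ASN, sort numerically by ASN then IP,
# and emit one exact GMT timestamp per IP so dynamic-pool owners can act on it.
import ipaddress
from datetime import datetime, timezone

# Constructed sighting log: (ip, unix epoch seconds of the last observed attack).
SIGHTINGS = [
    ("192.0.2.77", 1135477845),
    ("198.51.100.9", 1135470000),
    ("203.0.113.5", 1135480000),
    ("192.0.2.10", 1135478000),
]

# Constructed stand-in for a Team Cymru bulk whois reply (assumed verbose layout:
# AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name). The AS numbers,
# prefixes and names are made up for this example; 'NA' marks an unrouted IP.
CYMRU_REPLY = """\
Bulk mode; whois.cymru.com [2005-12-25 02:30:45 +0000]
64500   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-NET-A
64496   | 198.51.100.9     | 198.51.100.0/24     | US | arin     | 2001-01-01 | EXAMPLE-NET-B
NA      | 203.0.113.5      | NA                  | NA | NA       | NA         | NA
64500   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-NET-A
"""

def parse_cymru_reply(text):
    """Return {ip: (asn or None, as_name)} from a pipe-separated bulk reply."""
    table = {}
    for line in text.splitlines():
        if "|" not in line:          # skip the banner line
            continue
        fields = [f.strip() for f in line.split("|")]
        asn = int(fields[0]) if fields[0].isdigit() else None  # 'NA' -> None
        table[fields[1]] = (asn, fields[6])
    return table

def build_report(sightings, asn_table):
    """Rows (asn, ip, gmt_timestamp, as_name) sorted by ASN, then numeric IP.
    IPs with no ASN sort last so they are not silently dropped."""
    rows = []
    for ip, epoch in sightings:
        asn, name = asn_table.get(ip, (None, "NA"))
        ts = datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")
        rows.append((asn, ip, ts, name))
    return sorted(rows, key=lambda r: (r[0] is None, r[0] or 0, ipaddress.ip_address(r[1])))

if __name__ == "__main__":
    for asn, ip, ts, name in build_report(SIGHTINGS, parse_cymru_reply(CYMRU_REPLY)):
        print(f"AS{asn if asn is not None else 'NA':<7} {ip:<16} {ts}  {name}")
```

The sort key uses `ipaddress` so 192.0.2.10 lands before 192.0.2.77 (a plain string sort would not), and the whole list stays IPv4 so the address comparison never mixes families.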




Re: Destructive botnet originating from California (was Japan)

2005-12-25 Thread Rob Thomas

Hi, NANOGers.

] I think the data should most certainly go on the Team Cymru list...

Just a point of clarification:  There is no "Team Cymru list."  There
are lots of public and private lists, and none of them belong solely
to Team Cymru (well, OK, there is bogon-announce, but...).

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: Destructive botnet originating from California (was Japan)

2005-12-25 Thread Jon Lewis


On Sun, 25 Dec 2005, Barrett G. Lyon wrote:

> I would have sent out a clean list sorted via AS and IP, except I have been 
> working from vacation on GPRS via my 1 bar of service on my cell phone.


What's vacation?

I gather Prolexic isn't a one man shop.  Nobody else had a better internet 
connection and a few minutes to tidy up the data and make the post?


> If the right thing is to post this information to a more private list, then I 
> would do so.  However, I think it has been beneficial to get this information 
> out to the public where they can actually do something about it.  I've been


I didn't say nanog wasn't a good place to post the info...or that there 
aren't better places.  Just that if you want people to take action based 
on the data, present it in a more reader-friendly and meaningful format. 
Also, mixing IPs and PTRs in such a report is not a great idea.  I 
actually did scan through the message looking for any of my prefixes and 
$work's primary domain name.  If there was a PTR for some customer of ours 
in their own domain, I didn't see it, but I also didn't look for it. 
Posting data by ASN/IP totally avoids that issue and makes looking for 
your ASN(s) trivial.


> getting emails from a lot of people thanking me for the posts because they were 
> able to identify a lot of messy traffic on their network and put an end to 
> it.  Posting information like this to a private list may not have 
> accomplished much.


I don't see a problem with posting it to both or as many appropriate lists 
as you can find.  Nanog is kind of geo-specific though.  Other lists might 
have much broader representation from the entire internet.


> This should be another thread completely, but I am wondering about the 
> liability of the individuals who have owned machines that are attacking 
> me/my clients.  I'm not a lawyer but I would assume that tort liability law 
> could apply and find someone liable for allowing their machine to DDoS 
> people.


IANAL either, but if I steal your car and run someone over with it, are 
you liable?  Should you be?  Computers are "stolen" or at least 
commandeered on the internet at an alarming rate because those who do it 
know that odds are, they won't get caught.  And if they are caught, odds 
are, nothing will happen.  And there's apparently considerable profit in 
the sale of commandeered systems or services provided by them.  I doubt 
you'll get anywhere trying to make an example of someone whose system was 
hacked or even just "used improperly".  I really don't think this problem 
can be solved by scaring sysadmins or corporations.  There will always be 
security holes.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Destructive botnet originating from California (was Japan)

2005-12-25 Thread Hannigan, Martin

How's the mitigation going? We can argue semantics at Dallas NANOG.



 -Original Message-
From:   Jon Lewis [mailto:[EMAIL PROTECTED]]
Sent:   Sun Dec 25 22:23:19 2005
To: Barrett G. Lyon
Cc: NANOG
Subject:    Re: Destructive botnet originating from California (was Japan)
Re: Destructive botnet originating from California (was Japan)

2005-12-26 Thread Barrett G. Lyon



On Dec 25, 2005, at 7:21 PM, Jon Lewis wrote:



> On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
>
> > I would have sent out a clean list sorted via AS and IP, except I
> > have been working from vacation on GPRS via my 1 bar of service on
> > my cell phone.
>
> What's vacation?
>
> I gather Prolexic isn't a one man shop.  Nobody else had a better
> internet connection and a few minutes to tidy up the data and make
> the post?


There are special considerations that should be taken while posting  
public data, so I take responsibility for public postings.  Our team  
makes sure everything else is running as usual.  In the future I would  
like to formulate an internal policy and structure that helps us  
correctly post data on public forums without my involvement.


> IANAL either, but if I steal your car and run someone over with it,
> are you liable?  Should you be?  Computers are "stolen" or at least
> commandeered on the internet at an alarming rate because those who
> do it know that odds are, they won't get caught.  And if they are
> caught, odds are, nothing will happen.  And there's apparently
> considerable profit in the sale of commandeered systems or services
> provided by them.  I doubt you'll get anywhere trying to make an
> example of someone whose system was hacked or even just "used
> improperly".  I really don't think this problem can be solved by
> scaring sysadmins or corporations.  There will always be security
> holes.


If they have had notice about the problem and that the problem may  
damage or cause harm to others, then the question is: did they act as  
a reasonable service provider?  If they failed to act as a reasonable  
service provider to the compromised machine, then they are negligent.


In your car situation, if you know your car has been stolen, or if  
you have the ability to prevent it, then you could possibly be  
negligent.  If you left a car with the engine running and the keys in  
it, and you left it in a grammar school playground and your example  
happens, you are negligent.


If we contact an ISP and tell them about a machine that is causing  
harm, and we provide correct documentation, and they choose to do  
nothing about it, I would say they are a negligent ISP and could be  
open for litigation.


We have a couple of huge bank customers; they refused to use any  
mitigation methods that involve syn-cookies because of the liability  
that causes.  They were so concerned that a SYN flood would be  
relayed off a syn-cookie "guard" and be used to attack a competitor  
as well.  Their legal teams refused to take the liability because  
that case would have had to be settled for a huge sum of money.  As a  
result they looked for solutions that do not use syn-cookies to defend  
against syn floods.


If an ISP knew they could be found negligent then the community that  
uses Arbor and other techniques to detect inbound attacks may use it  
to detect and stop outbound attacks as well.  I think it would raise  
the bar of responsibility and responsiveness.  Otherwise, we will  
just sit and bitch about problems until there is a better protocol  
than the old one we use now.


-Barrett