Re: Destructive botnet originating from Japan

2005-12-25 Thread Richard A Steenbergen

On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
> 
> It is difficult to hear something important that one invested much in is
> doing harm, but that is the only conclusion I and others can come up with
> after years of study, and NSP-SEC, as amazing as it has been, has been of
> a negative impact other than to cause a community to form and act
> together. Which is amazing by itself and which is why I believe it
> can do so much more.. even if it is relatively young it has proven
> itself time and time again... I am straying from the subject here.

Could have told you that a long time ago. NSP-SEC became useless the day 
it became so bogged down in its own self-aggrandizing paranoia that no one 
could possibly be bothered to actually tell anyone outside of the secret 
handshake club about security issues they've spotted.

On the other hand, if you ARE going to sit around pissing and moaning 
about botnets you are too "sekure" to tell anyone else about, thus 
assuring they never get fixed, at least it's nice to do it in one secret 
place so I don't have to hear it. :)

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: Destructive botnet originating from Japan

2005-12-25 Thread Gadi Evron

On Sun, 25 Dec 2005, Richard A Steenbergen wrote:
> On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
> > 
> > It is difficult to hear something important that one invested much in is
> > doing harm, but that is the only conclusion I and others can come up with
> > after years of study, and NSP-SEC, as amazing as it has been, has been of
> > a negative impact other than to cause a community to form and act
> > together. Which is amazing by itself and which is why I believe it
> > can do so much more.. even if it is relatively young it has proven
> > itself time and time again... I am straying from the subject here.
> 
> Could have told you that a long time ago. NSP-SEC became useless the day 
> it became so bogged down in its own self-aggrandizing paranoia that no one 
> could possibly be bothered to actually tell anyone outside of the secret 
> handshake club about security issues they've spotted.
> 
> On the other hand, if you ARE going to sit around pissing and moaning 
> about botnets you are too "sekure" to tell anyone else about, thus 
> assuring they never get fixed, at least it's nice to do it in one secret 
> place so I don't have to hear it. :)


There is a lot to be said of NSP-SEC which is positive, not much which is 
negative. I am not sure where we would be today if not for NSP-SEC.
Further, I believe that:
1. In today's world secret-handshake clubs for all-white all-rich
all-christians are necessary for our security.
2. Much of what is being kept secret is silly, for the Bad Guys have that 
information and the Good Guys fight day and night to try and grab a bit
of it.

In my opinion working with other communities and industries, as long as
security can be maintained in a vetted environment is critical. That said,
it has always been my goal to make public as much data as *possible*.

As to NSP-SEC, it is off-topic for this list to discuss NSP-SEC policies
and people here should be thankful it is there. NSP-SEC officials can
reply if they like, but I doubt they will bother as they as well as the
rest of us know what they are worth.

As to their arrogance... I believe it is ignorance (!- stupidity) of the
harm they cause and I will probably get flamed for saying this as I really
hold them in an extremely high regard.. but that is how I and everyone else
who has worked on botnets beyond network operations that I know personally
and discussed this with will call it.

Gadi



Re: Destructive botnet originating from Japan

2005-12-25 Thread Hannigan, Martin

What's nsp-sec?



Re: Destructive botnet originating from Japan

2005-12-25 Thread Randy Bush

> What's nsp-sec?

A bot chasers' list. 


randy
___
sent from a handheld, so even more terse than usual :-)


Re: Destructive botnet originating from Japan

2005-12-25 Thread Rubens Kuhl Jr.

The first rule of nsp-sec is, you do not talk about nsp-sec
The second rule of nsp-sec is, you DO NOT talk about nsp-sec


Rubens


On 12/25/05, Hannigan, Martin <[EMAIL PROTECTED]> wrote:
>
>
>
> What's nsp-sec?


Re: Destructive botnet originating from Japan

2005-12-25 Thread Jon Lewis


On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:

> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec


https://puck.nether.net/mailman/listinfo/nsp-security

There's nothing secret about the existence or purpose of the list.

I don't know enough about Barrett to guess as to whether or not he'd 
qualify.


Also, I was considering emailing Barrett privately, but since there seems 
to be so much misinformation going around, others will probably benefit 
from this.  If you want to send out list of IPs suspected of being bots or 
really any other class of insecure/0wn3d systems, to make it easier for 
those who care to find their IPs in your list, run it through the Team 
Cymru whois server first.


http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN.  That way, people can scroll 
through it, or search by ASN, and quickly determine if there's any further 
action worth taking.


It's also a really good idea to include timestamps, ideally exact ones in 
GMT per IP.  In this case (unix bots) it's not as likely, but typical 
windows bots frequently show up on end-user systems with dynamic IPs. 
Telling me one of my dial pool IPs was a bot "recently" is not as useful 
as telling me it was a bot 2005-12-25 02:30:45 GMT.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
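
The procedure Jon describes (push the IP list through the Team Cymru bulk
whois service, sort numerically by ASN, carry an exact GMT timestamp per IP)
as an added example script; it is not code from the thread or from Team
Cymru. It assumes the bulk interface on whois.cymru.com port 43 with its
"begin" / "verbose" / "end" request form and pipe-separated reply. The
sightings, their timestamps, the addresses (RFC 5737 ranges), the ASNs
(RFC 5398 range) and the reply text are constructed sample data standing in
for what a sensor logs and what the server answers, so the script runs
offline; swap in query_cymru() for a live lookup.

```python
"""Turn a raw list of suspected-bot sightings into an ASN-sorted report:
look the IPs up in Team Cymru's bulk whois, sort by ASN, and attach an
exact GMT timestamp to every IP.

Added example. SIGHTINGS, SAMPLE_RESPONSE and the ASNs in them are
constructed data (RFC 5737 addresses, RFC 5398 ASNs), not real bots."""
import socket
from datetime import datetime, timezone

# Constructed sightings: (ip, timestamp as a sensor logged it, with UTC offset)
SIGHTINGS = [
    ("203.0.113.7",  "2005-12-25 02:30:45 +0000"),
    ("192.0.2.44",   "2005-12-24 21:15:02 -0500"),
    ("198.51.100.9", "2005-12-25 11:42:10 +0900"),
    ("192.0.2.45",   "2005-12-24 21:20:17 -0500"),
    ("203.0.113.7",  "2005-12-25 03:01:12 +0000"),   # same host seen twice
]

# Constructed stand-in for the server's verbose bulk-mode answer (assumed layout).
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2005-12-25 19:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64500   | 203.0.113.7      | 203.0.113.0/24      | JP | apnic    | 2004-01-01 | EXAMPLE-JP
64496   | 192.0.2.44       | 192.0.2.0/24        | US | arin     | 2003-06-15 | EXAMPLE-US
64511   | 198.51.100.9     | 198.51.100.0/24     | BR | lacnic   | 2002-03-09 | EXAMPLE-BR
64496   | 192.0.2.45       | 192.0.2.0/24        | US | arin     | 2003-06-15 | EXAMPLE-US
NA      | 10.1.2.3         | NA                  | NA | NA       | NA         | NA
"""

def build_bulk_query(ips):
    """Bulk-mode request: 'begin', 'verbose', one unique IP per line, 'end'."""
    return "begin\nverbose\n" + "\n".join(sorted(set(ips))) + "\nend\n"

def query_cymru(ips, host="whois.cymru.com", port=43, timeout=20):
    """Send the bulk query over whois (TCP/43) and return the raw reply text.
    Network call; the offline run below uses SAMPLE_RESPONSE instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def parse_cymru_response(text):
    """Map IP -> (asn or None, bgp prefix, as name). Unrouted IPs answer 'NA'."""
    result = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("AS "):   # banner / header rows
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 7:
            continue
        asn = int(fields[0]) if fields[0].isdigit() else None
        result[fields[1]] = (asn, fields[2], fields[6])
    return result

def to_gmt(stamp):
    """Normalise 'YYYY-MM-DD HH:MM:SS +HHMM' to an exact GMT string."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")

def build_report(sightings, whois_map):
    """Rows sorted numerically by ASN, then IP, then time; unknown ASNs last."""
    rows = []
    for ip, stamp in sightings:
        asn, prefix, name = whois_map.get(ip, (None, "NA", "NA"))
        rows.append((asn, ip, prefix, name, to_gmt(stamp)))
    rows.sort(key=lambda r: (r[0] is None, r[0] or 0, r[1], r[4]))
    return rows

def format_report(rows):
    lines = ["ASN    | IP             | Prefix           | AS Name     | Seen (GMT)"]
    for asn, ip, prefix, name, seen in rows:
        asn_txt = "NA" if asn is None else str(asn)
        lines.append(f"{asn_txt:<6} | {ip:<14} | {prefix:<16} | {name:<11} | {seen}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Offline run on the constructed reply; for real data use query_cymru([ip for ip, _ in SIGHTINGS]).
    print(format_report(build_report(SIGHTINGS, parse_cymru_response(SAMPLE_RESPONSE))))
```

The sort key puts every row for one ASN together in numeric (not string)
order, so an operator can jump straight to their own ASN; the timestamp
conversion is what makes the dial-pool case tractable, since the same
dynamic IP can belong to a different customer an hour later.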


Re: Destructive botnet originating from Japan

2005-12-25 Thread Hannigan, Martin

(jon I know you didn't say, but the original must have got nailed in my spam filters)

The best thing about this statement is that since I don't report to nanog nsp-sec, or Tyler Durden, the first rule of fight club can kiss my arse.

But then again, this really isn't NANOG's business now is it? Or is it?

Happy Christmas folks!

:)


Marty


Re: Destructive botnet originating from Japan

2005-12-25 Thread Hannigan, Martin

Prolexic qualifies. They do what MCI, ATT, Arbor, and others do regarding ddos mitigation and, IMHO, should be a shoo-in. I was... subscribed and we are less valuable to the overall good so you decide (we do have presence there though). Verisign is not an SP. Critical infra is 'critical' (us) but the attacks come from you guys. Whoever can help. I vote for realism.

Marty


Re: Destructive botnet originating from Japan (fwd)

2005-12-24 Thread Barrett G. Lyon


Rob,

You made a good point on the duration of the attacks, I neglected to
notice the attack command was set to 9.  One of our engineers
logged the bot master issuing the attack command:

[EMAIL PROTECTED] PRIVMSG $127.0.0.1 :.dos 9 s|xxx.xxx.xxx.xxx|80

9 is the number of seconds, and 86400 seconds is 24 hours; slightly
over that we saw the bots stop attacking.  So they were not running
forever, but they did run on their own for about 27 hours.  It made our
NOC guys happy to see Christmas eve with a clean network.


You are also very correct on the force levels, Linux web servers are  
usually more connected than a cable modem user, so the bandwidth  
levels are much higher.  In the latest round of attack we have seen,  
the attack rates are growing near the 10 Gig range.  The PPS rates  
are also getting much higher seeing the fragmented UDP attacks  
getting packet sizes much smaller than a 64-byte SYN packet.


What I find shocking is that machines that should be more secured or  
at least monitored better appear to run for long periods going  
unnoticed.  It seems that some system administrators are just not  
paying attention to large outbound bursts from their networks.



-Barrett 


Re: Destructive botnet originating from Japan (fwd)

2005-12-24 Thread Stephen Stuart

> What I find shocking is that machines that should be more secured or  
> at least monitored better appear to run for long periods going  
> unnoticed.  It seems that some system administrators are just not  
> paying attention to large outbound bursts from their networks.

Sadly:

s/paying attention/able to detect/

at least in real time, versus when the monthly bandwidth bill comes.

Stephen


Re: Destructive botnet originating from Japan (fwd)

2005-12-25 Thread Barrett G. Lyon


The guy rebuilt his botnet last night, you may want to watch flows to  
AS32787 to find the bots on your network.



-Barrett
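
An added example, not code from the thread, of the two checks the last
few messages point at: finding your own hosts that have flows toward the
target AS (Barrett's "watch flows to AS32787"), and catching the large
small-packet outbound bursts that Barrett and Stephen say go undetected
until the bandwidth bill arrives. The flow export lines, the internal
prefix and the prefix-to-ASN table are constructed; in particular the
203.0.113.0/24 entry is a placeholder standing in for the target AS's
announcements, not AS32787's real prefixes, and the 10,000 pps and
64-byte thresholds are assumptions to be tuned against your own baseline.

```python
"""Hunt for bots on your own network from flow records: (1) list internal
sources sending toward a given ASN, (2) flag sources whose per-second
outbound packet rate is high while the average packet is SYN-sized or
smaller, the shape of the UDP-fragment / SYN floods described in the thread.

Added example. FLOWS, INTERNAL and PREFIX_TO_ASN are constructed; the
203.0.113.0/24 -> 32787 entry is a placeholder, not a real announcement."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed prefix table; in practice build it from your BGP table or a
# Team Cymru lookup of the destination addresses.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 32787,   # placeholder for the target AS
    ipaddress.ip_network("198.51.100.0/24"): 64511,
}
INTERNAL = ipaddress.ip_network("192.0.2.0/24")     # constructed customer space

# Constructed collector export, one flow per line:
# start (GMT), src, dst, proto, dport, packets, bytes
FLOWS = """\
2005-12-25 02:30:45,192.0.2.10,203.0.113.5,17,80,48000,2112000
2005-12-25 02:30:46,192.0.2.10,203.0.113.5,17,80,51000,2244000
2005-12-25 02:30:45,192.0.2.23,203.0.113.5,6,80,39000,2496000
2005-12-25 02:30:45,192.0.2.77,198.51.100.4,6,443,120,96000
2005-12-25 02:30:47,192.0.2.77,203.0.113.9,6,80,15,9000
"""

def asn_for(ip):
    """Longest-match is unnecessary here because the table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts, byts = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "proto": int(proto), "dport": int(dport),
            "packets": int(pkts), "bytes": int(byts),
        })
    return flows

def sources_talking_to_as(flows, target_asn):
    """src -> (first seen GMT, last seen GMT, total packets) for internal
    sources with any flow whose destination maps to target_asn."""
    seen = {}
    for f in flows:
        if ipaddress.ip_address(f["src"]) in INTERNAL and asn_for(f["dst"]) == target_asn:
            first, last, pk = seen.get(f["src"], (f["ts"], f["ts"], 0))
            seen[f["src"]] = (min(first, f["ts"]), max(last, f["ts"]), pk + f["packets"])
    return seen

def flood_suspects(flows, min_pps=10000, max_avg_bytes=64):
    """src -> peak packets/second, for internal sources that in some one-second
    bucket sent >= min_pps packets averaging <= max_avg_bytes each.
    Thresholds are assumptions; tune them to your own outbound baseline."""
    agg = defaultdict(lambda: [0, 0])           # (src, second) -> [packets, bytes]
    for f in flows:
        if ipaddress.ip_address(f["src"]) in INTERNAL:
            key = (f["src"], f["ts"].replace(microsecond=0))
            agg[key][0] += f["packets"]
            agg[key][1] += f["bytes"]
    suspects = {}
    for (src, _), (pk, by) in agg.items():
        if pk >= min_pps and by / pk <= max_avg_bytes:
            suspects[src] = max(suspects.get(src, 0), pk)
    return suspects

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for src, (first, last, pk) in sorted(sources_talking_to_as(flows, 32787).items()):
        print(f"{src:<14} -> AS32787  first {first} GMT  last {last} GMT  packets {pk}")
    for src, pps in sorted(flood_suspects(flows).items()):
        print(f"{src:<14} small-packet flood, peak {pps} pps")
```

The two views are deliberately separate: 192.0.2.77 in the sample talks
to the target AS with a 15-packet flow and should not be cut off on that
evidence alone, while the two hosts that appear in both lists are the
ones worth a call to the customer. Timestamps stay in GMT so the output
can be handed to another operator in the form Jon asks for.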