Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: anti-spam vs network abuse

  • From: Richard Irving
  • Date: Fri Feb 28 17:47:58 2003

Len Rose wrote:
> Scanning is always a precursor to an attack, or to determine if any obvious
> methodology can be used to attack. At least that's how it has been
> historically viewed.

  See my other post. MAPS assists users in closing their "innocent"
relay capable systems. And, FWIW, pro-active probing -can- provide
a great service to the "less than clueful" end users.


   MR. ISP A, we received over 300mbs from your network last
week, as it participated in a 1500-bot attack of K ROOT SERVER...

  We have determined, via access list, that the following IP's 
appear to be the source of this attack, and we suspect have been 
compromised by the "koo-koo-ka-chooo" worm. 

 We have not confirmed the identity of the worm,
as the attack worm has yet to be identified,  and isolated,

 However, we have found all sources that participated in
this attack had port 6667 and ports 7777 open.

This lead us to hypothesize that it was the "koo-koo-ka-choo"

 Several of these sites are under your Administration....

Attached, please find the list of infected servers....

 Any information regarding this worm, and the servers subsequent
sterilization, would be appreciated.


 The Admininstration of -=Your=- NSP.

> In my opinion there is no legitimate reason to scan a remote host or network
> without the permission of the owners. Otherwise it is in fact excessive
> behaviour.

 See above.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.