Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: botnet reporting by AS - what about you?

  • From: Hannigan, Martin
  • Date: Sat Aug 13 00:09:15 2005

Title: Re: botnet reporting by AS - what about you?

I was on it and unsubscribed. They wouldn't disclose the collection or validation process at that time. This made it useless for the most part as its hard to act on someones word without some idea of how they are getting their data and avoiding collateral damage.

I'm not saying there aren't valid zombies on it, but my criteria for a list that identifies rogues includes trust. I have lists I felt were more trustworthy than DA.

Things may have changed.

Martin



 -----Original Message-----
From:   Christopher L. Morrow [mailto:christopher.morrow@mci.com]
Sent:   Fri Aug 12 23:56:53 2005
To:     Fergie (Paul Ferguson)
Cc:     nanog@merit.edu
Subject:        Re: botnet reporting by AS - what about you?




On Sat, 13 Aug 2005, Fergie (Paul Ferguson) wrote:

> Chris,
>
> I can assure you that the Drone Army project is not run that
> way, and is quite useful, effective, etc.
>
> The folks behind the DA Project are certainly professionals...
> ...and the infromation is quite useable, parse-able, and genuine.

cool, among the 800k+ complaints we see a month (yes, 800k) there are
quite a few completely useless ones :( Anything sent in as a complaint has
to have complete and useful information, else it's hard/impossible to
action properly.

It'd help if the format it was sent in was also machine parseable :) With
800k+ complaints/month I'm not sure people want to spend time figuring
each one out, a script/machine should be doing as much as possible.

>
> - ferg
>
> -- "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:
>
> perhaps we could back up and ask:
>
> 1) why are you not using the arin/ripe/apnic/japnic/krnic/lacnic poc's for
> these asn's? certainly some are not up to date, but there are a large
> number that are...
> 2) what is this for again?
> 3) are you planning on sending something to these poc's?
> 4) what are you planning on sending to them?
> 5) how often should they expect to see something, and from 'whom'?
> 6) looked at the INCH working group in IETF, thought about using some of
> these evolving standards for your alerts/messags/missives?
> 7) please don't send in bmp files of traceroutes (make the info you send
> in complete and usable... 'I saw a bot on ip 12' is not useable, as an
> fyi)
>
> -Chris
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg@netzero.net or fergdawg@sbcglobal.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.