nanog mailing list archives

Re: anti-spam vs network abuse


From: Richard Irving <rirving () onecall net>
Date: Fri, 28 Feb 2003 17:45:09 -0500


Len Rose wrote:

> Scanning is always a precursor to an attack, or to determine if any obvious
> methodology can be used to attack. At least that's how it has been
> historically viewed.

  See my other post. MAPS assists users in closing their "innocent"
relay capable systems. And, FWIW, pro-active probing -can- provide
a great service to the "less than clueful" end users.

Scenario:

   MR. ISP A, we received over 300mbs from your network last
week, as it participated in a 1500-bot attack of K ROOT SERVER...

  We have determined, via access list, that the following IPs
appear to be the source of this attack, and we suspect have been 
compromised by the "koo-koo-ka-chooo" worm. 

 We have not confirmed the identity of the worm,
as the attack worm has yet to be identified, and isolated,
conclusively.

 However, we have found all sources that participated in
this attack had port 6667 and ports 7777 open.

This led us to hypothesize that it was the "koo-koo-ka-choo"
worm...

 Several of these sites are under your Administration....

Attached, please find the list of infected servers....

 Any information regarding this worm, and the servers' subsequent
sterilization, would be appreciated.

Signed,

 The Administration of -=Your=- NSP.

> In my opinion there is no legitimate reason to scan a remote host or network
> without the permission of the owners. Otherwise it is in fact excessive
> behaviour.

 See above.

