nanog mailing list archives
Re: Sobig.f surprise attack today
From: Mike Tancsa <mike () sentex net>
Date: Thu, 28 Aug 2003 16:12:11 -0400
At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote:
> Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS > blacklist > based on such connections to a honeypot. Any system which made the correct > request could then have it's address published via BGP or DNS for ISPs and > the like to do as they wish. an infected host dnsrbl doesnt sound like a bad idea...
I dont think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through quite a few dynamic IP addresses along the way.
---Mike
Current thread:
- Re: Sobig.f surprise attack today, (continued)
- Re: Sobig.f surprise attack today Andrew Kerr (Aug 22)
- Re: Sobig.f surprise attack today Jay Hennigan (Aug 22)
- Re: Sobig.f surprise attack today Andrew Kerr (Aug 22)
- Re: Sobig.f surprise attack today Petri Helenius (Aug 22)
- Re: Sobig.f surprise attack today Jay Hennigan (Aug 22)
- Message not available
- Re: Sobig.f surprise attack today Owen DeLong (Aug 22)
- Re: Sobig.f surprise attack today Doug Barton (Aug 22)
- Re: Sobig.f surprise attack today Owen DeLong (Aug 28)
- Re: Sobig.f surprise attack today Dan Hollis (Aug 28)
- Re: Sobig.f surprise attack today Mike Tancsa (Aug 28)
- Re: Sobig.f surprise attack today Petri Helenius (Aug 28)
- Re: Sobig.f surprise attack today Mike Tancsa (Aug 28)
- Re: Sobig.f surprise attack today Patrick Muldoon (Aug 28)
- Re: Sobig.f surprise attack today Damian Gerow (Aug 28)
- Re: Sobig.f surprise attack today Petri Helenius (Aug 28)
- Re: Sobig.f surprise attack today Mike Tancsa (Aug 28)
- Re: Sobig.f surprise attack today steve uurtamo (Aug 22)