nanog mailing list archives

Re: scripts to map IP to AS?


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Thu, 20 Feb 2003 09:41:09 -0500



There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets, 
and I'd like to start blocking routing to those irresponsible AS's 
that haven't blocked their miscreant customers.

It's too early for such harsh measures. Unless you can live without 
most major consumer ISPs.

I don't have the AS data handy, but here is a quick list of the top 20
domains with number of Sapphire infected hosts:


    948 uu.net   ( 943 of which are 'da.uu.net' )
    796 attbi.com   ( 501 are client.attbi.com. 295 client2.attbi.com. )
    490 qwest.net   ( 488 are da.qwest.net )
    445 att.net     ( 438 are dial-access.att.net)
    416 rr.com
    408 btopenworld.com
    395 rasserver.net
    376 comcast.net
    333 ipt.aol.com
    304 com.br
    279 pacbell.net
    272 tpnet.pl
    267 dsl-verizon.net
    259 net.au
    253 ttd.es
    243 cable.rogers.com
    224 mindspring.com  (152 are dialup.mindspring.com)
    220 dyn.optonline.net
    217 net.br
    205 ne.jp



http://isc.sans.org/port_details.html?port=1434
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32



-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

