Re: botnet reporting by AS - what about you?

["Hannigan, Martin" <hannigan () verisign com>]

I was on it and unsubscribed. They wouldn't disclose the collection or validation process at that time. This made it 
useless for the most part as its hard to act on someones word without some idea of how they are getting their data and 
avoiding collateral damage.

I'm not saying there aren't valid zombies on it, but my criteria for a list that identifies rogues includes trust. I 
have lists I felt were more trustworthy than DA.

Things may have changed. 

Martin



 -----Original Message-----
From:   Christopher L. Morrow [mailto:christopher.morrow () mci com]
Sent:   Fri Aug 12 23:56:53 2005
To:     Fergie (Paul Ferguson)
Cc:     nanog () merit edu
Subject:        Re: botnet reporting by AS - what about you?




On Sat, 13 Aug 2005, Fergie (Paul Ferguson) wrote:

> Chris,
>
> I can assure you that the Drone Army project is not run that
> way, and is quite useful, effective, etc.
>
> The folks behind the DA Project are certainly professionals...
> ...and the infromation is quite useable, parse-able, and genuine.

cool, among the 800k+ complaints we see a month (yes, 800k) there are
quite a few completely useless ones :( Anything sent in as a complaint has
to have complete and useful information, else it's hard/impossible to
action properly.

It'd help if the format it was sent in was also machine parseable :) With
800k+ complaints/month I'm not sure people want to spend time figuring
each one out, a script/machine should be doing as much as possible.

> - ferg
>
> -- "Christopher L. Morrow" <christopher.morrow () mci com> wrote:
>
> perhaps we could back up and ask:
>
> 1) why are you not using the arin/ripe/apnic/japnic/krnic/lacnic poc's for
> these asn's? certainly some are not up to date, but there are a large
> number that are...
> 2) what is this for again?
> 3) are you planning on sending something to these poc's?
> 4) what are you planning on sending to them?
> 5) how often should they expect to see something, and from 'whom'?
> 6) looked at the INCH working group in IETF, thought about using some of
> these evolving standards for your alerts/messags/missives?
> 7) please don't send in bmp files of traceroutes (make the info you send
> in complete and usable... 'I saw a bot on ip 12' is not useable, as an
> fyi)
>
> -Chris
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg () netzero net or fergdawg () sbcglobal net
>  ferg's tech blog: http://fergdawg.blogspot.com/