nanog mailing list archives
RE: Infected list
From: "Scott Morris" <swm () emanon com>
Date: Mon, 26 Dec 2005 14:14:32 -0500
Not to mention that many IPs may be set to one device, yet there are multiple things NAT'd behind it. Perhaps they're even non-related folks.

Do we go after the ISP, the smaller ISP, the Starbucks WiFi hotspot (example), or the user with the compromised laptop that plugged in at whatever time that was???

Scott

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Richard Cox
Sent: Monday, December 26, 2005 12:24 PM
To: nanog () merit edu
Subject: Re: Infected list

On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <robt () cymru com> wrote:
Here is Barrett's list, including and sorted by ASN.
And even that won't be sufficient for many networks to take action. A lot of people provide lists of the IPs that spam/attack/etc them, but do not provide the actual time. Since many "consumer" networks are running DHCP, they will have no way to know which of their many customers using the claimed IP on the day in question was actually an attacker, and so they will almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include: Date/Time (preferably UTC), exact IP (as hostnames can have multiple A-records) and AS number.

--
Richard
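
Added example, not part of the original messages: a sketch of the lookup an abuse desk on a DHCP network has to perform, showing why a report with only an IP and a date cannot be tied to one customer while an IP plus a time-zone-qualified timestamp can. The lease table, addresses and subscriber ids are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed DHCP lease history: (ip, lease start, lease end, subscriber).
# Addresses are from the documentation range; subscriber ids are invented.
LEASES = [
    ("198.51.100.23", "2005-12-25T00:10:00Z", "2005-12-25T09:40:00Z", "cust-1041"),
    ("198.51.100.23", "2005-12-25T09:45:00Z", "2005-12-25T18:05:00Z", "cust-2207"),
    ("198.51.100.23", "2005-12-25T18:30:00Z", "2005-12-26T02:00:00Z", "cust-0388"),
    ("198.51.100.77", "2005-12-24T22:00:00Z", "2005-12-26T22:00:00Z", "cust-5150"),
]

def parse_utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"no time zone given, cannot place in UTC: {ts}")
    return dt.astimezone(timezone.utc)

def report_window(when):
    """Return the (first, last) UTC instants a report's time field covers."""
    if len(when) == 10:  # date only: the report could mean any time that day
        first = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        return first, first + timedelta(days=1) - timedelta(microseconds=1)
    instant = parse_utc(when)
    return instant, instant

def candidates(ip, when, leases=LEASES):
    """Subscribers who held `ip` at any point in the reported window."""
    addr = ip_address(ip)  # rejects hostnames: an exact IP is required
    first, last = report_window(when)
    return [sub for lease_ip, start, end, sub in leases
            if ip_address(lease_ip) == addr
            and parse_utc(start) <= last and first < parse_utc(end)]

if __name__ == "__main__":
    for when in ("2005-12-25", "2005-12-25T13:33:44Z",
                 "2005-12-25T13:33:44-06:00"):
        print(when, "->", candidates("198.51.100.23", when))
```

The same wall-clock time resolves to a different subscriber depending on the offset attached to it, which is the practical reason for preferring UTC in reports.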
Current thread:
- Infected list Barrett G. Lyon (Dec 25)
- Re: Infected list Rob Thomas (Dec 25)
- Re: Infected list Richard Cox (Dec 26)
- Re: Infected list Rob Thomas (Dec 26)
- RE: Infected list Scott Morris (Dec 26)
- Re: Infected list Florian Weimer (Dec 26)
- RE: Infected list Scott Morris (Dec 26)
- Re: Infected list Richard Cox (Dec 26)
- Re: Infected list Rob Thomas (Dec 25)