Date: Mon, 14 Aug 2006 09:20:49 +0200
From: "mailing lists" <bofn@....org>
To: full-disclosure@...ts.grok.org.uk
Subject: unsubscribe

unsubscribe



On Sun, 13 Aug 2006 12:00:10 +0100 (BST) full-disclosure-request@...ts.grok.org.uk wrote:
> Send Full-Disclosure mailing list submissions to
> 	full-disclosure@...ts.grok.org.uk
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> 	full-disclosure-request@...ts.grok.org.uk
> 
> You can reach the person managing the list at
> 	full-disclosure-owner@...ts.grok.org.uk
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
> 
> 
> Note to digest recipients - when replying to digest posts, please trim your post
> appropriately. Thank you.
> 
> 
> Today's Topics:
> 
>    1. Re: Getting rid of Gadi Evron and Dude VanWinkle (Aaron Gray)
>    2. Re: Server Redundancy (wac)
>    3. what can be done with botnet C&C's? (fwd) (Gadi Evron)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 13 Aug 2006 01:25:18 +0100
> From: Aaron Gray <angray@...b.net>
> Subject: Re: [Full-disclosure] Getting rid of Gadi Evron and Dude
> 	VanWinkle
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <44DE716E.8020600@...b.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> l4m3r
> 
> vodka hooch wrote:
> > hi
> >  
> > for months now we've had to put up
> >  
> > now its time to shut up
> >  
> > how do i setup my gmail?
> >  
> > i know this is unmoderated list but im pulling my hair out to sift 
> > through the real email
> >  
> > please dont turn full dis into symantec trolltraq, hlp me! :)
> >  
> > -gs
> >  
> >
> > ------------------------------------------------------------------------
> > Yahoo! Messenger with Voice. Make PC-to-Phone Calls
> > <http://us.rd.yahoo.com/mail_us/taglines/postman1/*http://us.rd.yahoo.com/evt=39663/*http://voice.yahoo.com>
> > to the US (and 30+ countries) for 2¢/min or less.
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > ------------------------------------------------------------------------
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.405 / Virus Database: 268.10.9/417 - Release Date: 11/08/2006
> >   
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Sat, 12 Aug 2006 22:39:16 -0400
> From: wac <waldoalvarez00@...il.com>
> Subject: Re: [Full-disclosure] Server Redundancy
> To: "Tim Hecktor" <th@...ainbox.de>
> Cc: full-disclosure@...ts.grok.org.uk
> Message-ID:
> 	<be950f350608121939k48bcaf2ex7d3de004b36bc643@...l.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hi:
> 
> Thanks I'll check ipvs.
> 
> Regards
> Waldo
> 
> On 8/10/06, Tim Hecktor <th@...ainbox.de> wrote:
> >
> >  Hello,
> >
> > <Isn't there a way to map a name to several IPs?
> > <Or use aliases?
> >
> > Maybe this is what you are looking for:
> >
> > pandora:~# dig ftp.freenet.de
> >
> > ; <<>> DiG 9.2.1 <<>> ftp.freenet.de
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59136
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3
> >
> > ;; QUESTION SECTION:
> > ;ftp.freenet.de.                        IN      A
> >
> > ;; ANSWER SECTION:
> > ftp.freenet.de.         1457    IN      CNAME   ftp-0.freenet.de.
> > ftp-0.freenet.de.       600     IN      A       194.97.2.69
> > ftp-0.freenet.de.       600     IN      A       194.97.2.70
> > ftp-0.freenet.de.       600     IN      A       194.97.2.67
> > ftp-0.freenet.de.       600     IN      A       194.97.2.68
> >
> > This will map a name to more than one ip and will give you load-balancing
> > this way, but not real redundancy.
> > To map a service to different hosts redundant you can use a box running
> > ipvs. This box can be made redundant with a identical box using mon and
> > heartbeat to do ip failover.
> >
> > Best regards,
> >
> > Tim Hecktor
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060812/3579b5dd/attachment-0001.html
> 
> ------------------------------
> 
> Message: 3
> Date: Sun, 13 Aug 2006 01:43:35 -0500 (CDT)
> From: Gadi Evron <ge@...uxbox.org>
> Subject: [Full-disclosure] what can be done with botnet C&C's? (fwd)
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <Pine.LNX.4.21.0608130142220.11492-100000@...uxbox.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> Hi guys, here is a forward of my follow-up to the previous message.
> 
> 	Gadi.
> 
> ---------- Forwarded message ----------
> Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
> From: Gadi Evron <ge@...uxbox.org>
> To: botnets@...testar.linuxbox.org
> Subject: what can be done with botnet C&C's?
> 
> In my last email message I addressed some of the issues related to botnet
> C&C's and their mitigation. As mentioned, I waited to see what other
> experiences told other people, as well as glimpse the opinion of others here.
> 
> In this message I will try and address some of the questions asked, but
> once again limiting myself mostly to JUST networking rather than the whole
> realm of botnet fighting.
> 
> "I work on this [C&C] for 30 days, only to find out one of you took it
> down."  -- US Federal Agent, two days ago, ISOI (DA Workshop).
> 
> And still, sticking to networking issues, as obviously we cannot yet
> depend on law enforcement to protect our networks for us, how do we handle
> C&C's?
> 
> When we kill them (and by "kill" I naturally mean "report our suspicion
> to the responsible authority so they can investigate, confirm and proceed
> according to their AUP") we kill them, but only to our knowledge. They
> immediately move elsewhere we do not know about in our space or someone
> else's, maybe misplacing an extremely smallish percentage of their
> population while they are at it.
> 
> Okay, say I am right... What *can* we do?
> 
> We can take advantage:
> 
> 1. QoS and traffic limiting tools.
> Many tools created in recent years, and used extensively by many ISPs,
> regardless of any Net Neutrality legislation, are at our disposal and
> already implemented on our networks.
> 
> Much like, for business reasons, many of us would limit P2P, how about
> limiting the traffic to compromised users?
> 
> How, what and when is up to you.
> 
> You can know who your compromised users are by watching flows to C&C's.
> 
> 2. Blocking communication to C&C's.
> 
> Watch the flows, block the users from communicating out to them. Watch
> these users and see where else they are communicating in comparison to
> other users, en masse.
> 
> It's a matter of doing the same thing, for a different purpose.
> 
> 3. Walled garden and tech support costs.
> 
> Obviously, if any of these users call you (and they VERY OFTEN do), you
> lose money on them for a long time to come.. only they will call again.
> 
> A combination of quarantine, complete or partial, might work.
> 
> Combine that with what some already do, such as sell users Anti Virus
> products, and you get a nice deal. Add to that a support company to lend
> help to users, unrelated to tech support, by subscription, and you may
> just have more business avenues to explore.
> 
> 4. Stop internal network infections. It is unbelievable how the networks
> with the most bots are the networks that allow internal users to connect
> wherever they want within the network.
> 
> All these come to show that although responsiveness to C&C's is important
> (rather than shutting them down), on the scale of the Internet, what
> will actually help the Internet is if you take care of it on your own
> network.
> 
> You don't have to do any of these, or all of these. Just to wake up to the
> fact that killing C&C's will mostly not help anyone, and if anything, will
> do harm. Using them to deal with problematic users, even if only to block
> them from accessing that C&C is more to the point.
> 
> You can choose how to handle these issues, but if you want to stop harming
> the Internet, stop your users from participating, DDoSing,
> etc. while not harming your business (no one can handle that tech
> support load). Monitor the C&C's running on your network - contact law
> enforcement. These are compromises that will keep happening, you are aware
> of, and cause millions of dollars in damages.
> 
> "So, are we supposed to leave these compromised boxes up?"
> 
> My answer is this, if you fail to remove a spy, as another would just take
> his place, wouldn't you rather know where that spy is and work to take
> him down for good?
> 
> The answer to that is NO, as most of us won't and can't. That said, if you
> must kill the C&C, be aware, it is nothing more than sweeping the
> problem, locally on your network, as well as on your friends', under the
> rug.
> 
> Do you know who your local fed is? See if he can help, he most likely
> can't and if he could, without a much wider cooperation between everybody,
> he or she would be extremely limited by looking just at your C&C's. That
> said, I doubt you would want that fed's attention.
> 
> You can limit P2P traffic yet you won't limit scanning traffic? Outgoing
> email traffic from port 25 on dynamic hosts? Bandwidth to
> compromised users? Port 80, or any, traffic not through your proxy?
> 
> Consider what other tools are in your arsenal. My ideas may be completely
> wrong for you, yet that does not change the fact that killing the C&C will
> just mean you are kept in the dark.
> 
> Some large carriers do many of these already, run honey-nets, and what
> not. Do you?
> 
> I would like to hear some opinions on what networks can do, economically,
> from people here. Please stick to network operations issues.
> 
> 	Gadi.
> 
> This is being X-posted to NANOG.
> 
> 
> 
> ------------------------------
> 
> 
> End of Full-Disclosure Digest, Vol 18, Issue 24
> ***********************************************

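Tim Hecktor's point in message 2 above is that round-robin A records spread clients across several hosts but do not give redundancy: a client that happens to resolve to a dead address simply fails unless it tries the remaining addresses itself. The following is an added example, not code from the thread or from any of the posters. It parses the dig answer section quoted in the digest, follows the CNAME to the A records, and compares a one-shot client with one that falls back through the list; the outage (194.97.2.69 assumed down) is constructed and the connect function is injected so the example runs offline.

```python
"""Round-robin DNS: load distribution without failover.

Added example, not from the original thread. DIG_ANSWER is the answer
section quoted in the digest; the outage below is constructed.
"""

DIG_ANSWER = """\
ftp.freenet.de.         1457    IN      CNAME   ftp-0.freenet.de.
ftp-0.freenet.de.       600     IN      A       194.97.2.69
ftp-0.freenet.de.       600     IN      A       194.97.2.70
ftp-0.freenet.de.       600     IN      A       194.97.2.67
ftp-0.freenet.de.       600     IN      A       194.97.2.68
"""


def parse_answer(text):
    """Parse dig-style resource records into (owner, ttl, type, rdata)."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip comments, blanks and anything not a plain RR
        owner, ttl, _cls, rtype, rdata = parts
        rrs.append((owner, int(ttl), rtype, rdata))
    return rrs


def resolve_a(rrs, name):
    """Follow CNAMEs (guarding against loops) and return the A rdata in
    the order the server sent it, which is what a stub resolver hands back."""
    seen = set()
    while name not in seen:
        seen.add(name)
        cnames = [r[3] for r in rrs if r[0] == name and r[2] == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return [r[3] for r in rrs if r[0] == name and r[2] == "A"]


def rotate(addrs, n):
    """What a round-robin authoritative server does between answers:
    same address set, different order. The dead host stays in the set."""
    k = n % len(addrs)
    return addrs[k:] + addrs[:k]


def connect_first(addrs, try_connect):
    """Naive client: a single attempt to whichever address came first.
    With one of four hosts down, one client in four gets nothing."""
    return addrs[0] if try_connect(addrs[0]) else None


def connect_with_fallback(addrs, try_connect):
    """Client-side failover: walk the list until an address answers.
    This is the part DNS round robin does not do for you."""
    for addr in addrs:
        if try_connect(addr):
            return addr
    return None


if __name__ == "__main__":
    addrs = resolve_a(parse_answer(DIG_ANSWER), "ftp.freenet.de.")
    down = {"194.97.2.69"}  # constructed outage, not a real observation
    up = lambda a: a not in down
    print("naive client:", connect_first(addrs, up))
    print("with fallback:", connect_with_fallback(addrs, up))
```

The TTL column matters too: after the operator removes the dead host from the zone, resolvers keep handing out the old answer for up to the remaining TTL (600 s here), so even a fixed zone does not make the naive client whole immediately.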
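Gadi Evron's points 1, 2 and 4 in message 3 above come down to one operational task: find the customers in your own flow data who talk to known C&C endpoints, look at what else that population talks to that the rest of your customers do not, and apply rate limits, blocks or a walled garden to those hosts rather than knocking over the C&C. The following is an added example, not code from the digest or from the author. The flow records, the C&C indicator list, the dynamic-pool range and the thresholds are all constructed for illustration; in practice the indicators would come from your own honeynets, abuse desk or a sharing group.

```python
"""Flow-based identification and handling of bot-infected customers.

Added example, not from the original posts. The flow format is a toy,
NetFlow-like "src dst dport proto bytes"; all data below is constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample flows. 10.1.0.5 and .6 speak to an IRC C&C and to a
# second host nobody else contacts; .5 also pushes real volume out on tcp/25.
SAMPLE_FLOWS = """\
10.1.0.5 198.51.100.7 6667 tcp 1200
10.1.0.5 203.0.113.9 80 tcp 5400
10.1.0.5 203.0.113.77 8080 tcp 40000
10.1.0.5 192.0.2.20 25 tcp 98000
10.1.0.6 198.51.100.7 6667 tcp 900
10.1.0.6 203.0.113.9 80 tcp 2200
10.1.0.6 203.0.113.77 8080 tcp 41000
10.1.0.7 203.0.113.9 80 tcp 3100
10.1.0.7 203.0.113.10 443 tcp 8000
10.1.0.8 203.0.113.9 80 tcp 1800
10.1.0.8 203.0.113.10 443 tcp 6400
10.1.0.9 203.0.113.10 443 tcp 5000
10.1.0.9 192.0.2.20 25 tcp 500
"""

# Assumed indicators: known C&C endpoints as (ip, port).
CNC_ENDPOINTS = {("198.51.100.7", 6667)}
# Assumed dynamic customer pool; hosts here have no business speaking SMTP.
DYNAMIC_POOL = ipaddress.ip_network("10.1.0.0/24")


def parse_flows(text):
    """Parse the toy flow format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, dport, proto, nbytes = parts
        try:
            flows.append({"src": src, "dst": dst, "dport": int(dport),
                          "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def compromised_hosts(flows, cnc=CNC_ENDPOINTS):
    """Point 1/2: every internal source seen talking to a known C&C."""
    return {f["src"] for f in flows if (f["dst"], f["dport"]) in cnc}


def peculiar_destinations(flows, suspects, min_ratio=2.0):
    """Point 2, second half: destinations the suspect population contacts
    at least min_ratio times as often (per host) as the clean population.
    Returns {(dst, dport): ratio}; inf means no clean host touched it."""
    clean = {f["src"] for f in flows} - suspects
    if not suspects or not clean:
        return {}
    sus_hits, clean_hits, seen = Counter(), Counter(), set()
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if key in seen:  # count each (host, destination) pair once
            continue
        seen.add(key)
        counter = sus_hits if f["src"] in suspects else clean_hits
        counter[(f["dst"], f["dport"])] += 1
    out = {}
    for dest, n in sus_hits.items():
        sus_rate = n / len(suspects)
        clean_rate = clean_hits[dest] / len(clean)
        ratio = sus_rate / clean_rate if clean_rate else float("inf")
        if ratio >= min_ratio:
            out[dest] = ratio
    return out


def dynamic_smtp_senders(flows, pool=DYNAMIC_POOL, min_bytes=10_000):
    """Direct tcp/25 egress from the dynamic pool above a volume threshold
    (assumed); a single small connection is not enough to act on."""
    total = Counter()
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] == 25
                and ipaddress.ip_address(f["src"]) in pool):
            total[f["src"]] += f["bytes"]
    return {h for h, b in total.items() if b >= min_bytes}


def policy(flows):
    """Turn findings into per-host actions on your own network: drop the
    C&C flows, rate-limit the bot's other traffic, quarantine spam senders."""
    bots, spammers = compromised_hosts(flows), dynamic_smtp_senders(flows)
    actions = {}
    for host in sorted(bots | spammers):
        acts = ["block-cnc", "rate-limit"] if host in bots else []
        if host in spammers:
            acts.append("quarantine")
        actions[host] = acts
    return actions


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    bots = compromised_hosts(flows)
    print("bots:", sorted(bots))
    print("peculiar destinations:", peculiar_destinations(flows, bots))
    print("actions:", policy(flows))
```

The second-stage host 203.0.113.77:8080 is the payoff of watching rather than killing: it is not on any indicator list, yet it falls out of the comparison between the infected population and everyone else, which is exactly the visibility lost once the C&C is taken down and the bots move.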
