Date: Mon, 14 Aug 2006 09:20:49 +0200
From: "mailing lists" <bofn@....org>
To: full-disclosure@...ts.grok.org.uk
Subject: unsubscribe

unsubscribe

On Sun, 13 Aug 2006 12:00:10 +0100 (BST) full-disclosure-request@...ts.grok.org.uk wrote

> Send Full-Disclosure mailing list submissions to
> 	full-disclosure@...ts.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> 	full-disclosure-request@...ts.grok.org.uk
>
> You can reach the person managing the list at
> 	full-disclosure-owner@...ts.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your post
> appropriately. Thank you.
>
>
> Today's Topics:
>
>    1. Re: Getting rid of Gadi Evron and Dude VanWinkle (Aaron Gray)
>    2. Re: Server Redundancy (wac)
>    3. what can be done with botnet C&C's? (fwd) (Gadi Evron)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 13 Aug 2006 01:25:18 +0100
> From: Aaron Gray <angray@...b.net>
> Subject: Re: [Full-disclosure] Getting rid of Gadi Evron and Dude
> 	VanWinkle
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <44DE716E.8020600@...b.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> l4m3r
>
> vodka hooch wrote:
> > hi
> >
> > for months now we've had to put up
> >
> > now it's time to shut up
> >
> > how do i set up my gmail?
> >
> > i know this is an unmoderated list but i'm pulling my hair out to sift
> > through the real email
> >
> > please don't turn full dis into symantec trolltraq, hlp me! :)
> >
> > -gs
> >
> >
> > ------------------------------------------------------------------------
> > Yahoo! Messenger with Voice. Make PC-to-Phone Calls
> > <http://us.rd.yahoo.com/mail_us/taglines/postman1/*http://us.rd.yahoo.com/evt=39663/*http://voice.yahoo.com>
> > to the US (and 30+ countries) for 2¢/min or less.
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > ------------------------------------------------------------------------
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.405 / Virus Database: 268.10.9/417 - Release Date: 11/08/2006
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 12 Aug 2006 22:39:16 -0400
> From: wac <waldoalvarez00@...il.com>
> Subject: Re: [Full-disclosure] Server Redundancy
> To: "Tim Hecktor" <th@...ainbox.de>
> Cc: full-disclosure@...ts.grok.org.uk
> Message-ID:
> 	<be950f350608121939k48bcaf2ex7d3de004b36bc643@...l.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi:
>
> Thanks, I'll check ipvs.
>
> Regards
> Waldo
>
> On 8/10/06, Tim Hecktor <th@...ainbox.de> wrote:
> >
> > Hello,
> >
> > <Isn't there a way to map a name to several IPs?
> > <Or use aliases?
> >
> > Maybe this is what you are looking for:
> >
> > pandora:~# dig ftp.freenet.de
> >
> > ; <<>> DiG 9.2.1 <<>> ftp.freenet.de
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59136
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3
> >
> > ;; QUESTION SECTION:
> > ;ftp.freenet.de.                IN      A
> >
> > ;; ANSWER SECTION:
> > ftp.freenet.de.         1457    IN      CNAME   ftp-0.freenet.de.
> > ftp-0.freenet.de.       600     IN      A       194.97.2.69
> > ftp-0.freenet.de.       600     IN      A       194.97.2.70
> > ftp-0.freenet.de.       600     IN      A       194.97.2.67
> > ftp-0.freenet.de.       600     IN      A       194.97.2.68
> >
> > This will map a name to more than one IP and will give you load-balancing
> > this way, but not real redundancy.
> > To map a service to different hosts redundantly you can use a box running
> > ipvs. This box can be made redundant with an identical box using mon and
> > heartbeat to do IP failover.
> >
> > Best regards,
> >
> > Tim Hecktor
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060812/3579b5dd/attachment-0001.html
>
> ------------------------------
>
> Message: 3
> Date: Sun, 13 Aug 2006 01:43:35 -0500 (CDT)
> From: Gadi Evron <ge@...uxbox.org>
> Subject: [Full-disclosure] what can be done with botnet C&C's? (fwd)
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <Pine.LNX.4.21.0608130142220.11492-100000@...uxbox.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hi guys, here is a forward of my follow-up to the previous message.
>
> 	Gadi.
>
> ---------- Forwarded message ----------
> Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
> From: Gadi Evron <ge@...uxbox.org>
> To: botnets@...testar.linuxbox.org
> Subject: what can be done with botnet C&C's?
>
> In my last email message I addressed some of the issues related to botnet
> C&C's and their mitigation. As mentioned, I waited to see what other
> experiences told other people, as well as glimpse the opinion of others here.
>
> In this message I will try and address some of the questions asked, but
> once again limiting myself mostly to JUST networking rather than the whole
> realm of botnet fighting.
>
> "I work on this [C&C] for 30 days, only to find out one of you took it
> down." -- US Federal Agent, two days ago, ISOI (DA Workshop).
>
> And still, sticking to networking issues, as obviously we cannot yet
> depend on law enforcement to protect our networks for us, how do we handle
> C&C's?
>
> When we kill them (and by "kill" I naturally mean "report our suspicion
> to the responsible authority so they can investigate, confirm and proceed
> according to their AUP") we kill them, but only to our knowledge. They
> immediately move elsewhere we do not know about in our space or someone
> else's, maybe misplacing an extremely smallish percentage of their
> population while they are at it.
>
> Okay, say I am right... What *can* we do?
>
> We can take advantage:
>
> 1. QoS and traffic limiting tools.
> Many tools created in recent years, and used extensively by many ISP's,
> regardless of any Net Neutrality legislation, are at our disposal and
> already implemented on our networks.
>
> Much like, for business reasons, many of us would limit P2P, how about
> limiting the traffic to compromised users?
>
> How, what and when is up to you.
>
> You can know who your compromised users are by watching flows to C&C's.
>
> 2. Blocking communication to C&C's.
>
> Watch the flows, block the users from communicating out to them. Watch
> these users and see where else they are communicating in comparison to
> other users, en masse.
>
> It's a matter of doing the same thing, for a different purpose.
>
> 3. Walled garden and tech support costs.
>
> Obviously, if any of these users call you (and they VERY OFTEN do), you
> lose money on them for a long time to come... only they will call again.
>
> A combination of quarantine, complete or partial, might work.
>
> Combine that with what some already do, such as sell users Anti Virus
> products, and you get a nice deal. Add to that a support company to lend
> help to users, unrelated to tech support, by subscription, and you may
> just have more business avenues to explore.
>
> 4. Stop internal network infections. It is unbelievable how the networks
> with the most bots are the networks that allow internal users to connect
> wherever they want within the network.
>
> All these come to show that although responsiveness to C&C's is important
> (rather than shutting them down), on the scale of the Internet, what
> will actually help the Internet is if you take care of it on your own
> network.
>
> You don't have to do any of these, or all of these. Just to wake up to the
> fact that killing C&C's will mostly not help anyone, and if anything, will
> do harm. Using them to deal with problematic users, even if only to block
> them from accessing that C&C, is more to the point.
>
> You can choose how to handle these issues, but if you want to stop harming
> the Internet, stop your users from participating, DDoSing,
> etc. while not harming your business (no one can handle that tech
> support load). Monitor the C&C's running on your network - contact law
> enforcement. These are compromises that will keep happening, you are aware
> of, and cause millions of dollars in damages.
>
> "So, are we supposed to leave these compromised boxes up?"
>
> My answer is this, if you fail to remove a spy, as another would just take
> his place, wouldn't you rather know where that spy is and work to take
> him down for good?
>
> The answer to that is NO, as most of us won't and can't. That said, if you
> must kill the C&C, be aware, it is nothing more than sweeping the
> problem, locally on your network, as well as on your friends', under the
> rug.
>
> Do you know who your local fed is? See if he can help, he most likely
> can't and if he could, without a much wider cooperation between everybody,
> he or she would be extremely limited by looking just at your C&C's. That
> said, I doubt you would want that fed's attention.
>
> You can limit P2P traffic yet you won't limit scanning traffic? Outgoing
> email traffic from port 25 on dynamic hosts? Bandwidth to
> compromised users? Port 80, or any, traffic not through your proxy?
>
> Consider what other tools are in your arsenal. My ideas may be completely
> wrong for you, yet that does not change the fact that killing the C&C will
> just mean you are kept in the dark.
>
> Some large carriers do many of these already, run honey-nets, and what
> not. Do you?
>
> I would like to hear some opinions on what networks can do, economically,
> from people here. Please stick to network operations issues.
>
> 	Gadi.
>
> This is being X-posted to NANOG.
>
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 18, Issue 24
> ***********************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
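Points 1 and 2 of the forwarded message (know your compromised users by watching flows to C&C's, block them from reaching the C&C, then look at where else those hosts talk compared to everyone else) are the concrete network-operations technique in this digest. The following is an added worked example, not code from the post, the list or any of the posters: it runs that logic over a constructed flow export. The internal prefixes, the C&C indicator list and the flow records are all made up (documentation-range addresses), and the emitted iptables rules are a hypothetical per-user policy for an access router, not anything the post prescribes. A real deployment would feed it NetFlow/sFlow exports and a vetted indicator feed.

```python
"""Flow-based spotting of compromised users via their C&C traffic.

Constructed sample data throughout: the C&C list, the internal ranges and
the flow records are illustrative (documentation-range addresses), not data
from the post or any real network.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed address plan: which prefixes are "our users".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed C&C indicator list as (ip, port) pairs, e.g. from a vetted feed
# or your own investigation. Constructed values.
KNOWN_CNC = {
    ("203.0.113.7", 6667),    # IRC-style C&C
    ("198.51.100.23", 80),    # HTTP C&C
}

# Constructed flow export, one record per line:
# timestamp src sport dst dport proto packets bytes
SAMPLE_FLOWS = """\
2006-08-12T13:01:02 10.1.2.3    51234 203.0.113.7    6667 tcp 42 3100
2006-08-12T13:01:05 10.1.2.3    51240 198.51.100.5   80   tcp 12 900
2006-08-12T13:02:11 10.1.9.8    44010 198.51.100.23  80   tcp 7  510
2006-08-12T13:02:40 10.1.9.8    44012 203.0.113.99   8080 tcp 5  300
2006-08-12T13:03:00 10.1.2.3    51260 203.0.113.7    6667 tcp 9  640
2006-08-12T13:03:20 10.1.2.3    51262 203.0.113.99   8080 tcp 6  350
2006-08-12T13:04:30 192.168.5.6 40000 198.51.100.5   80   tcp 20 4000
2006-08-12T13:05:10 10.1.9.8    44011 198.51.100.23  80   tcp 3  200
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow export into dicts."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip blank or malformed records
        ts, src, sport, dst, dport, proto, pkts, nbytes = fields
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def find_compromised(flows, indicators):
    """Internal hosts that talked to a known C&C, with a hit count per C&C."""
    hits = defaultdict(Counter)
    for f in flows:
        key = (f["dst"], f["dport"])
        if key in indicators and is_internal(f["src"]):
            hits[f["src"]][key] += 1
    return {host: dict(c) for host, c in hits.items()}


def suspicious_peers(flows, compromised, indicators, min_hosts=2):
    """Destinations contacted only by compromised hosts, and by at least
    min_hosts of them: candidates for C&C's not yet on the list (the
    'see where else they are communicating, in comparison to other
    users' step)."""
    talkers = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]):
            talkers[(f["dst"], f["dport"])].add(f["src"])
    comp = set(compromised)
    return sorted(dst for dst, srcs in talkers.items()
                  if dst not in indicators and len(srcs) >= min_hosts
                  and srcs <= comp)


def block_rules(compromised):
    """Per-user rules that cut the C&C channel without cutting the user off.
    Hypothetical iptables policy on the access router (TCP assumed);
    adapt to your own gear."""
    rules = []
    for host in sorted(compromised):
        for dst, port in sorted(compromised[host]):
            rules.append(f"iptables -A FORWARD -s {host} -d {dst} "
                         f"-p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    compromised = find_compromised(flows, KNOWN_CNC)
    for host, cncs in sorted(compromised.items()):
        print(f"{host}: {cncs}")
    print("candidate C&C's:", suspicious_peers(flows, compromised, KNOWN_CNC))
    print("\n".join(block_rules(compromised)))
```

On the sample data the two 10.x hosts are flagged from their flows to the listed C&C's, 203.0.113.99:8080 surfaces as a destination that only those two hosts talk to (198.51.100.5:80 does not, because a clean host also uses it), and the rules only drop the specific C&C channel per user, which is the "block them from accessing that C&C" option rather than a full quarantine.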