Web Honeynet Project IDs Attackers

← Back to Stories (view on slashdot.org)

Web Honeynet Project IDs Attackers

Posted by Zonk on Friday January 26, 2007 @09:33PM from the they-can-see-youuuu dept.

narramissic writes "The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, is putting a new twist on Web application honeynets by naming not only the attack details, but the IP addresses and other tracking information about the attackers as well. As security consultant Brent Huston notes, 'This approach is not unheard of, as lists of known high-volume attackers have been circulating through the Net for several years, but this is the first time someone has applied the honeynet concept to making attacker IP data publicly known.'"

70 comments

Min score:

Reason:

Sort:

Lawsuits? by beakerMeep · 2007-01-26 21:37 · Score: 3, Insightful

I wonder if it's just a matter of time before someone sues them for defamation. But still a good thing they are doing. the more pressure on spammers the better.

--
meep
1. Re:Lawsuits? by deft · 2007-01-26 21:45 · Score: 4, Informative
  
  I believe defamation is when you say somebody did something they -didn't- do. otherwise you're just stating a fact. (I could be wrong though.)
  
  For instance, I could say your post was legally incorrect; and if I'm right, then that is a fact, not defamation. If I said you're a big doo doo head for doing that.... defamation!
  
  (making it the first declaration of defecation description defamation ever).
  
  --
  
  There's nothing Intelligent about Intelligent Design.
2. Re:Lawsuits? by cheater512 · 2007-01-26 22:03 · Score: 1
  
  And since when has that stopped anyone? They'll try anyway.
3. Re:Lawsuits? by Anonymous Coward · 2007-01-26 22:07 · Score: 0
  
  The truth certainly didn't put a stop the McLibel case did it?
4. Re:Lawsuits? by beakerMeep · 2007-01-26 22:16 · Score: 5, Interesting
  
  I think you have it backwards
  as far as i know you can call me a big doo doo head all you want. but what you cant say is that my post is "killing babies in 3rd world contries" (who knew my post had that kind of power?). The point is though just because the lawsuits would be baseless if the spammer really -did- spam, that isnt something that has prevented someone from suing and pretending they arent a spammer to win damages and intimidate the anti-spam community.
  for more on defamation: http://en.wikipedia.org/wiki/Slander_and_libel
  Burden of proof on the defendant
  In most legal systems the courts give the benefit of the doubt to the defendant. In criminal law, he or she is presumed innocent until the prosecution can prove guilt beyond a reasonable doubt; whereas in civil law, he or she is presumed innocent until the plaintiff can show liability on a balance of probabilities. However, in defamation tort, this burden of proof is reversed: the defendant has the burden to prove the truth of the defamatory communication. The plaintiff only has the burden of proving that the publisher made the statement and that the statement was defamatory, the untruth of that statement is then presumed.
  
  # Opinion is a defense recognized in nearly every jurisdiction. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. The United States Supreme Court, in particular, has ruled that the First Amendment does not require recognition of an opinion privilege.
  
  --
  meep
5. Re:Lawsuits? by WrongSizeGlass · 2007-01-26 22:54 · Score: 3, Funny
  
  as far as i know you can call me a big doo doo head all you want. but what you cant say is that my post is "killing babies in 3rd world contries" I promise not to call you a 'big doo doo head' if you promise to restrain your posts in a fashion that prevents them from harming those poor babies in 3rd world countries, because let's face it, Madonna can't save them all.
  Won't somebody think of he children!
6. Re:Lawsuits? by Threni · 2007-01-27 00:50 · Score: 1
  
  Exactly. I know website owners who get angry but ignorant people complaining that the site owners are sending them spam (their details are being given as spoof return addresses). Now other innocent people will have their machines taken over and used in all manner of ways and someone will add their IP address to a list of `known spammers` or hackers or whatever. I guess that's easier than doing the job properly.
7. Re:Lawsuits? by discord5 · 2007-01-27 02:02 · Score: 3, Insightful
  
  But still a good thing they are doing
  
  *cough* PROXY *cough*
  
  Seriously, anyone doing something nasty on the net is using a proxy, either one from the lists, tor or another hacked machine. Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.
8. Re:Lawsuits? by Lord+Ender · 2007-01-27 03:03 · Score: 1
  
  Brent is aware of this. It is still useful to know which networks have security so lax that they are regularly used as hacking proxies.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
9. Re:Lawsuits? by cryptor3 · 2007-01-27 03:21 · Score: 1
  
  I feel like the grandparent's point is that truth is an ultimate defense for a charge of slander/libel. And I see that your point is that you have a right to state whatever opinion statements you want, and that spammers have won their suits even though they probably didn't deserve to. But no matter how shocking his statement about you is, if it is true, he has a right to say it. Yes he might go to court for it, if he can prove it, no one can fault him for doing making that statement.
  
  If your post really did kill a baby in a third world country, he could say it, because it was true. Sure you could charge him with defamation, but if the statement were true, and he can prove it, then he did not commit defamation.
10. Re:Lawsuits? by FLEB · 2007-01-27 05:24 · Score: 2, Insightful
  
  The number of proxies that intentionally allow attacks can be filtered. The proxies and zombies that don't can remedy the problem... or be filtered.
  
  --
  Information wants to be free.
  Entertainment wants to be paid.
  You just want to be cheap.
11. Re:Lawsuits? by HiThere · 2007-01-27 06:43 · Score: 1
  
  You're ignoring the costs.
  If you could prove that it was true, but can't afford the legal fees, you lose anyway.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
12. Re:Lawsuits? by Anonymous Coward · 2007-01-27 06:46 · Score: 0
  
  I believe defamation is when you say somebody did something they -didn't- do. otherwise you're just stating a fact.
  You're still defaming them, you just don't have to pay.
13. Re:Lawsuits? by deft · 2007-01-27 06:47 · Score: 1
  
  ah yes, because the doo doo head thing would be my opinion, the babies death would be a lie... and thats the defamation. im allowed to say you're an asshat in my opinion.... just not a murdering asshat.
  
  so not entirely backwards.
  
  --
  
  There's nothing Intelligent about Intelligent Design.
How to fix Windows' security issues by Anonymous Coward · 2007-01-26 21:51 · Score: 0, Offtopic

Place a PF firewall in front of your core routers (FreeBSD, NetBSD, OpenBSD) and add this:

block in drop quick on $ext_if proto {tcp, udp} from any to any os Windows

Glass
1. Re:How to fix Windows' security issues by Kream · 2007-01-26 21:59 · Score: 1, Offtopic
  
  For those running Linux, pf also runs on Gentoo :)
2. Re:How to fix Windows' security issues by Anonymous Coward · 2007-01-27 03:49 · Score: 0
  
  Huh? Maybe if you're running x86-freebsd... I don't see any ebuilds for Linux though.
  
  Have a link or something?
3. Re:How to fix Windows' security issues by ArcherB · 2007-01-27 04:48 · Score: 1
  
  Don't mod posts as offtopic when they are in response to another post. Mod the parent as offtopic!
  
  By the way, I hope they make an example out of a few of these punks. I would really like to see them let loose in a room full of the IT departments that they attacked.!
  
  --
  There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
4. Re:How to fix Windows' security issues by Anonymous Coward · 2007-01-27 06:27 · Score: 0
  
  Or you could just Stop Running Windows!
5. Re:How to fix Windows' security issues by Achromatic1978 · 2007-01-27 11:29 · Score: 1
  
  By the way, I hope they make an example out of a few of these punks. I would really like to see them let loose in a room full of the IT departments that they attacked.!
  
  Me too. I picture a bunch of dorks attacking someone with underarm odour, fetid breath, and if they really want to get hardcore on his ass, their Darth Maul lightsabers.
If this can happen... by houstonbofh · 2007-01-26 22:04 · Score: 4, Interesting

Think of this as a first step. Next more honeynets start making lists, and a new realtime blackhole routing list is born! Stop the botnets at the gates of the core. More bandwidth for everyone, and the people cut off will get the hint to fix/patch the damn PC!
1. Re:If this can happen... by hadhad69 · 2007-01-26 23:00 · Score: 1
  
  and the people cut off will get the hint to fix/patch the damn PC!
  
  Or Dells customer service hotline will start getting bombarded even more so than it is already!
  
  --
  If you can read this, it's already too late.
2. Re:If this can happen... by AlHark · 2007-01-26 23:03 · Score: 4, Interesting
  
  It definitely would make for a great block list for mail servers and security appliances. One simple thing email admins can do to stop BotNet traffic is to drop SMTP connections that do not have a reverse PTR DNS record, generally ISP's only assign reverse DNS to IP addresses that have services running on them (i.e.: email, web, ftp, etc.). Although I have seen quite a few IP's ordinating in Asia that have reverse DNS PTR. We drop traffic with no reverse dns and it stopped a huge number (about 85%) of dynamic IP's and end user IP connections without causing any problems for legitimate SMTP traffic. The flood became a trickle...
  
  --
  Allen Harkleroad - www.fivemilliondots.com
3. Re:If this can happen... by chaosite · 2007-01-26 23:04 · Score: 2, Insightful
  
  Well, its not "realtime". When do you remove a patched zombie machine? After a month? 2 weeks? This solution doesn't take into account the hordes of otherwise legitimate zombie machines. It won't stop attackers, IMO.
4. Re:If this can happen... by 140Mandak262Jamuna · 2007-01-26 23:54 · Score: 2, Insightful
  
  OK, someone had such poor security that his/her machine gets rooted. Why should it be anyone else's responsibility to mark it legitimate as soon as it has been fixed? Why should it be easy to re-legitimize machines/ip addresses that get compromised. Let them jump through the hoops. Let them suffer a little. May be it will serve as a lesson for others to take security seriously.
  Only when the consequences of allowing one's machines to be zombified is serious and high people will take security seriously.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
5. Re:If this can happen... by faloi · 2007-01-27 00:03 · Score: 2, Insightful
  
  Only when the consequences of allowing one's machines to be zombified is serious and high people will take security seriously.
  
  "I never could get that darn cable modem to work right after a while. So I swapped to DSL and it's fine again!"
  
  I think you're overestimating the people this is likely to catch. Most companies are likely to have reasonable security. Most knowledgeable home users are going to have reasonable security. It's the guy that has no idea what they're doing that's going to get in trouble. And I'm betting they're just as likely to swap service providers as they are to think something's wrong with their box. Unless you want to pay more for broadband so they can have the manpower necessary to keep up with blocked machines and make the end users aware...
  
  --
  "It is a miracle that curiosity survives formal education." -Albert Einstein
6. Re:If this can happen... by WaXHeLL · 2007-01-27 00:13 · Score: 1
  
  And you may also lose out on a significant portion of very small businesses and individuals who aren't willing to pay the "fees" that are associated with PTR DNS records.
  
  --
  The troll with karma.
7. Re:If this can happen... by PopeRatzo · 2007-01-27 00:14 · Score: 1
  
  And I'm betting they're just as likely to swap service providers as they are to think something's wrong with their box.
  How many times you think they're going to do that? How many ISPs are there in most places. They'll get the message. And if they don't... 'ef 'em.
  
  --
  You are welcome on my lawn.
8. Re:If this can happen... by AlHark · 2007-01-27 00:19 · Score: 1
  
  The whole point is to limit reverse DNS PTR records to only IP address (i.e.: servers, gateways, routers, etc.) that have legitimate services running like: email, DNS, email, WWW, FTP, SQL, etc. End users and small business do not need (read: should not have) reverse DNS records unless they are running in-house services such as those mentioned above.
  
  --
  Allen Harkleroad - www.fivemilliondots.com
9. Re:If this can happen... by Monoman · 2007-01-27 01:18 · Score: 3, Interesting
  
  A more effective method would be to redirect web clients to a page explaining they are being blocked/quarantined, why they are being blocked, and how they can become unblocked.
  
  I'm sure it would be next to impossible to get this system up but its one idea.
  
  --
  Keep the Classic Slashdot.
10. Re:If this can happen... by Anonymous Coward · 2007-01-27 01:20 · Score: 0
  
  Ya know, I really hate being the smartest MoFo on this planet. Seriously, I really do!
  
  "It's the guy that has no idea what they're doing that's going to get in trouble."
  
  It is EXACTLY these f***tards we WANT to KEEP OFF the internet, to keep them from plugging up our intartubes. Duh. Sheesh.
  
  So they switch providers and soon it happens to them again. Maybe they think it's a problem with their PC. That's where I come in, a PC technician. I fix their problem, explain to them what has happened, instruct them how to not let it happen again. I tailor my educating them in the lowest level they can understand (my business practice, my patience).
  
  Joe Intartube User=Satisfied, and smarter.
  Intartubes=One less clog.
  Me=Shooting fish in a... er... MegaProfit!
11. Re:If this can happen... by Short+Circuit · 2007-01-27 01:29 · Score: 1
  
  If you really want to only accept mail from a computer that has mail services running, why not send a SYN packet to port 25 of the sending IP, and see if you get a RST packet in response?
  
  You don't have to set up a full connection, and you can set a timeout for waiting for the reponding packet. (Though, if it were me, I'd probably have a cache table I'd check against first. If I receive 4000 emails from a server, I don't want to SYN flood the poor thing.)
  
  --
  tasks(723) drafts(105) languages(484) examples(29106)
12. Re:If this can happen... by cheater512 · 2007-01-27 01:53 · Score: 0, Troll
  
  Ooh! I've always wanted to blacklist AOL's IP space.
  
  Thanks to these new honey pots I don't even have to do anything. :D
13. Re:If this can happen... by AlHark · 2007-01-27 02:03 · Score: 1
  
  sending a syn packet to port 25 only verifies that a service is indeed running on that port, it won't tell you if it is a legitimate mail server or other SMTP service. While of course a reverse DNS record doesn't tell you either it does reduce the amount of SMTP connections from non legitimate sources. SPF records can help along with reverse DNS to weed out BotNet and Trojaned PC traffic as well as spammer operations as they rarely have reverse DNS records either, due to the fact that they move around so much trying to avoid blocking via RBL's and the like.
  
  --
  Allen Harkleroad - www.fivemilliondots.com
14. Re:If this can happen... by chaosite · 2007-01-27 04:20 · Score: 1
  
  Because the system is really ripe for abuse.
  
  All you had to do to get an IP banned, is show some honeypot logs. Maybe spoof some IPs. Too easy.
  Its the same problem really with todays spam black lists. Its really hard to get off one, because the second you get into one (even via a joejob) people assume you're guilty.
  
  Societal problem, meet technological solution, etc, etc...
15. Re:If this can happen... by Anonymous Coward · 2007-01-27 05:08 · Score: 1, Insightful
  
  So "legitimate" is defined as "paying for the reverse DNS record", not as "Someone intended to set up a mail server to use"?
16. Re:If this can happen... by Anonymous Coward · 2007-01-27 07:19 · Score: 0
  
  I thought the same. This kind of sysadmin that appeared after the 90's really fucked internet freedom with the help of their spammer colleagues. I doubt someone from the old school would think it's reasonable to stop people without much resources from hosting their own services.
17. Re:If this can happen... by 140Mandak262Jamuna · 2007-01-28 05:01 · Score: 1
  
  Well, there should be consequences for falsely implicating an innocent party. Yes, it would be very difficult for the innocent party to prove its innocence. But when it does, the accuser should lose credibility too. Heck, with the amount of traffic slashdot gets, (netcraft ransk slashdot traffic to be in the top 100 most visited sites) slashdot is able to be relatively spam free. Even wikipedia with its high ranking is able to get some kind of usable trust building system. A similar networks of trust can be built.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
18. Re:If this can happen... by dwayrynen · 2007-01-28 11:16 · Score: 1
  
  It used to be, though it's not so popular any more, that web servers defaulted to collecting in-addr.arpa names for the incoming browser requests. If the incoming ip didn't have something set up for it's reverse ptr record, the web server would stall out trying to obtain that information. This lead to increased load on the web server (and why it's not the default any more) and a really bad browsing experience for the web client.
  
  Any service provider that has users on ips without ptr records is doing a disservice to their users and to the net at large.
19. Re:If this can happen... by dwayrynen · 2007-01-28 11:21 · Score: 1
  
  Simplicita ZBX http://simplicita.com/ does something like that now, but it's for blocking your own users traffic prior to letting it out onto the Internet at large, not for redirect clients on the network the users are browsing.
20. Re:If this can happen... by AlHark · 2007-01-28 13:01 · Score: 1
  
  with SMTP, it depends on the mail server software and what you set it up to do, most modern mail software you can set options on incoming (SMTP) and outgoing (POP) mail. For instance we use Alt-N Mdaemon mail server software and it has several excellent options you can set on SMTP connection, one of which is to drop SMTP connections with no reverse record. Nearly all legitimate mail server (probably 99.9% of them) have reverse DNS PTR records, because without them mail would fail a good bit without a reverse look-up, as would other services like WWW services. I will have to give credit to most large ISP's, that they do not create reverse PTR for dynamic IP ranges like dial-up, DSL, etc., which is a good thing as most end users (read home users) do not have services running that require reverse DNS. Also creating reverse DNS for every single IP on a network would be an arduous job, so it is a good practice to only assign reverse for IP's that actually have services that rely on reverse DNS. I would consider a networks admin to think that only having reverse DNS setup for IP that had legitimate services to be a "Best Practice" and also a time saver for DNS administrators.
  
  --
  Allen Harkleroad - www.fivemilliondots.com
21. Re:If this can happen... by redcane · 2007-01-29 21:06 · Score: 1
  
  I have set up my own mail server so I can tune my mail filtering to my own liking, and not have to rely on whichever ISP I'm using at the moment (I'm happy to switch ISPs when I find a better deal). Of course I also save money by not paying for ISP spam filtering. I would have to pay extra to get a reverse DNS PTR, but my email server sends no spam. Unfortunately it sometimes gets blocked, bit of a hassle, but I just generally don't talk to those people or I don't give them my business. There's plenty of people out there who aren't interested in knocking the little guy out of the game.
22. Re:If this can happen... by AlHark · 2007-01-29 21:23 · Score: 1
  
  I have never heard of of an ISP charging to add a simple reverse DNS PTR record for an IP, it takes like 1/2 second to add one to a DNS record. If they have assigned you a static IP address you should be able to get the reverse record added for nothing as it is just a DNS update.
  
  --
  Allen Harkleroad - www.fivemilliondots.com
GNAA Welcomes Martha Home by Anonymous Coward · 2007-01-26 22:37 · Score: -1, Troll
GNAA Welcomes Martha Home
GNAA Welcomes Martha Home
(Bedford, CT. - DEVELOPING) Chief Eastern Seaboard GNAA Operative Gary Niger today wished a warm, gay welcome home to Martha Stewart, source of some of our favorite recipes!
Without Martha, the twice-yearly GNAA embroidering circle would be a shell of what it is today. Without Martha's timeless advice, the Gaynigger-seed poundcake we presented to timecop last week would have surely been missing essential plumpness and flavor.
The GNAA thanks Martha for all that she has given to us as gay niggers. When the final hour arrives and women are expunged from the planet, Martha may well be given the second chance the SEC so far has been unwilling to give.
About GNAA:
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?

If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America and the World! You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!
- First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE MOVIE and watch it. You can download the movie (~130mb) using BitTorrent.
- Second, you need to succeed in posting a GNAA First Post on slashdot.org, a popular "news for trolls" website.
- Third, you need to join the official GNAA irc channel #GNAA on irc.gnaa.us, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today! Upon submitting your application, you will be required to submit links to your successful First Post, and you will be tested on your knowledge of GAYNIGGERS FROM OUTER SPACE.

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is NiggerNET, and you can connect to irc.gnaa.us as our official server. Follow this link if you are using an irc client such as mIRC.

If you have mod points and would like to support GNAA, please moderate this post up.

.________________________________________________. | ______________________________________._a,____ | Press contact: | _______a_._______a_______aj#0s_____aWY!400.___ | Gary Niger | __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ | gary_niger@gnaa.us | _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ | GNAA Corporate Headquarters | _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ | 143 Rolloffle Avenue | ________"#,___*@`__-N#____`___-!^_____________ | Tarzana, California 91356 | _________#1__________?________________________ | | _________j1___________________________________ | All other inquiries: | ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ | Enid Al-Punjabi | ____!4yaa#l____________________________
Nuke 'em by Anne+Thwacks · 2007-01-26 22:39 · Score: -1, Offtopic

I say we nuke 'em from high obit. Its the only way to be sure!

--
Sent from my ASR33 using ASCII
1. Re:Nuke 'em by Anonymous Coward · 2007-01-26 23:14 · Score: -1, Offtopic
  
  Fuck'in'ay.
  
  But in all honesty, Vasquez, in this case I think rolling in a few canisters CN-20 nerve gas probably will do the job. Besides, think of the satisfaction to be had watching them twitch and foam.
2. Re:Nuke 'em by Anonymous Coward · 2007-01-27 00:52 · Score: 0
  
  I see we have some rather humour-deficient mods in the house tonight.
Yeah but where? by jginspace · 2007-01-27 00:49 · Score: 1

I looked for the data mentioned in the summary and all I could find was this from the Securiteam blog (posted Jan 12). Is that it? Interestingly it says the name of the project has been changed from "Web Honeynet Project" to "Web Honeynet Task Force".
This may just exacerbate the botnet issue. by Short+Circuit · 2007-01-27 01:21 · Score: 1

This may just exacerbate the botnet issue. Think about it; if most attacks are relayed through bots, and bots are vulnerable Windows machines, then this kind of effort is only publicizing lists of IPs where vulnerable Windows machines reside.

That sounds like a dream-come-true for attackers.

--
tasks(723) drafts(105) languages(484) examples(29106)
1. Re:This may just exacerbate the botnet issue. by CdBee · 2007-01-27 01:31 · Score: 3, Interesting
  
  Some attackers are more direct, though
  
  Recently I, through curiosity, had a look at the website of the North Korean government while using a PC that had a software firewall but wasn't behind a NAT router. Literally seconds later the machine reported sustained attacks using several vectors, all originating from a range of 4 IPs located in Seoul, S.Korea.
  
  I wonder if the democratic peoples's republic (hah!) of North Korea knows its web server is apparently being monitored...
  
  --
  I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
2. Re:This may just exacerbate the botnet issue. by Aladrin · 2007-01-27 01:33 · Score: 1
  
  That's just the first layer, though. Once about 20 attackers hit the same machine, the person is going to notice that their 'intarwebs are teh slow' and either get a friend to 'fix' it (probably with an OS reinstall) or take it to a shop, where the same thing is likely to happen if they are that infected. If they take it to the shop, they're likely to get the protection they need, and if their friend has to fix it 3 weeks in a row, they're likely to take it to a shop when he screams at them.
  
  Things usually get worse before they get better, and this seems to be no exception.
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
3. Re:This may just exacerbate the botnet issue. by Short+Circuit · 2007-01-27 01:55 · Score: 2, Insightful
  
  I run a free pc clinic, and I've seen people wait up to a year before getting their computer fixed. Usually, though, it's more like three or four months, and that's only if the computer is unusably slow.
  
  While handing out fliers on Wednesday, I encountered people who were certain their computers had viruses, but hadn't planned to do anything about it.
  
  The followup you're describing sounds like the ???? stage in the standard three-step business plan.
  
  --
  tasks(723) drafts(105) languages(484) examples(29106)
4. Re:This may just exacerbate the botnet issue. by Aladrin · 2007-01-27 02:25 · Score: 1
  
  Some people will always be idiots. You can't stop that. The rest of the world can be helped.
  
  As for the 'usually three or four months' ... Perhaps that's just the subset of the population that you've seen. When providing things (or services) for free, you get different people than when you charge. They typically tend to be the people who aren't willing to pay. Those who -are- willing to pay will generally look up a computer shop in the phone book and use that, instead of looking for a free service.
  
  It may have taken your 'customers' (can't think of a better word) 3-4 months to find you and their budget wouldn't allow them to fix a toy.
  
  I used to work at a computer shop, but haven't for about a year and a half now, so things have changed a bit I'm sure. But even then, if someone's computer was getting slow, they generally said it had been slow for a while, but finally got bad enough to do something about it in the last month or so. Anyone that had waited 3 months generally turned their computer on only when they absolutely needed it.
  
  As they say, 'the plural of anecdote isn't data', and we've clearly had very different experiences. I still think that botnets overloading a computer will make it be repaired faster and ultimately hurt botnets.
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
ID's the *attacker* by nurb432 · 2007-01-27 01:30 · Score: 1

Unlikely. Its more like they ID the comprised machine the attacker is using.

Bad idea.

--
---- Booth was a patriot ----
1. Re:ID's the *attacker* by eli+pabst · 2007-01-27 03:39 · Score: 1
  
  Agreed. This doesn't sound like a really well thought out plan. It's pretty doubtful that anyone doing large scale scanning is doing it directly from their home machine, but rather relay it through hosts on the bot net. So it's likely that they are really going to be accusing grandma and grandpa of cracking because they didn't patch their windows98 machine. I could see if they are trying to do something useful like dshield and informing people that their systems are cracked, but that doesn't sound like it here.
Yes ... and no. by khasim · 2007-01-27 02:56 · Score: 2, Informative

Publishing these IP addresses is complete rubbish. It'll point to some machine on the net along a chain of connections.
If the crackers know what they're doing, the logs on the proxy are going straight to /dev/nul so they don't ever leave a trace on the hard drive.

BUT there is a chance that the local law enforcement can put a sniffer on that connection at the ISP level and track the connection that way.

The major problems with that is ...
#1. Coordinating law enforcement efforts in various countries

#2. Educating the enforcement agencies in those countries

#3. Finally busting the cracker ... and charging him with what? The laws vary depending upon his country.

Even if all of that was accomplished, there would be another zombie master along in a few days to take over the vulnerable machines that are left behind.
quote is wrong by SaberTaylor · 2007-01-27 03:07 · Score: 1

http://www.dshield.org/ collaboratively collected ip addresses that were showing up in log files. At first you could search broadly but probably due to the various worms with backdoors such as CodeRed, they switched it to just looking up 1 ip address at a time.

--
If you need text styles to communicate then you don't have a message.
Project Honeypot by erica_ann · 2007-01-27 03:57 · Score: 1

I signed up at http://www.projecthoneypot.org/ for a similar type of aservice last year. This one is a distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

This one shows Harvester Visits to Your Site(s), email Addresses Issued on Your Site(s), Spam Received at Your Addresses, and global statistics. They also show an ip list from harversters and track it.
Re:Good thing. by Technician · 2007-01-27 06:12 · Score: 1

Think about it; if most attacks are relayed through bots, and bots are vulnerable Windows machines, then this kind of effort is only publicizing lists of IPs where vulnerable Windows machines reside.

Not a problem. When 50 or so botnet herders all try to use the same pasture, the overgrazing will kill it off. Problem of zombies is solved as they melt down.

--
The truth shall set you free!
how effective? by bcrowell · 2007-01-27 06:22 · Score: 1

I wonder how effective this can really be. I get a lot of traffic on my server from clients that may be attempting to DOS me, or may just be running poorly behaved webscraper scripts, e.g., scripts looking for blogs and wikis they can spam, which end up requesting the same large URL three times in one second. So far I've been able to keep them from giving me a lot of downtime, through a combination of mod_evasive and some homebrewed scripting. When I do a reverse DNS on them, they typically look like they're just DHCP-assigned IP's from U.S. or overseas ISP's. Most likely many of these are zombie machines that are part of a botnet. I don't see how maintaining a blacklist of IP's is going to help, since they'll just be doing it from a different IP tomorrow.

--
Find free books.
1. Re:how effective? by loki_tiwaz · 2007-01-27 14:02 · Score: 0
  
  perhaps if the lists had a decay time so any given ip address is not on the list in 24 hours unless it is found to be a source of zombie activity. if this was integrated into a security defense system on webservers or whatever, when a listed ip attempts to send packets instead of passing it on, the data is dumped, sends back to the sender a message saying 'your computer is infected by a spam trojan, and will be blocked for another 10 hours if it continues to relay spam' and then dumbass user with zombie box scratches his head and gets annoyed and summons his/her nearest nerd and gets them to explain why they can't go to their favourite site anymore, and maybe even gets the nasty trojan removed. if they do it immediately, the net outcome is the next day they are cleared from the blacklist.
  
  spam is such a major problem now that an aggressive security stance is the only way it is going to be remedied. everyone knows about it, just not everyone knows how it happens. scary looking web pages telling users their computer appears to be a spambot would make people start to learn that all that lovely viagra advertising is coming from THEIR OWN COMPUTERS ultimately.
  
  it will take a massive and cohesive action by operators of major websites (especially ones which have discussions and email addresses - in other words virtually all websites nowadays apart from web stores) but if it were done spam would be virtually stamped out.
2. Re:how effective? by houstonbofh · 2007-01-27 18:32 · Score: 1
  
  Well, as a given ISP finds more and more of his IP addresses unable to get into more and more of the net, they may decide to start filtering the zombies at there gateway. Make them deal with there own spew... It worked for spam hosting domains. (But this was before spammers moved to bots nets. Actually it was WHY spammers moved to bot nets.)
Ok. I give up. Where's the list? by mnemotronic · 2007-01-27 07:49 · Score: 1

I must be in the brainless zone today. I cannot find this highly publicized and promoted list of IP numbers. We got articles, we got links, but IP numbers? Ogg not find. Ogg feeling stupid. Embarrass family. Ogg need know if his IP number on list, even though he regularly change router's WAN ethernet number, get new IP from glomcast. Ogg spend much time nmapping spammers. Running nessus. Ogg probably on someone's list as troublemaker. Ogg not care. Tired of UEC not from wild boar.

--
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Slight copy of another existing project by mrkitty · 2007-01-27 08:28 · Score: 2, Informative

http://www.webappsec.org/projects/

This project is already gathering data and will be publishing the results shortly.

--
Believe me, if I started murdering people, there would be none of you left.
Know-nothing user, but I like this idea! by quixote9 · 2007-01-27 09:47 · Score: 1

I'm one of those people who could be hosting a bot and not even know it. (Just for the record, I try to make sure I don't, but I have no guarantees of success.) I'd really LIKE a system that turned off the traffic WITH A WARNING MESSAGE ABOUT WHY. I could understand if they didn't tell me how to fix it, since that would presumably differ on different systems. It would be a relief to know that in spite of my ignorance, I didn't have to worry about being part of the problem.
Legal Defamation Info from EFF by chameleon_skin · 2007-01-27 11:26 · Score: 1

I've often wondered *exactly* what is required to prove defamation, so I did some digging.
This is from the EFF, giving good guidelines on what constitutes defamation.
Note that what makes this really tricky for the online world is that in most cases defamation is a state matter, not a Federal one, making jurisdiction a tough issue. Different states have different qualifications for defamation, one of the most relevant being whether or not the defendant knowingly made false statements about the plaintiff.
As an example, note the qualifications for defamation in Minnesota
Re:Good thing. by Short+Circuit · 2007-01-27 12:13 · Score: 1

I'll believe it when I see it.

More likely, botnet software will start incorporating anti-malware functionality targetting competing bots.

--
tasks(723) drafts(105) languages(484) examples(29106)
My list by id · 2007-01-27 14:50 · Score: 1

Every time someone spams/annoys/generally pisses me off I add them to a block list

http://fu.ckers.org/fuckers.txt
Legality of honeypots by harshmanrob · 2007-01-28 02:05 · Score: 1

I work at a pretty large multi-national and I have talked with the lawyers about honeypots from time to time and basically they are divided amongst themselves of if the honeypots are even legal to begin with. One of them is convinced that a honeypot is entrapment.
Already being done by Salty+Pirate · 2007-01-28 07:41 · Score: 1

These guys are already doing this via web honeypot and pushing in real time the IP list to our firewall. http://www.autoshun.org/ It updates on the fly depending on the threat. Makes me sleep better at night.