Home page logo
/

nanog logo nanog mailing list archives

Re: Sobig.f surprise attack today
From: Mike Tancsa <mike () sentex net>
Date: Thu, 28 Aug 2003 16:12:11 -0400


At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote:
> Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS
> blacklist
> based on such connections to a honeypot.  Any system which made the correct
> request could then have it's address published via BGP or DNS for ISPs and
> the like to do as they wish.

an infected host dnsrbl doesnt sound like a bad idea...

I dont think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through quite a few dynamic IP addresses along the way.

---Mike

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]