Home page logo

nanog logo nanog mailing list archives

Re: Reporting botnets?
From: Martin Hannigan <hannigan () world std com>
Date: Tue, 10 Jan 2006 17:25:54 -0500 (EST)

Please advise, where to can I report botnet control activities?
I'm from overseas and interested if there are some law enforcement
organizations in US who may handle these issues?

I assume it is illegal business in US, and I have enough evidence
how botnet control sites command our trojaned customer PC's to send
spam and activate DDoS attacks.

I think your best bet is to report it first to your local authorities
and then report it to the ISP that the C&C is sitting on. There are
techniques that have been established over time and a few things
you can do to mitigate, at least temporarily, (1) identify it and any 
others (2) make sure that taking action won't cause collateral damage
or important stuff runs on it and blackhole it, (3) contact the dns
provider and ask them to (a) lock out the user, (b) extend the TTl 
to the max that their software allows, (c) change the C&C resolution
to 127.0.03. That will at least do some level of mitigation and allow
you to clean up the mess while you figure out how you want to pursue

I'm sure you'll also hear from some people on this list who can assist.

Botnets are a dime a dozen. It's good to kill the C&C's and it's
good to report them to LEA's, but from there, all bets are off. 

I believe any action would depend on exactly what they were doing
with them. For example, if it's a bunch of skiddies fighting over
who controls an iRC channel and they are DDOS'ing each other, well,
that may not get much attention.

Hope that helps.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]