[nsp-sec] Possible 700k+ node botnet

Stephen Gill gillsr at cymru.com
Thu Oct 2 11:48:54 EDT 2008


Hi Dave,

> Can we bump the upload limit on the nsp-sec upload portion of the cymru
> site? I can't even upload the list there.

Are you referring to https://asn.cymru.com/nsp-sec/ ?

It takes a file of just IPs, no ASN formatting necessary.  This is the
format one would use to send to whois.cymru.com manually.

# cat asn-2008-09-30.txt | awk -F \| '{print $2}' | sort | uniq | wc -l
  551575

Looks like the file has 200K of IP dups.  Taking the IPs out of the file,
uniquing them and uploading them to the web page should do the trick.

# cat asn-2008-09-30.txt | awk -F \| '{print $2}' | sort | uniq > /tmp/asn.txt

# du -h /tmp/asn.txt
10.0M   /tmp/asn.txt

The upload limit has been raised to 15MB which should do the trick. FYI
timestamps are ideal and they are supported as a second field in the data
after the IP.  Be warned, this takes a bit to process once the file is
uploaded.

Actually, it might be too big of a file for it to process in a reasonable
length of time.  Your mileage may vary as to how large of a file to upload
and how long it takes to get a fully formatted response...

For really large datasets such as this one, generally I recommend splitting
the IPs up after processing into individual text files, one per ASN so that
each person doesn't have to download the full list for their ASNs.  This is
a feature not yet added to the GUI.

-- steve

> 
> Error! 413 Request entity too large. 5MB maximum
> 
> In the interim, I've put the ASN lookup on Danny's server.
> 
> http://www.tcb.net/asn-2008-09-30.txt.gz
> 
> -dave
> 
> 
> On Wed, Oct 01, 2008 at 04:10:35PM -0500, Rob Thomas wrote:
>> ----------- nsp-security Confidential --------
>> 
>> Possibly related:
>> 
>> <http://www.anchiva.com/virus/view.asp?vname=Worm/Sohanad.AACA@im>
>> <http://www.threatexpert.com/report.aspx?uid=b68593a2-5121-4391-b714-547659808785>
>> 
>> 
>> -- 
>> Rob Thomas
>> Team Cymru
>> http://www.team-cymru.org/
>> cmn_err(CEO_PANIC, "Out of coffee!");
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
> 
> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
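
The per-ASN split recommended above, as an added example that is not part of the original message or Team Cymru's tooling. It assumes the lookup file is pipe-delimited with the ASN in field 1 and the IP in field 2 (the message only confirms the IP position); the function name and sample data are constructed.

```shell
#!/bin/sh
# split_by_asn SRC DSTDIR  (hypothetical helper name)
# SRC: lines like "ASN | IP | ...". Writes DSTDIR/AS<asn>.txt with one
# unique IP per line, so each operator downloads only their own ASN's list.
split_by_asn() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 1
    awk -F'|' '
        { asn = $1; ip = $2
          gsub(/[ \t\r]/, "", asn); gsub(/[ \t\r]/, "", ip) }
        # Only purely numeric ASNs become file names. This drops the header
        # row and "NA" entries, and keeps a malformed field such as "../x"
        # from being used as a path outside DSTDIR.
        asn ~ /^[0-9]+$/ && ip != "" { print asn "|" ip }
    ' "$src" | LC_ALL=C sort -u |
    awk -F'|' -v dir="$dst" '
        # Sorted input is grouped by ASN, so only one output file is open
        # at a time; this avoids the open-file limit on lists with
        # thousands of ASNs.
        $1 != cur { if (f != "") close(f); cur = $1; f = dir "/AS" cur ".txt" }
        { print $2 > f }
    '
}

# Constructed sample using documentation ASNs and addresses, not thread data.
tmp=$(mktemp -d)
cat > "$tmp/in.txt" <<'EOF'
AS      | IP               | AS Name
64496   | 192.0.2.1        | EXAMPLE-A
64497   | 198.51.100.7     | EXAMPLE-B
64496   | 192.0.2.1        | EXAMPLE-A
64496   | 192.0.2.2        | EXAMPLE-A
NA      | 203.0.113.5      | NA
../x    | 203.0.113.6      | BAD
EOF
split_by_asn "$tmp/in.txt" "$tmp/out" && wc -l "$tmp"/out/*.txt
```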




