[nsp-sec] IMPORTANT: DDoS-RS Reminders

Tim Wilde twilde at cymru.com
Sun Dec 12 15:43:02 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good afternoon teams,

It has been brought to our attention today that some Finnish news/blog
postings have referenced Team Cymru as the source of blocking of some of
the "Anonymous Operators" IRC servers, and, at one point, the anonops.eu
web host.  We felt this would be a good opportunity to remind all
NSP-SEC members about the DDoS-RS, its listing policies, and the
confidentiality surrounding it.

To avoid "TL;DR" syndrome, let me lead with the most important thing to
keep in mind: the information on the DDoS-RS, as well as its existence
and Team Cymru as the provider of it, is to be held strictly
confidential, and treated under NSP-SEC or stricter confidentiality
rules.  The DDoS-RS MUST NOT be discussed publicly or disclosed to
customers.  If you have concerned customers and need guidance as to how
to discuss the DDoS-RS listing with them in more generalized terms, or
need more information about the DDoS-RS listing, you are more than
welcome to contact Team Cymru yourself, but DO NOT CC the customer on
the communication or send them our information; you MUST act as the
middleman and remove any Team Cymru references from communications.

The DDoS-RS, or DDoS Route Server, is a service made available by Team
Cymru to NSP-SEC members as a BGP feed and as a text feed.  The DDoS-RS
lists known IRC botnet command & control (C&C) hosts, and is fully
human-vetted (entries are never added to the list without a human seeing
and confirming them first).  The text feed provides a large amount of
information about these hosts, including what we call the "services
bit", a flag indicating whether or not non-IRC services are known to
exist on a host.  These are usually web services.  The BGP feed, of
course, cannot provide all of this information; it is simply a list of
/32s provided via eBGP.  It is important to note, though, that any hosts
with the services bit set (i.e., hosts with non-IRC services on them) are
NOT advertised via the BGP feed - consumers of the DDoS-RS will have to
use the text feed if they wish to take action on hosts with the services
bit set, as we feel the more conservative policy is best on the BGP feed.

You can read all of the details about the DDoS-RS in the NSP-SEC section
of our site, accessible with your NSP-SEC mailing list username and
password, here:

	https://www.cymru.com/nsp-sec/DDoS-RS/

As I mentioned above, and as mentioned on the DDoS-RS page, this
information must be kept strictly confidential, for a variety of
reasons.  Any violation of this confidentiality will be treated as a
violation of NSP-SEC confidentiality rules and may be reported to the
NSP-SEC moderation team and/or membership for their information and
possible action.

At this time we are not 100% certain where the most recent breach of
DDoS-RS confidentiality originated.  If anyone would like to step
forward privately as the organization that may have leaked the data, we
would welcome and appreciate that.  We will be performing our own
investigations to attempt to determine the source of the leak and will
take appropriate actions if we can make a determination.

Finally, to address the "Anonymous Operators" question again, yes, we
have listed many of the "Operation Payback" IRC C&C hosts in the
DDoS-RS, as they meet the above-listed criterion - they are IRC botnet
C&C hosts, clearly, verifiably, and overtly being used to coordinate
illegal DDoS attacks.  It was brought to our attention earlier today
that one of the hosts we had previously listed was also providing web
services, at which time we "flipped the services bit" on that specific
host, removing the BGP route (but leaving it in the text list, with that
new services bit value listed).  Anyone on NSP-SEC is welcome (and
encouraged) to let us know when they find a host in the DDoS-RS that
provides non-IRC services, and we will be happy to flip the services bit.

If anyone has any questions on any of this, please feel free to contact
me directly, the whole team at team-cymru at cymru.com, or to follow up
on-list if you believe that is appropriate.

Best regards,
Tim Wilde for Team Cymru

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0FM9YACgkQluRbRini9thz/ACeNqzkpoReMZ5Jjn3+mz17eVw7
SoYAoIBdGjJ0N5JKnQ8NX6yU6bKaTqOF
=kZ9V
-----END PGP SIGNATURE-----
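The message above describes a C&C list published two ways: a text feed carrying per-host metadata (including the "services bit") and a BGP feed of bare /32 routes that omits every host whose services bit is set, with the bit being "flipped" when a listed host turns out to run web services. The following is an added example, not Team Cymru's code and not the real DDoS-RS format (which is not shown on this page): the column layout of the sample feed, the field names, and the sample IPs (documentation ranges) are all invented here. It models the consumer side of such a feed: parse the text feed, refuse anything that is not a single public IPv4 host (a blackhole consumer must never accept an aggregate or private space from any feed), derive the set of /32s the BGP view would carry, and withdraw a route when a host's services bit is flipped while keeping it in the text list.

```python
"""Toy model of a two-channel C&C blacklist: text feed with a services bit,
and a BGP view of /32s that excludes services-bit hosts.  Feed format and
sample data are constructed for this example only."""
import ipaddress
from dataclasses import dataclass

# Constructed sample text feed (hypothetical layout): host, services bit, note.
SAMPLE_TEXT_FEED = """\
# host            services  note
198.51.100.7      0         irc-cc confirmed 2010-12-10
198.51.100.9      1         irc-cc; also serves http on port 80
203.0.113.42      0         irc-cc confirmed 2010-12-11
203.0.113.0/24    0         bogus entry: an aggregate, must be rejected
10.0.0.5          0         bogus entry: private space, must be rejected
"""

# Ranges a blackhole consumer should never accept from a feed.  This list is
# an illustrative subset of the usual bogons, not an authoritative one.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Entry:
    host: ipaddress.IPv4Address
    services: bool   # True: non-IRC services seen on the host
    note: str


def parse_text_feed(text):
    """Parse the text feed into {host_string: Entry}.

    Comments and blank lines are skipped.  Anything that is not exactly one
    public IPv4 host (/32) is dropped: a consumer that null-routes on this
    data must not let a malformed or malicious line take out a whole prefix.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        if net.version != 4 or net.prefixlen != 32:
            continue  # aggregates rejected; IPv6 not modelled here
        host = net.network_address
        if any(host in bogon for bogon in BOGONS):
            continue
        note = parts[2] if len(parts) > 2 else ""
        entries[str(host)] = Entry(host, parts[1] == "1", note)
    return entries


def bgp_prefixes(entries):
    """The /32s the BGP feed would advertise: services-bit hosts are left out."""
    ordered = sorted(entries.values(), key=lambda e: int(e.host))
    return [f"{e.host}/32" for e in ordered if not e.services]


def flip_services_bit(entries, host):
    """Mark a listed host as running non-IRC services.

    The host stays in the text feed with the new bit value; its route is
    withdrawn from the BGP view.  Returns the withdrawn prefix, or None if
    the host is not listed or the bit was already set.
    """
    entry = entries.get(host)
    if entry is None or entry.services:
        return None
    entry.services = True
    return f"{entry.host}/32"


if __name__ == "__main__":
    feed = parse_text_feed(SAMPLE_TEXT_FEED)
    print("BGP view:", bgp_prefixes(feed))
    print("withdrawn:", flip_services_bit(feed, "203.0.113.42"))
    print("BGP view after flip:", bgp_prefixes(feed))
```

The two rejected sample lines are the practitioner's check the message implies but does not spell out: a BGP or text feed you null-route on is only as safe as the validation in front of it, so restrict accepted entries to single /32 hosts and filter bogons on your side regardless of how trusted the source is.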


