[nsp-sec] IMPORTANT: DDoS-RS Reminders
SURFcert - Peter
p.g.m.peters at utwente.nl
Mon Dec 13 07:59:17 EST 2010
SURFcert - Peter wrote on 2010-12-13 13:25:
> ----------- nsp-security Confidential --------
>
> Huopio Kauto wrote on 2010-12-13 10:11:
>> ----------- nsp-security Confidential --------
>>
>>> The text feed provides a large amount of
>>> information about these hosts, including what we call the "services
>>> bit", a flag indicating whether or not non-IRC services are known to
>>> exist on a host. These are usually web services. The BGP feed, of
>>> course, cannot provide all of this information, it is simply a list of
>>> /32s provided via eBGP. It is important to note, though, that any hosts
>>> with the services bit set (ie, hosts with non-IRC services on them) are
>>> NOT advertised via the BGP feed - consumers of the DDoS-RS will have to
>>> use the text feed if they wish to take action on hosts with the services
>>> bit set, as we feel the more conservative policy is best on the BGP feed.
>> Now the tricky bit here: if an IRC server is used for C&C activity
>> _and_ as a discussion forum for whatever group/groups, what are the
>> criteria to list or not to list?
> Regarding this I have complaints from a customer who is claiming the IRC
> servers he is using are legitimate. He was blocked because his computer
> contacted them. The servers in question are 173.192.206.141 and
> 178.63.172.193.
New information seems to indicate these (and others) are IRC servers
used by Anonymous to discuss Wikileaks and things surrounding that. If
that is the case I think they should be considered false positives. And
yes, people downloading and using LOIC should be handled. But not the
people discussing.
But this is just my humble opinion.
--
Peter Peters /------\ SURFnet bv
SURFcert | SURF | cert.surfnet.nl
cert at surfnet.nl \-----\ \-----\ Postbus 19035
PGP Key ID 0x5A52C966 | CERT | NL-3501 DA Utrecht
+31 30 2305 305 \------/ fax: +31 30 2305 329