[nsp-sec] IMPORTANT: DDoS-RS Reminders

Tim Wilde twilde at cymru.com
Mon Dec 13 08:33:54 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/13/2010 4:11 AM, Huopio Kauto wrote:
> Now the tricky bit here: if an IRC server is used for C&C activity
> _and_ as a discussion forum for whatever group/groups, what are the
> criteria to list or not to list?

Good question, thanks Kauto!

This generally comes down to a judgment call.  We try to weigh the
relative values of the activity we can observe on a host - is it
primarily a C&C, primarily a chat host?  Where does the balance fall?
We also factor in the type of chatting that appears to be going on - is
it also about illegal activities (coordinating the bot activities, other
hacking/carding/warez/etc) or is it totally unrelated?  If there's a lot
of unrelated chat going on we wouldn't list a server, to avoid
collateral damage.

In the case of the Anonymous folks specifically, we judged the network
to be single-purpose; it exists solely for the purpose of coordinating
attacks, whether that's being done by bots receiving commands or people
chatting is somewhat irrelevant in this particular case.  I understand
that this may make things a little difficult from a provider's
perspective when attempting to notify customers (in that a host
connecting to these IPs may not necessarily be a bot, per se), but
again, still, there is only one real purpose to be connecting to this
network, and that's to discuss and coordinate illegal attacks, so we
believe that listing them is the correct thing to do.

I hope this helps clarify, and welcome further questions/discussion!

Best regards,
Tim

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0GIMIACgkQluRbRini9tjh4QCfcA9qM0ppVkEo9mEJa1TvB0yc
xH8AnRD8rZxwe1zVbsHTu9D3Nh3fQpU3
=6z9M
-----END PGP SIGNATURE-----


