[nsp-sec] Team Cymru services

Hank Nussbacher hank at efes.iucc.ac.il
Thu Apr 20 09:08:02 EDT 2017


Probably opening a can of worms but that kind of never stopped me. :-)

In a galaxy far far away and a long time ago, there were a number of
services that Team Cymru provided to this specific forum:
https://www.cymru.com/nsp-sec/
Some, like:
https://www.cymru.com/nsp-sec/httpcnc/
which have kind of died quietly:
https://www.cymru.com/nsp-sec/httpcnc/httpcnc_v2.txt

Some continue to live on:
https://www.cymru.com/nsp-sec/MalwareURL/malwareurl.txt
https://www.cymru.com/nsp-sec/malwareflow/avlist.txt
https://www.cymru.com/nsp-sec/malwareflow/flowlist_v2.hash.txt

But one in particular recently got my attention:
https://www.cymru.com/nsp-sec/DDoS-RS/
This is probably the oldest and most trustworthy of all feeds available
to the community.  But, when I look at the file available online:
https://www.cymru.com/nsp-sec/DDoS-RS/ddos-rsv2.txt
with its 26 entries, it doesn't match at all the BGP feed I get with 237
current entries.  How come?

Now for looking to the future: many of us still have our BGP peer in
place.  It null-routes the "bad" /32s Team Cymru provides. 
Nowadays there are many verified /32 C&Cs out there from any number of
recent announcements, available in lists from US-CERT, or any other
trustworthy organization.  How can we leverage that info and get it
added to the Team Cymru feed for auto-blocking of these known and
verified bad C&Cs?

Thanks,
Hank
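A check for the mismatch Hank describes (the published text file versus the /32s actually received over the BGP session), together with the sanity tests an operator would want before letting any external C&C list auto-populate a null-route feed. This is an added example, not code from the original post or from Team Cymru; it assumes both sources can be reduced to one IPv4 address or prefix per line (the real file formats are not shown here), and the feed contents, own address space and bogon list are constructed samples.

```python
import ipaddress
import re

# Constructed samples (not the real Team Cymru files): one IPv4 address or prefix per line.
TEXT_FEED = """# published text list; a bare address means a /32 host route
198.51.100.10
198.51.100.11
203.0.113.5
"""
BGP_FEED = """# prefixes learned from the blackhole BGP session (e.g. from a route dump)
198.51.100.10/32
203.0.113.5/32
203.0.113.9/32
10.0.0.1/32
192.0.2.0/24
"""
# Assumed own address space: never accept a null-route that falls inside it.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.8/29")]
# Partial bogon list (RFC 1918, loopback, link-local, multicast, class E); extend for production.
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")

def parse_feed(text):
    """Extract IPv4 networks from a feed; '#' starts a comment, bare addresses become /32."""
    nets = set()
    for line in text.splitlines():
        for tok in IPV4_RE.findall(line.split("#", 1)[0]):
            try:
                nets.add(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # malformed token, skip it
    return nets

def unsafe_reason(net, own_prefixes=OWN_PREFIXES):
    """Return why an entry must not be null-routed, or None if it passes the checks."""
    if net.prefixlen != 32:
        return "not a /32 host route"
    if any(net.subnet_of(b) for b in BOGONS):
        return "bogon or private address"
    if any(net.subnet_of(o) for o in own_prefixes):
        return "inside our own address space"
    return None

def reconcile(text_feed, bgp_feed):
    """Diff the two sources and flag received routes that fail the safety checks."""
    text, bgp = parse_feed(text_feed), parse_feed(bgp_feed)
    return {"only_in_text": sorted(map(str, text - bgp)),
            "only_in_bgp": sorted(map(str, bgp - text)),
            "unsafe": {str(n): r for n in sorted(bgp) if (r := unsafe_reason(n))}}
```

Running `reconcile(TEXT_FEED, BGP_FEED)` on the samples reports the one entry present only in the text file, the four received only over BGP, and flags the private address, the non-/32 prefix and the route inside our own space as unsafe to install.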
