[nsp-sec] Team Cymru services

Dave Monnier dmonnier at cymru.com
Thu Apr 20 12:29:16 EDT 2017


Hello Hank,

It’s good to hear from you.  I hope you’re doing well and enjoyed the Passover holiday with friends and family!

As you’ve pointed out, some of the feed components previously shared with the community have dwindled in content.  That’s partly by design as the CNC feeds were deprecated a few years ago for a new commercial offering we created.  The previous feeds are still created automatically but many of them do not see many additions due to our internal migration to a new feed mechanism.

The DDoSRS service should still be operating though.  Given the difference between the feed and the BGP sessions, I’ll wager something broke on our end plumbing-wise.  We’ll get started investigating that ASAP.  Additionally, I’d like to point out our other community offering in that space called UTRS that is similarly helpful and available to the community.

https://www.team-cymru.org/UTRS/

A question for the community: What would make it easier to submit new entries to the DDoSRS for everyone?  I ask because we’ve been the sole data contributor to the service for the last five or six years.  While we used to receive requests to have C2 added, we haven’t received one in a very, very long time.  Like anything else community-based, it takes a community effort for things like this to succeed.  We’re keen to know how we can help all of you help us in helping the community.

I’ll investigate now why we have a disparity between the feed and the service.

Thanks!
-Dave

---
Dave Monnier
Team Cymru Fellow
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc

> On Apr 20, 2017, at 9:08 AM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> 
> ----------- nsp-security Confidential --------
> 
> Probably opening a can of worms but that kind of never stopped me. :-)
> 
> In a galaxy far far away and a long time ago, there were a number of
> services that Team Cymru provided to this specific forum:
> https://www.cymru.com/nsp-sec/
> Some, like:
> https://www.cymru.com/nsp-sec/httpcnc/
> which have kind of died quietly:
> https://www.cymru.com/nsp-sec/httpcnc/httpcnc_v2.txt
> 
> Some continue to live on:
> https://www.cymru.com/nsp-sec/MalwareURL/malwareurl.txt
> https://www.cymru.com/nsp-sec/malwareflow/avlist.txt
> https://www.cymru.com/nsp-sec/malwareflow/flowlist_v2.hash.txt
> 
> But one in particular recently got my attention:
> https://www.cymru.com/nsp-sec/DDoS-RS/
> This is probably the oldest and most trustworthy of all feeds available
> to the community.  But, when I look at the file available online:
> https://www.cymru.com/nsp-sec/DDoS-RS/ddos-rsv2.txt
> with its 26 entries, it doesn't match at all the BGP feed I get with 237
> current entries.  How come?
> 
> Now for looking to the future: many of us still have our BGP peer in
> place.  It null-routes the "bad" /32s Team Cymru provides.
> Nowadays there are many verified /32 C&Cs out there from any number of
> recent announcements, available in lists from US-CERT, or any other
> trustworthy organization.  How can we leverage that info and get it
> added to the Team Cymru feed for auto-blocking of these known and
> verified bad C&Cs?
> 
> Thanks,
> Hank
