Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN

2009-11-07 Thread noc acrino
Hello, Jeffrey and other NANOG members.

Sorry for making another thread - I'm not too experienced in mailgroups.

The problem is in the structure of new-generation advert or banner networks -
they allow returning other-subject traffic to the partner's URL. And this
could also be used to redirect the traffic to different exploits (a simple
way to compromise a banner network or hosting provider). This is extremely
hard to monitor or to take preventive measures against in the case of a large
banner or advert network. Unfortunately Google doesn't provide a detailed
report on their check results: this could allow the resource's owner to easily
block their partners in that case.

Anyway, I'll contact the owner of this resource (91.202.63.96) now in order
to perform a check of their partners. I suppose just having a few domains
would be enough.

The other resource is situated on the public IP of our reseller - I'll ask
him to check this domain, too.

Thank you for that information, I'll report on that issue later.

Kanak

Akrino Support Team


2009/11/7 Jeffrey Lyon 

> Kanak,
>
> Can you please detail your plans to correct the malware issues on your
> network? (reference:
> http://google.com/safebrowsing/diagnostic?site=AS:44571 ).
>
> Best regards, Jeff
>
>
>
> [offlist communication snipped for privacy]
>
> >
> > Kanak
> >
> > Akrino Abuse Team
> >
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications of The IRC Company, Inc.
>
> Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
> 21 to find out how to "protect your booty."
>


Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN

2009-11-08 Thread noc acrino
2009/11/6 Jeffrey Lyon 

>  The primary issue is that we receive a fair
> deal of customers who end up with wide scale DDoS attacks followed by
> an offer for "protection" to move to your network. In almost every
> case the attacks cease once the customer has agreed to pay this
> "protection" fee. Every one of these attacks was nearly identical in
> signature.
>

By the way, Jeffrey, we can provide reports on HTTP floods because our system
builds its signatures on HTTP traffic dumps like

=== IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many
identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1)
Gecko/20061204 Firefox/2.0.0.1
Host: [censored]
Connection: Keep-Alive

So using this info we can map botnets, learn different attacks and, in
collaboration with ISPs, find the CCs of new botnets. And what are your
accusations of identical signatures based on, when simple Staminus
resellers (like you are) do not have access to their signature database?

Kanak

Akrino Abuse Team
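As an added illustration (not the Akrino system or any code from this thread), the following Python sketch shows how request dumps of the kind quoted above can be canonicalised and grouped per source address to flag sources repeating one identical request; the IP addresses, timestamps, threshold and request bodies are constructed for the example.

```python
import hashlib
from collections import Counter, defaultdict

FLOOD_REQUEST = (
    "GET / HTTP/1.1\r\nAccept: */*\r\nAccept-language: en-us\r\n"
    "User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) "
    "Gecko/20061204 Firefox/2.0.0.1\r\nHost: www.example.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed sample dump: (source IP, ISO-8601 time, raw request).
# 198.51.100.7 repeats one request 50 times; 203.0.113.9 is a normal visitor.
SAMPLE_DUMP = [
    ("198.51.100.7", f"2009-10-25T23:07:{s:02d}+03:00", FLOOD_REQUEST)
    for s in range(50)
] + [
    ("203.0.113.9", "2009-10-25T23:07:10+03:00",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", "2009-10-25T23:07:11+03:00",
     "GET /style.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

def request_signature(raw):
    """Fingerprint: request line + lowercased, trimmed, sorted headers, hashed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.split("\r\n") if ln.strip()]
    headers = sorted(
        f"{name.strip().lower()}: {value.strip()}"
        for name, _, value in (ln.partition(":") for ln in lines[1:])
    )
    canonical = "\n".join([lines[0].strip(), *headers])
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def find_flooders(dump, threshold=20):
    """Map IP -> (sig, count, last_seen, length) for sources whose most frequent
    canonical request occurs at least `threshold` times."""
    per_ip, last_seen, length = defaultdict(Counter), {}, {}
    for ip, ts, raw in dump:
        sig = request_signature(raw)
        per_ip[ip][sig] += 1
        last_seen[(ip, sig)] = max(last_seen.get((ip, sig), ""), ts)
        length[(ip, sig)] = len(raw)
    return {ip: (sig, n, last_seen[(ip, sig)], length[(ip, sig)])
            for ip, c in per_ip.items()
            for sig, n in [c.most_common(1)[0]] if n >= threshold}

if __name__ == "__main__":
    for ip, (sig, n, ts, size) in find_flooders(SAMPLE_DUMP).items():
        print(f"=== IP: {ip}, last receiving time: {ts}, "
              f"many identical requests (length {size}, sig {sig}): {n}")
```

The signature ignores header order, case and surrounding whitespace, so slight formatting differences between bots still collapse into one fingerprint while a normal visitor fetching different URLs never reaches the threshold.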


Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN

2009-11-10 Thread noc acrino
Greetings!

By the way, Jeffrey, by the 24th of October, when you posted the information
that the RBN is located in our networks, we couldn't even know about any
malware redirectors on our clients' resources -
http://www.stopbadware.org/reports/asn/44571. I'm trying to solve the Google
SB issue (still under investigation both by our team and the resource owner,
but NB - it's only 1 IP out of 345 sites tested by Google), but one little
question - how did you get to know about the malware abuse _before_ the
actual report on stopbadware.org or on Google? What were your conclusions
based on? Why didn't you write to the abuse email the way it's traditionally
done in the network operators' sphere?

Kanak

Akrino Abuse Team