Re: Botnet Reporting

[Gadi Evron <ge () linuxbox org>]

Carl Jongsma wrote:
> Long time lurker, first time poster.
>
> The discussion on Botnet reporting threw up some interesting points,  
> which warrant more investigation.
>
> The idea of a centralised collection of Botnet information sounds  
> great.  That sounds like the sort of thing we should be able to  create 
> and host.  With appropriate access controls, it could become a  valuable 
> statistics / handling site for botnets and drones (could  consider it 
> analogous to the Zone-h defacement archive).  Our initial  concept is as 
> follows;
>
> - User accounts mandatory for access to detailed information (IP  
> addresses, who reported, ISPs affected)
>
> - No advertising - Cost of support to be borne by us, and account  
> subscription fees (to keep the kiddies / bot masters out) -  Suggestion 
> of fee settings welcome
>
> - Web based archive with options for automated ISP notification (will  
> need anti-spam measures to prevent automated spamming)
>
> - User supplied listing of ISP / major network administrators /  
> security teams (where the notifications will be sent), and rated  
> responsiveness to notification.  This list alone would be a valuable  
> asset, providing a realistic sense of what sort of response /  reaction 
> a report is likely to receive.
>
> - ISP / administrator notifications can originate from our company  (at 
> least botnetlist () mycompany com), or by user who reports (users  can 
> choose to be anonymous when reporting).
>
> - Authentication parameters for accessing botnet is protected  
> information - releasable to affected ISP, and vetted users (i.e. not  
> all users will have access to this information - to keep out the  
> kiddies who have paid their fees for full access, and limits risk  
> exposure).
>
> - Dedicated subdomain to be set up to manage and control the list  
> (skiifwrald.com will shortly be changed to a more appropriate domain).
>
> Thoughts, suggestions, criticism?

Only good luck. There is always a place for more people to fight this fight.

There are 2 groups currently doing exactly this, though. If you choose 
to be a third I will help any way I can, otherwise you may choose to 
join one of these or pick a fight no one is fighting.
:)

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.