[Dshield] Dalnet being uses as a C&C server
Tomas L. Byrnes
tomb at byrneit.net
Wed Jun 20 19:10:38 GMT 2007
No-one was advocating blocking them, unless the handlers determined that
they were non-responsive. What I was advocating was that this be handled
through the proper channel, by trained incident handlers.

I don't think ANYONE said "let's continue to pursue blocking DALnet".
Escalating something to the handlers is very different than blocking
someone. It's getting the information to the right people, and letting
them do what they do best.

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Dalvenjah FoxFire
> Sent: Wednesday, June 20, 2007 11:05 AM
> To: list at lists.dshield.org
> Subject: Re: [Dshield] Dalnet being uses as a C&C server
>
> I'd just like to chime in on this thread. I want to point out
> that DALnet first received notice of this issue at
> abuse at dal.net at 4:45PM PDT; the channel involved was blocked
> from use at 10:05PM PDT. That's what I would consider an
> excellent 5 hour response time; it also appears from this
> thread that confirmation was received that action was taken
> at around the same time.
>
> The apparent continuing discussion of "well I don't know if I
> trust that, let's pursue blocking DALnet" troubles me. As
> someone who has for upwards of ten years tried to get ISPs to
> harden their configurations and remove abusers, I would be
> very happy with a 24 hour response time, let alone 5 hours.
>
> I would like to point out that DALnet is entirely volunteer,
> and it does not have a 24/7 NOC or abuse desk. We haven't
> always been perfect at responding to abuse issues, but we do
> try our best, and I like to think we're one of the better ones.
>
> I applaud what you guys are doing and appreciate that chasing
> botnets is a thankless job -- but I would ask you to reserve
> the harshest countermeasures for the truly nonresponsive
> sites, and not use the "well I've got a hammer, everything
> looks like a nail" approach.
>
> If there are still abusive users using DALnet in regards to
> botnets that we aren't aware of, please do e-mail
> abuse at dal.net or contact someone on IRC, and we'll address the issue.
>
> Thanks in advance,