[Dshield] Dalnet being used as a C&C server

Gary gary at dal.net
Wed Jun 20 19:45:42 GMT 2007


On DALnet, the team responsible for handling botnets and
exploited/compromised hosts is the Exploits Prevention team. The
abuse at dal.net address is for general abuse issues - the mails are
read, and forwarded on to the relevant teams. The quickest way to
contact the Exploits Prevention team is through our online form at
http://kline.dal.net/exploits/contact.htm. Reports submitted through
that form will get a quicker reply/resolution than those emailed to
abuse at dal.net.

You can also connect to DALnet and contact any member of the Exploits
Prevention team directly. The nicks of the team members are:

aHa
Alaskaguy
Bagheera
byrnsy
Car`a`carn
gary
Jim-mm
key
Kobi_S
lorddracula
robt
traumatic
WhatWhat
Zvonarek

Obviously, if there's a botnet operating from our servers, we don't
want it there. The sooner we hear about it, the sooner we can put them
out of business. It took us 5 hours to shut this one down, which is an
excellent response time. I've dealt with ISPs with dedicated, paid
staff who don't react as quickly. Notifying us through either the
form, or contacting us directly on DALnet, would cut that time down
even further.

Please, don't hesitate to let us know if you find a botnet, or even
_suspect_ that there's a botnet operating on our servers. We take such
things very seriously, and will investigate immediately.

-gary
punch.va.us.dal.net
DALnet Exploits Prevention Team



On 20/06/07, Dalvenjah FoxFire <dalvenjah at dal.net> wrote:
> Hello,
>
> I'd just like to chime in on this thread. I want to point out that
> DALnet first received notice of this issue at abuse at dal.net at 4:45PM PDT;
> the channel involved was blocked from use at 10:05PM PDT. That's what I
> would consider an excellent 5 hour response time; it also appears from this
> thread that confirmation was received that action was taken at around
> the same time.
>
> The apparent continuing discussion of "well I don't know if I trust that,
> let's pursue blocking DALnet" troubles me. As someone who has for upwards
> of ten years tried to get ISPs to harden their configurations and remove
> abusers, I would be very happy with a 24 hour response time, let alone 5 hours.
>
> I would like to point out that DALnet is entirely volunteer, and it does
> not have a 24/7 NOC or abuse desk. We haven't always been perfect at
> responding to abuse issues, but we do try our best, and I like to think
> we're one of the better ones.
>
> I applaud what you guys are doing and appreciate that chasing botnets
> is a thankless job -- but I would ask you to reserve the harshest
> countermeasures for the truly nonresponsive sites, and not use the
> "well I've got a hammer, everything looks like a nail" approach.
>
> If there are still abusive users using DALnet in regards to botnets
> that we aren't aware of, please do e-mail abuse at dal.net or contact
> someone on IRC, and we'll address the issue.
>
> Thanks in advance,
>
> -dalvenjah
>


-- 
gary

