North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Are botnets relevant to NANOG?

  • From: Peter Dambier
  • Date: Fri May 26 16:10:54 2006

John Kristoff wrote:
On Fri, 26 May 2006 11:50:21 -0700
Rick Wesson <[email protected]> wrote:


The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd
be happy to do the analysis and provide some graphs on how dynamic addresses effect the numbers.
I don't know how effective the dynamic lists maintained by some in
the anti-spamming community is, you'd probably know better than I,
but that is one way as decribed in the paper.  In the first section
of the paper I cited they lists three methods they used to try to
capture stable IP addresses.  Summarizing those:

  1. reverse map the IP address and analyze the hostname
  2. do same for nearby addresses and analyze character difference ratio
  3. compare active probes of suspect app with icmp echo response
Tool to help you.
Try natnum form the IASON tools.

 $ natnum echnaton.serveftp.com

host_look("84.167.246.104","echnaton.serveftp.com","1420293736").
host_name("84.167.246.104","p54A7F668.dip.t-dialin.net").

You can feed natnum a hostname or an ip-address or even a long integer.

If you want to dump an address range use name2pl.

 $ name2pl 84.167.246.100 8

host_name("84.167.246.100","p54A7F664.dip.t-dialin.net").
host_name("84.167.246.101","p54A7F665.dip.t-dialin.net").
...
host_name("84.167.246.106","p54A7F66A.dip.t-dialin.net").
host_name("84.167.246.107","p54A7F66B.dip.t-dialin.net").

Dumps you 8 ip-addresses starting from 84.167.246.100.
Without the 8 you will get 256

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry the sourceforge still gives me hickups :)
Sorry will compile and run on UNIX, BSD, Linux, MAC OS-X only.

None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where'd you'd
rather there not be and you can test for it (e.g. open relays).

There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested to
do their own research on additional ideas for themselves.


also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we
will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.
Will look forward to seeing more.  Thanks,

John
Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [email protected]
mail: [email protected]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/