North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Are botnets relevant to NANOG?

  • From: Gadi Evron
  • Date: Fri May 26 22:10:36 2006


Time differentials, time-limiting, proxies and NATs, dynamic addresses,
different malware, different OS, etc. are all things taken into acount. At
some point you just need to have a best guess..

When the situation was by far less horrible, the numbers still didn't

Wasn't it your countrymen who said why should you need to be able to
destroy the world a thousand times over when once is more than enough? I
think 3 times for redundancy sounds like fun.

The numbers are for years now not relevant. I often count active groups,
active attacks per time-frame, money made/lost and number of user ID's
compromised / sites targetted.


On Fri, 26 May 2006, John Kristoff wrote:

> On Fri, 26 May 2006 11:50:21 -0700
> Rick Wesson <[email protected]> wrote:
> > The longer answer is that we haven't found a reliable way to identify 
> > dynamic blocks. Should anyone point me to an authoritative source I'd
> > be happy to do the analysis and provide some graphs on how dynamic 
> > addresses effect the numbers.
> I don't know how effective the dynamic lists maintained by some in
> the anti-spamming community is, you'd probably know better than I,
> but that is one way as decribed in the paper.  In the first section
> of the paper I cited they lists three methods they used to try to
> capture stable IP addresses.  Summarizing those:
>   1. reverse map the IP address and analyze the hostname
>   2. do same for nearby addresses and analyze character difference ratio
>   3. compare active probes of suspect app with icmp echo response
> None of these will be foolproof and the last one will probably only
> be good for cases where there is a service running where'd you'd
> rather there not be and you can test for it (e.g. open relays).
> There was at least one additional reference to related work in that
> paper, which leads to more still, but I'll let those interested to
> do their own research on additional ideas for themselves.
> > also note that we are using TCP fingerprinting in our spamtraps and 
> > expect to have some interesting results published in the august/sept 
> > time frame. We won't be able to say that a block is dynamic but we
> > will be able to better understand if we talk to the same spammer from 
> > different ip addresses and how often those addresses change.
> Will look forward to seeing more.  Thanks,
> John