North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Are botnets relevant to NANOG?

  • From: Valdis.Kletnieks
  • Date: Tue May 30 09:28:28 2006

On Tue, 30 May 2006 10:02:37 BST, [email protected] said:

> For instance, you only published data for two
> categories of ASN. Where is the tier-1 data?

I suspect that "tier-1" botnet data isn't at all interesting, because
in general, "tier-1" providers have almost no address space containing
the sort of machines that end up in botnets.  For instance, look at AS701

Lots of /24's, but even if you add it all up, barely a single /9 if
that much *total*.  And I bet most of those /24's just have a handful
of routers on them.

> And numbers should cover a 7-day period, not
> 5 days. In addition, for each category you should
> provide a fixed cutoff. The CIDR report shows
> the top 30 ASNs. 

If we're playing the "shame game" the way the CIDR report is, an
interesting metric might be "bots divided by announced address space"
(so for instance AS1312 would have it 6 or 10 bots(*) divided by its
2 /16s).  I wonder if the numbers for "consumer broadband" versus
"universities" will look significantly different when done that way.

(*) Yes, our AS isn't perfectly clean.  We've got a resnet in our
address space, where the best we can do is provide user education and
play whack-a-mole as we find them....

Attachment: pgp00014.pgp
Description: PGP signature