North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Are botnets relevant to NANOG?
On Tue, 30 May 2006 10:02:37 BST, [email protected] said: > For instance, you only published data for two > categories of ASN. Where is the tier-1 data? I suspect that "tier-1" botnet data isn't at all interesting, because in general, "tier-1" providers have almost no address space containing the sort of machines that end up in botnets. For instance, look at AS701 http://www.cidr-report.org/cgi-bin/as-report?as=AS701&view=4637 Lots of /24's, but even if you add it all up, barely a single /9 if that much *total*. And I bet most of those /24's just have a handful of routers on them. > And numbers should cover a 7-day period, not > 5 days. In addition, for each category you should > provide a fixed cutoff. The CIDR report shows > the top 30 ASNs. If we're playing the "shame game" the way the CIDR report is, an interesting metric might be "bots divided by announced address space" (so for instance AS1312 would have it 6 or 10 bots(*) divided by its 2 /16s). I wonder if the numbers for "consumer broadband" versus "universities" will look significantly different when done that way. (*) Yes, our AS isn't perfectly clean. We've got a resnet in our address space, where the best we can do is provide user education and play whack-a-mole as we find them....