North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: botnets: web servers, end-systems and Vint Cerf

  • From: Peter Moody
  • Date: Fri Feb 16 00:16:34 2007
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=p9cRidEDWT5rDNjW5Irthw0TiWtCJqvSZAnKThdgT/yZ37VZ6wNAGYBbEm/9mjS0gbRcGg7o4wQcgLJ+quk82rzwxiLZvfyYOBliFaF/KlWuRAG64afK+8Aq4bH4uq5tuft73/rpadpUC9cs5uh3+fRtPNRQGxn+WB6Jx5XKZzk=

> systems were botted.  Just a little while back, Vint Cerf guesstimated that
> there's 140 million botted end user boxes.  Unless 100% of Google's servers
> are botted, there's no way there's that many botted servers. :)

I kept quiet on this for a while, but honestly, I appreciate Vint Cerf
mentioning this where he did, and raising awareness among people who can
potentially help us solve the problem of the Internet.

Still, although I kept quiet for a while, us so-called "botnet
experts" gotta ask: where does he get his numbers? I would appreciate some
backing up to these or I'd be forced to call him up on his statement.

My belief is that it is much worse. I am capable of proving only somewhat
worse. His numbers are still staggering so.. where why when how what? (not
necessarily in that order).

So, data please Vint/Google.

Dr. Cerf wasn't speaking for Google when he said this, so I'm not sure why you're looking that direction for answers.  But since you ask, his data came from informal conversations with A/V companies and folks actually in the trenches of dealing with botnet ddos mitigation.  The numbers weren't taken from any sort of scientific study, and they were in fact mis-quoted (he said more like 10%-20%).
so you go ahead an call him on it Gadi; you're a "botnet expert" after all.

> And the fact that web servers are getting botted is just the cycle of
> reincarnation - it wasn't that long ago that .edu's had a reputation of
> getting pwned for the exact same reasons that webservers are targets now:
> easy to attack, and usually lots of bang-for-buck in pipe size and similar.

You mean they aren't now? Do we have any EDU admins around who want to
tell us how bad it still is, despite attempts at working on this?

Dorms are basically large honey nets. :)

spoken like someone who's not actually spent time cleaning up a resnet. cleaning up a resnet must look downright impossible when you spend so much time organizing conferences.

(my opinions != my employer's, etc. etc.)