North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

  • From: Gadi Evron
  • Date: Tue Feb 20 12:32:00 2007

On Tue, 20 Feb 2007, Rich Kulawiec wrote:

Hi Rich,

<snip good stuff> thanks for your input, Rich. As always, quite

> BTW #2: All of this leaves open an important and likely-unanswerable
> question: how many systems are compromised but not as yet manifesting
> any external sign of it?  Certainly any competent adversary would hold
> a considerable fraction of its forces in reserve.  (If it were me,
> that fraction would be at least "the majority".)

I stopped really counting bots a while back. I insisted, along with many
friends, that counting botnets was what matters. When we reached thousands
we gave that up.

We often quoted anti nuclear weapons proliferation sentiments from the
cold war, such as: "why be able to destroy the world a thousand times
over if once is more than enough?" we often also changed it to say "3
times" as redudancy could be important. :>

Today, it is clear the bad guys can get their hands on as many bots as
they need, or in a more scary scenario, want. They don't need that many.

As a prime example, I believe that VeriSign made it public that only 200
bots were used in the DNS amplification attacks against them last
year. Even if they missed one, two or even three zeroes, it speaks quite a
bit as to our fragile infrastructure.

If brute force alone can acheive this, what of application
attacks, perhaps even 0days? :)

Still, we keep surviving and we will still be here next year, too, with
bigger and bigger trucks and tubes to hold the Internet together, whether
for regular or malicious usage. eCommerce and online banking might not
survive in a few years if people such as us here don't keep doing what we
do, but that part of it is off topic to NANOG.

10 years ago, almost no one knew what botnets were. Counting and
measuring seemed to be very important 3 years ago, and to governments and
academics, and even a year ago. Today it is just what funding for botnet
research is based on ( :) ), still, I don't really see the
relevance. Botnets are a serious issue, but they are only a sympthom
of the problem called the Internet.

Sitting on different networks and testing them for how many malicious
scans happen every second/minute/hour/day and then checking that against
how many machines with trivially exploited vulnerabilities exist on these
networks can fill in some of the puzzlea, but the delta from what we may
see if we consider email attachments and malicious web sites...

The factor may be quite big.

We will never be able to count how many bots exist. We can count limited
parts of that pool such as those seen in spam. Those are several millions
every day (which should be scary enough) but not quite the right number.

And this is before we get into the academic off-topic discussion of what a
bot actually is, which after almost 11 years of dealing with these I find
difficult to define. Is it an IP address? A computer? Perhaps an instance
of a bot (and every machine could have even hundreds).

Welcome to the realm of Internet security operations and the different
groups and folks involved (and now industry). It is about Internet
security rather than this or that network security or this and that sample

> ---Rsk