North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]
On Tue, 20 Feb 2007, Rich Kulawiec wrote: Hi Rich, <snip good stuff> thanks for your input, Rich. As always, quite interesting. > > BTW #2: All of this leaves open an important and likely-unanswerable > question: how many systems are compromised but not as yet manifesting > any external sign of it? Certainly any competent adversary would hold > a considerable fraction of its forces in reserve. (If it were me, > that fraction would be at least "the majority".) I stopped really counting bots a while back. I insisted, along with many friends, that counting botnets was what matters. When we reached thousands we gave that up. We often quoted anti nuclear weapons proliferation sentiments from the cold war, such as: "why be able to destroy the world a thousand times over if once is more than enough?" we often also changed it to say "3 times" as redudancy could be important. :> Today, it is clear the bad guys can get their hands on as many bots as they need, or in a more scary scenario, want. They don't need that many. As a prime example, I believe that VeriSign made it public that only 200 bots were used in the DNS amplification attacks against them last year. Even if they missed one, two or even three zeroes, it speaks quite a bit as to our fragile infrastructure. If brute force alone can acheive this, what of application attacks, perhaps even 0days? :) Still, we keep surviving and we will still be here next year, too, with bigger and bigger trucks and tubes to hold the Internet together, whether for regular or malicious usage. eCommerce and online banking might not survive in a few years if people such as us here don't keep doing what we do, but that part of it is off topic to NANOG. 10 years ago, almost no one knew what botnets were. Counting and measuring seemed to be very important 3 years ago, and to governments and academics, and even a year ago. Today it is just what funding for botnet research is based on ( :) ), still, I don't really see the relevance. Botnets are a serious issue, but they are only a sympthom of the problem called the Internet. Sitting on different networks and testing them for how many malicious scans happen every second/minute/hour/day and then checking that against how many machines with trivially exploited vulnerabilities exist on these networks can fill in some of the puzzlea, but the delta from what we may see if we consider email attachments and malicious web sites... The factor may be quite big. We will never be able to count how many bots exist. We can count limited parts of that pool such as those seen in spam. Those are several millions every day (which should be scary enough) but not quite the right number. And this is before we get into the academic off-topic discussion of what a bot actually is, which after almost 11 years of dealing with these I find difficult to define. Is it an IP address? A computer? Perhaps an instance of a bot (and every machine could have even hundreds). Welcome to the realm of Internet security operations and the different groups and folks involved (and now industry). It is about Internet security rather than this or that network security or this and that sample detection. > > ---Rsk > Gadi.