>>>________________________________________ >>>From: Rich Kulawiec [...@gsp.org] >>>Sent: Sunday, March 21, 2010 8:43 PM >>>To: nanog@nanog.org >>>Subject: Re: NSP-SEC >>> >>>There is, by the way, no relief from this due to events like the >>>recent bust of the Mariposa botnet (13M systems);
The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more than a month's time. When I've had visibility into other large botnets (srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 IPs-to-unique-bots count over a time period of a week. Happy to make the raw pcap data available to anyone who is curious. The UCSB guys showed similar results in their excellent Torpig paper. http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf My unscientific finger-in-the-wind would put it at well under 1M when you are talking a month and a half of monitoring IP connections. Regards, Alex Lanstein
