Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Sean Donelan


On Thu, 26 Oct 2006, Gadi Evron wrote:

> Jose may be a bit conservative with numbers, but he has good data and
> shares it, which is more than I can say for some people.


http://www.asu.edu/security/aware/2005/lippard.htm




Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Jack Bates


Matthew Crocker wrote:



> > Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
>
> Shouldn't 'ip verify unicast source reachable-by rx' be a default
> setting on all interfaces?  Only to be removed by trained chimps?




Only if you wish to break existing configurations during IOS upgrades. I could 
see ip verify unicast source reachable-by any (less breakage), but rx will kill 
all types of good asymmetric routing. The largest breakage I have seen caused by 
rx is the link IP breakage caused by the router responding out multiple 
interfaces. It's also a problem when customers are straddling the fence, 
purposefully using asymmetric routing.


It would be nicer to have router support where a packet is acceptable if its 
network is acceptable in the BGP (or IGP) policy/filter (i.e., the network may not 
be there, but it is allowed), as well as the link addresses associated with the 
BGP (or IGP) peer.


-Jack
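
The strict (rx) versus loose (any) distinction above, plus the policy-based check Jack proposes, as a small added Python model of the source check (not code from the thread or from any router vendor); the FIB, interface names, peer prefix filters and link subnets are constructed for illustration:

```python
import ipaddress

# Constructed routing state for this example (assumed values, not from the thread).
# FIB: prefix -> egress interface of the best path; no default route, so an unmatched source has "no route".
FIB = {
    "192.0.2.0/24": "Gi0/1",      # customer A, single-homed on Gi0/1
    "198.51.100.0/24": "Gi0/2",   # customer B, dual-homed on Gi0/2 and Gi0/3; best path via Gi0/2
}
# Per-interface BGP policy: prefixes the peer is permitted to announce (whether
# or not it currently does) plus the link subnet of that peering.
PEER_POLICY = {
    "Gi0/2": {"allowed": ["198.51.100.0/24", "203.0.113.0/24"], "link": "10.0.0.0/30"},
    "Gi0/3": {"allowed": ["198.51.100.0/24", "203.0.113.0/24"], "link": "10.0.0.4/30"},
}

def lookup(src):
    """Longest-prefix match of src against the FIB: (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best

def urpf(src, ingress, mode):
    """True if a packet from src arriving on ingress passes the source check."""
    route = lookup(src)
    if mode == "rx":       # strict: a route must exist AND point back out the ingress interface
        return route is not None and route[1] == ingress
    if mode == "any":      # loose: any route to the source is enough
        return route is not None
    if mode == "policy":   # Jack's proposal: permitted by the peer's prefix filter, or on the link
        pol = PEER_POLICY.get(ingress)
        if pol is None:
            return False
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(n) for n in pol["allowed"] + [pol["link"]])
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    cases = [
        ("198.51.100.10", "Gi0/3", "customer B sending out its secondary link (asymmetric)"),
        ("203.0.113.5", "Gi0/2", "prefix customer B may announce but currently does not"),
        ("192.0.2.7", "Gi0/3", "customer A's address spoofed on customer B's link"),
    ]
    for src, ifc, why in cases:
        verdicts = {m: urpf(src, ifc, m) for m in ("rx", "any", "policy")}
        print(f"{src:>14} on {ifc}: {verdicts}  # {why}")
```

The first case is the asymmetric-routing breakage Jack describes (rx drops, any passes); the third shows why loose mode alone does not stop a spoofed source that is routed somewhere else.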


Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Matthew Crocker


> Maybe the new slogan needs to be "Save the Internet! Train the
> chimps!"


Shouldn't 'ip verify unicast source reachable-by rx' be a default
setting on all interfaces?  Only to be removed by trained chimps?


-Matt

--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com



10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Valdis Kletnieks
On Thu, 26 Oct 2006 05:11:14 -, Fergie said:
> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively pursuing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?

The same people I mentioned the other day as not having enough clue to
do DNS correctly don't have enough clue to do BCP38 correctly either.
As one person mentioned, if stuff still requires pioneer-level skillsets
to use, the pioneers have more work to do.  The problem is that the
following wave seems to be made up mostly of chimpanzees, and nobody's
figured out how to make routers and network services that can be run
by chimps...

Maybe the new slogan needs to be "Save the Internet! Train the chimps!"




Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Simon Waters

On Thursday 26 Oct 2006 13:45, you wrote:
> 
> Is there a similar statistic available for Mac OS X ?

Now now.

> > "Of the 4 million computers cleaned by the company's MSRT
> > (malicious software removal tool), about 50 percent (2 million)
> > contained at least one backdoor Trojan. While this is a high
> > percentage, Microsoft notes that this is a decrease from the
> > second half of 2005. During that period, the MSRT data showed
> > that 68 percent of machines cleaned by the tool contained a
> > backdoor Trojan."

A lot depends on the definition.

I've removed some malware trying to exploit an old Microsoft JRE bug. This 
stuff gets everywhere (well anywhere IE goes).

These get downloaded to some cached program folder for Java, and because the 
exploit hasn't worked for years, sit there till some antivirus software comes 
along and removes them, doing nowt but consuming disk space.

If you are the Microsoft malicious software removal tool marketing department, 
that is a trojan removed. To the average person on the street, it is another 
bit of meaningless fluff their PC will lose when they reinstall.

So yes, Microsoft is big enough to have bits who have a vested interest in 
making the other bits look bad (if only incidentally). Thus is the way of big 
companies.



Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Marshall Eubanks


Dear Fergie;

Is there a similar statistic available for Mac OS X ?

Regards
Marshall

On Oct 26, 2006, at 5:43 AM, Fergie wrote:


> Jose's numbers are conservative.
>
> Given some mathematical acrobatics, I'd suggest examining some
> of the (shocking) numbers in Microsoft's Security Intelligence
> Report (Google it) -- these are reflective:
>
> "Of the 4 million computers cleaned by the company's MSRT
> (malicious software removal tool), about 50 percent (2 million)
> contained at least one backdoor Trojan. While this is a high
> percentage, Microsoft notes that this is a decrease from the
> second half of 2005. During that period, the MSRT data showed
> that 68 percent of machines cleaned by the tool contained a
> backdoor Trojan."
>
> Ref: http://www.eweek.com/article2/0,1759,2036439,00.asp
>
> If you're wondering why DDoS attacks are so effective, look
> no further than your backyard.
>
> - ferg
>
>
> -- Sean Donelan <[EMAIL PROTECTED]> wrote:
>
> On Thu, 26 Oct 2006, [EMAIL PROTECTED] wrote:
> > Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not
> > heard of ddos larger that that number). Let's say, you can sink/filter
> > 100kpps on each box (not unreasonable on higher-end box with nsd). That
> > means, you should be able to filter this attack with ~500 servers,
> > appropriately place. Say, because you don't know where the attack will
> > come in, you need 4 times more the estimated number of servers, that's
> > 2000 servers. That's not entirely unreasonable number for a large enough
> > company.
>
> Botnets were the topic at today's Info Security conference in New York
> City. Coincidences?  Or just as random as your iPod shuffle?
>
> Jose Nazario estimated that there were 10,352 botnets active on the
> Internet earlier this year. You will probably always be outnumbered on
> the public Internet.
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/





Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-26 Thread Gadi Evron

On Thu, 26 Oct 2006, Fergie wrote:
> 
> Jose's numbers are conservative.
> 
> Given some mathematical acrobatics, I'd suggest examining some
> of the (shocking) numbers in Microsoft's Security Intelligence
> Report (Google it) -- these are reflective: 
> 
> "Of the 4 million computers cleaned by the company's MSRT
> (malicious software removal tool), about 50 percent (2 million)
> contained at least one backdoor Trojan. While this is a high
> percentage, Microsoft notes that this is a decrease from the
> second half of 2005. During that period, the MSRT data showed
> that 68 percent of machines cleaned by the tool contained a
> backdoor Trojan."
> 
> Ref: http://www.eweek.com/article2/0,1759,2036439,00.asp
> 
> If you're wondering why DDoS attacks are so effective, look
> no further than your backyard.
> 
> - ferg

Jose may be a bit conservative with numbers, but he has good data and
shares it, which is more than I can say for some people.

Jose is definitely someone who knows what he is talking about when it
comes to botnets.

These numbers are not really relevant in my opinion, but they help get the
message across.

Gadi.



Re: 10,352 active botnets (was Re: register.com down sev0?)

2006-10-25 Thread Fergie

Jose's numbers are conservative.

Given some mathematical acrobatics, I'd suggest examining some
of the (shocking) numbers in Microsoft's Security Intelligence
Report (Google it) -- these are reflective: 

"Of the 4 million computers cleaned by the company's MSRT
(malicious software removal tool), about 50 percent (2 million)
contained at least one backdoor Trojan. While this is a high
percentage, Microsoft notes that this is a decrease from the
second half of 2005. During that period, the MSRT data showed
that 68 percent of machines cleaned by the tool contained a
backdoor Trojan."

Ref: http://www.eweek.com/article2/0,1759,2036439,00.asp

If you're wondering why DDoS attacks are so effective, look
no further than your backyard.

- ferg


-- Sean Donelan <[EMAIL PROTECTED]> wrote:

On Thu, 26 Oct 2006, [EMAIL PROTECTED] wrote:
> Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not
> heard of ddos larger that that number). Let's say, you can sink/filter
> 100kpps on each box (not unreasonable on higher-end box with nsd). That
> means, you should be able to filter this attack with ~500 servers,
> appropriately place. Say, because you don't know where the attack will
> come in, you need 4 times more the estimated number of servers, that's
> 2000 servers. That's not entirely unreasonable number for a large enough
> company.

Botnets were the topic at today's Info Security conference in New York 
City. Coincidences?  Or just as random as your iPod shuffle?

Jose Nazario estimated that there were 10,352 botnets active on the 
Internet earlier this year. You will probably always be outnumbered on
the public Internet.


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



10,352 active botnets (was Re: register.com down sev0?)

2006-10-25 Thread Sean Donelan


On Thu, 26 Oct 2006, [EMAIL PROTECTED] wrote:

> Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not
> heard of ddos larger that that number). Let's say, you can sink/filter
> 100kpps on each box (not unreasonable on higher-end box with nsd). That
> means, you should be able to filter this attack with ~500 servers,
> appropriately place. Say, because you don't know where the attack will
> come in, you need 4 times more the estimated number of servers, that's
> 2000 servers. That's not entirely unreasonable number for a large enough
> company.


Botnets were the topic at today's Info Security conference in New York 
City. Coincidences?  Or just as random as your iPod shuffle?


Jose Nazario estimated that there were 10,352 botnets active on the 
Internet earlier this year. You will probably always be outnumbered on
the public Internet.