Re: Are botnets relevant to NANOG?

2006-05-30 Thread Michael . Dillon

 for this community would trend analysis with the best of who is getting 
 better and the worst of who is getting worse and some baseline counts be 
 enough for this group to understand if the problem is getting better.

Your 5-day numbers were very reminiscent of the
weekly CIDR report. I think that if you clean it
up for weekly submission then that would be 
useful to some. 

For instance, you only published data for two
categories of ASN. Where is the tier-1 data?
And numbers should cover a 7-day period, not
5 days. In addition, for each category you should
provide a fixed cutoff. The CIDR report shows
the top 30 ASNs. 

I think that the ideal would be a table 
including ASN category as one column and showing
the top 50 ASNs. In addition, you should attempt
to separate the dynamic addresses by some means 
or other and either add that as a separate column
or else do a separate table. Since this would
be posted weekly over a long period of time, it
is best to put some thought into how to structure
it so it remains relevant. 

Also, provide a URL where researchers can download
more complete datasets, not just top 50.

 I am suggesting that NANOG is an appropriate forum to publish general 
 stats on who the problem is getting better/worse for and possibly why 
 things got better/worse.

I think few people will complain about a weekly
posting of this nature.

--Michael Dillon




Re: Are botnets relevant to NANOG?

2006-05-30 Thread Michael . Dillon

 The motive is unclear because attacking,
 for example, root servers, is an effort without some obvious economic
 incentive

Since when is advertising NOT a sign of
an obvious economic incentive?

 The DA report went through a large thread(s) to post statistics here
 and I'm not sure why yours will be any better, or, just another set
 of statistics which further de-sensitizes everyone to the problem. 

Stats by themselves can be boring. But making data
available regularly and publicly will inevitably
lead to some people doing analyses of this data and
presenting those analyses to NANOG meetings. This will
lead to wider understanding of what is going on and
will provide raw material for getting management support
for actions to solve the problem.

--Michael Dillon



Re: Are botnets relevant to NANOG?

2006-05-30 Thread Valdis . Kletnieks
On Tue, 30 May 2006 10:02:37 BST, [EMAIL PROTECTED] said:

 For instance, you only published data for two
 categories of ASN. Where is the tier-1 data?

I suspect that tier-1 botnet data isn't at all interesting, because
in general, tier-1 providers have almost no address space containing
the sort of machines that end up in botnets.  For instance, look at AS701

http://www.cidr-report.org/cgi-bin/as-report?as=AS701&view=4637

Lots of /24's, but even if you add it all up, barely a single /9 if
that much *total*.  And I bet most of those /24's just have a handful
of routers on them.

 And numbers should cover a 7-day period, not
 5 days. In addition, for each category you should
 provide a fixed cutoff. The CIDR report shows
 the top 30 ASNs. 

If we're playing the shame game the way the CIDR report is, an
interesting metric might be bots divided by announced address space
(so for instance AS1312 would have its 6 or 10 bots(*) divided by its
2 /16s).  I wonder if the numbers for consumer broadband versus
universities will look significantly different when done that way.

(*) Yes, our AS isn't perfectly clean.  We've got a resnet in our
address space, where the best we can do is provide user education and
play whack-a-mole as we find them.


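The per-address-space metric Valdis describes, worked through in Python as an added example (not code from the thread or from any of the reports mentioned): an AS's announcements are collapsed first so that a /24 announced inside a /16 is not counted twice, and the bot count is then normalised to a /16 of announced space. The AS numbers, prefixes and bot counts are constructed sample data.

```python
import ipaddress

# Constructed sample table, not data from the thread.  The AS numbers are
# from the private range and the prefixes are RFC 1918 space, so nothing
# here names a real network.
SAMPLE = {
    # two /16s, one of them also announced as a couple of more-specific /24s
    "AS64500": {"bots": 8, "prefixes": ["10.1.0.0/16", "10.2.0.0/16",
                                        "10.1.5.0/24", "10.1.6.0/24"]},
    # one small /22 with three bots in it
    "AS64501": {"bots": 3, "prefixes": ["10.9.0.0/22"]},
    # many scattered /24s, roughly what a transit-heavy AS looks like
    "AS64502": {"bots": 2, "prefixes": [f"10.20.{i}.0/24" for i in range(40)]},
}

def announced_addresses(prefixes):
    """Number of distinct IPv4 addresses covered by a set of announcements.
    Overlapping and more-specific prefixes are collapsed first, so a /24
    announced inside a /16 adds nothing to the total."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

def bots_per_slash16(bots, prefixes):
    """Bot count normalised to one /16 (65536 addresses) of announced space.
    Returns None when the AS announces nothing, rather than dividing by zero."""
    total = announced_addresses(prefixes)
    if total == 0:
        return None
    return bots * 65536 / total

def ranked(table):
    """Rows of (asn, bots, announced addresses, bots per /16), densest first."""
    rows = []
    for asn, rec in table.items():
        rows.append((asn, rec["bots"],
                     announced_addresses(rec["prefixes"]),
                     bots_per_slash16(rec["bots"], rec["prefixes"])))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    # Raw counts would put AS64500 on top; per announced /16 it comes last.
    print(f"{'asn':8} {'bots':>5} {'addrs':>8} {'bots//16':>9}")
    for asn, bots, addrs, dens in ranked(SAMPLE):
        print(f"{asn:8} {bots:5d} {addrs:8d} {dens:9.2f}")
```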


Re: Are botnets relevant to NANOG?

2006-05-30 Thread Sean Donelan

On Fri, 26 May 2006, Gadi Evron wrote:
 I honestly want to know why a precise number matters? It will only be
 higher than our facts based upon our different observation points.

http://www.nytimes.com/2006/05/30/us/30identity.html
  Credit card companies point to new monitoring systems that have reduced
  loss from fraud as a percentage of overall transaction volume. At Visa,
  fraud accounted for 7 cents per $100 in transactions, down from 18 cents
  per $100 in 1990. "We could have a system reducing fraud to zero basis
  points, but it wouldn't meet what consumers are demanding," said Rosetta
  Jones, a Visa spokeswoman. "We need to deliver what consumers want in a
  way that is secure."

Zero is probably a bit too optimistic, but the idea is the same.


Re: Are botnets relevant to NANOG?

2006-05-26 Thread Peter Dambier


[EMAIL PROTECTED] wrote:

In recent discussions about botnets, some people maintained
that botnets (and viruses and worms) are really not a relevant
topic for NANOG discussion and are not something that we
should be worried about. I think that the CSI and FBI would 
disagree with that.




Some people need whatever bandwidth they can get for ranting.
Of course routing reports, virus reports and botnet bgp statistics
take away a lot of valuable bandwidth that could otherwise be used
for nagging. On the other hand without Gadi's howling for the
wolves those wolves might be a lost species and without the wolves
all the nagging and ranting would be less fun.



Now NANOG members cannot change OS security, they can't
change corporate security practices, but they can have 
an impact on botnets because this is where the nefarious
activity meets the network.



They can. All you have to do is look for free software and
join the developers or the testers or report whatever you
have found out.

When working for Exodus and GLC I have seen I could change
security practices. I was working in London, Munich and
Frankfurt NOCs.

Sorry I did not know about NANOG at that time. It would have
made my life a lot more interesting.

Therefore, I conclude that discussions of botnets do 
belong on the NANOG list as long as the NANOG list is
not used as a primary venue for discussing them.



Botnets are networks. We should have the network operators
on the NANOG list. (I am afraid we do already have them :)


One thing that surveys, such as the CSI/FBI Security
Survey, cannot do well is to measure the impact of 
botnet researchers and the people who attempt to shut
down botnets. It's similar to the fight against terrorism.
I know that there have been 2 terrorist attacks on
London since 9/11 but I don't know HOW MANY ATTACKS
HAVE BEEN THWARTED. At least two have been publicised 
but there could be dozens more.


Cleaning up botnets is rather like fighting terrorism.
At the end, you have nothing to show for it. No news
coverage, no big heaps of praise. Most people aren't
sure there was ever a problem to begin with. That doesn't
mean that the work should stop or that network providers
should withhold their support for cleaning up the
botnet problem.



Maybe it is high time for a transparent frog. Invisible
for secure systems but as soon as one of the bots tries
to infect it, it will ...

In case you are not Gadi or working for Gadi, feel free
to ignore the transparent frog. I have never met one :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



Re: Are botnets relevant to NANOG?

2006-05-26 Thread Rick Wesson




Some people need whatever bandwidth they can get for ranting.
Of course routing reports, virus reports and botnet bgp statistics
take away a lot of valuable bandwidth that could otherwise be used
for nagging. On the other hand without Gadi's howling for the
wolves those wolves might be lost species and without the wolves
all the nagging and ranting would make less fun.


Let's see, should we be concerned? Here are a few interesting tables; the 
cnt column is new IP addresses we have seen in the last 5 days. The 
first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper 
[1]. The second table is Universities. The ASNs concerned are just those 
announced by orgs in the USA, so as to imply that they should be on NANOG.


Let me say it again: the counts are NEW observations in the last 5 days. 
Also note I'm not Gadi, and I've got much more data on everyone's networks.


-rick


New compromised unique IP addresses (last 5 days) Tier-2 ASN
+-------+------------------------------------+-------+
| asnum | asname                             | cnt   |
+-------+------------------------------------+-------+
| 19262 | Verizon Internet Services          | 35790 |
| 20115 | Charter Communications             |  4453 |
|  8584 | Barak AS                           |  3930 |
|  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
| 12271 | Road Runner                        |  2485 |
| 22291 | Charter Communications             |  2039 |
|  8113 | VRIS Verizon Internet Services     |  1664 |
|  6197 | BellSouth Network Solutions, Inc   |  1634 |
|  6198 | BellSouth Network Solutions, Inc   |  1531 |
|  9325 | XTRA-AS Telecom XTRA, Auckland     |  1415 |
| 11351 | Road Runner                        |  1415 |
|  6140 | ImpSat                             |  1051 |
|  7021 | Verizon Internet Services          |   961 |
|  6350 | Verizon Internet Services          |   945 |
| 19444 | CHARTER COMMUNICATIONS             |   845 |
+-------+------------------------------------+-------+

Universities, new unique IP addresses, last 5 days
+-------+--------------------------------+-----+
| asnum | left(asname,30)                | cnt |
+-------+--------------------------------+-----+
|    14 | Columbia University            |  93 |
|     3 | MIT-2 Massachusetts Institute  |  45 |
|    73 | University of Washington       |  25 |
|  7925 | West Virginia Network for Educ |  24 |
|  4385 | RIT-3 Rochester Institute of T |  20 |
| 23369 | SCOE-5 Sonoma County Office of |  19 |
|  5078 | Oklahoma Network for Education |  18 |
|  3388 | UNM University of New Mexico   |  18 |
|    55 | University of Pennsylvania     |  13 |
|   159 | The Ohio State University      |  12 |
|   104 | University of Colorado at Boul |  12 |
|  4265 | CERFN California Education and |  11 |
|   693 | University of Notre Dame       |  10 |
|  2900 | Arizona Tri University Network |   9 |
|  2637 | Georgia Institute of Technolog |   9 |
+-------+--------------------------------+-----+



[1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/


Re: Are botnets relevant to NANOG?

2006-05-26 Thread Fergie

I think the numbers speak for themselves.

- ferg



-- Rick Wesson [EMAIL PROTECTED] wrote:





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Are botnets relevant to NANOG?

2006-05-26 Thread John Kristoff

On Fri, 26 May 2006 10:21:10 -0700
Rick Wesson [EMAIL PROTECTED] wrote:

 lets see, should we be concerned? here are a few interesting tables,
 the cnt column is new IP addresses we have seen in the last 5 days.

Hi Rick,

What I'd be curious to know about the numbers being thrown around is
whether there has been any accounting of transient address usage.  Since
I'm spending an awful lot of time with DNS these days, I'll actually
provide a cite related to that (and not simply suggest you just quote
me :-).  See sections 3.3.2 and 4.4 of the following:

  Availability, Usage and Deployment Characteristics of the Domain Name
  System, Internet Measurement Conference 2004, J. Pang, et al.

At some point transient address pools are limited and presumably so
are the possible numbers of new bots, particularly within netblocks.
Is there any accounting for that?  Shouldn't there be?  What will the
effect of doing that be on the numbers?

John


Re: Are botnets relevant to NANOG?

2006-05-26 Thread Rick Wesson


John,

The short answer is no.

The longer answer is that we haven't found a reliable way to identify 
dynamic blocks. Should anyone point me to an authoritative source I'd be 
happy to do the analysis and provide some graphs on how dynamic 
addresses affect the numbers.


Also note that we are using TCP fingerprinting in our spamtraps and 
expect to have some interesting results published in the August/September 
time frame. We won't be able to say that a block is dynamic but we will 
be able to better understand if we talk to the same spammer from 
different IP addresses and how often those addresses change.


I believe that understanding our TCP fingerprinting of spam senders 
might be more interesting and relevant to NANOG than how dynamic address 
assignments discount the numbers I posted earlier.




-rick




Re: Are botnets relevant to NANOG?

2006-05-26 Thread John Kristoff

On Fri, 26 May 2006 11:50:21 -0700
Rick Wesson [EMAIL PROTECTED] wrote:

 The longer answer is that we haven't found a reliable way to identify 
 dynamic blocks. Should anyone point me to an authoritative source I'd
 be happy to do the analysis and provide some graphs on how dynamic 
 addresses affect the numbers.

I don't know how effective the dynamic lists maintained by some in
the anti-spamming community are, you'd probably know better than I,
but that is one way as described in the paper.  In the first section
of the paper I cited they list three methods they used to try to
capture stable IP addresses.  Summarizing those:

  1. reverse map the IP address and analyze the hostname
  2. do same for nearby addresses and analyze character difference ratio
  3. compare active probes of suspect app with icmp echo response

None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where you'd
rather there not be and you can test for it (e.g. open relays).

There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested
do their own research on additional ideas for themselves.

 also note that we are using TCP fingerprinting in our spamtraps and 
 expect to have some interesting results published in the august/sept 
 time frame. We won't be able to say that a block is dynamic but we
 will be able to better understand if we talk to the same spammer from 
 different ip addresses and how often those addresses change.

Will look forward to seeing more.  Thanks,

John
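The first two of the three methods John summarises, as an added example in Python (not code from the paper or from anyone in the thread): a reverse name that embeds its own address in hex or decimal, or that is nearly identical to the name of the neighbouring address, is a hint of a dynamic pool, and a tally over observed addresses shows how much of a raw count sits in such space. The PTR table is constructed so the example runs offline (the two t-dialin.net names are the ones natnum prints later in the thread, the example.net names are invented); the token list, the 0.1 threshold and the simplified character difference ratio are my assumptions, not the paper's definitions.

```python
import ipaddress
import re

# Constructed PTR table standing in for reverse DNS so the example runs
# offline.  The t-dialin.net names come from the natnum output in this
# thread; the example.net names are invented.
PTR = {
    "84.167.246.104": "p54A7F668.dip.t-dialin.net",
    "84.167.246.105": "p54A7F669.dip.t-dialin.net",
    "198.51.100.10": "mail.example.net",
    "198.51.100.11": "www.example.net",
    "203.0.113.77": "203-0-113-77.pool.example.net",
}

# Labels providers often put in dynamic-pool names (assumption, not from the paper).
DYNAMIC_TOKENS = ("dip", "dyn", "dynamic", "dhcp", "ppp", "pool", "dial", "dsl", "cable")

def ip_encodings(ip):
    """Textual forms of an IPv4 address that a PTR name might embed."""
    octets = [int(o) for o in ip.split(".")]
    return {
        "".join(f"{o:02x}" for o in octets),          # 84.167.246.104 -> 54a7f668
        "-".join(str(o) for o in octets),             # 84-167-246-104
        ".".join(str(o) for o in octets),             # 84.167.246.104
        "-".join(str(o) for o in reversed(octets)),   # 104-246-167-84
    }

def embeds_address(ip, hostname):
    """Method 1: the reverse name encodes the address itself."""
    host = hostname.lower()
    return any(enc in host for enc in ip_encodings(ip))

def has_dynamic_token(hostname):
    """Method 1, second part: some label in the name marks a dynamic pool."""
    return any(lbl in DYNAMIC_TOKENS for lbl in re.split(r"[.-]", hostname.lower()))

def char_difference_ratio(a, b):
    """Method 2 (simplified stand-in for the paper's definition): the share
    of character positions that differ between two equal-length names.
    Returns None when the lengths differ, since template-generated names
    of one pool are normally the same length."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a.lower(), b.lower())) / len(a)

def neighbour(ip, delta=1):
    """The adjacent address, whose PTR name is compared against ours."""
    return str(ipaddress.IPv4Address(ip) + delta)

def classify(ip, ptr=PTR, threshold=0.1):
    """'likely-dynamic', 'likely-static' or 'unknown' for one address."""
    name = ptr.get(ip)
    if name is None:
        return "unknown"
    if embeds_address(ip, name) or has_dynamic_token(name):
        return "likely-dynamic"
    nb = ptr.get(neighbour(ip))
    if nb is not None:
        ratio = char_difference_ratio(name, nb)
        if ratio is not None and ratio <= threshold:
            return "likely-dynamic"
    return "likely-static"

def tally(ips, ptr=PTR):
    """Split observed addresses into the three classes, so a raw bot count
    can be reported next to the share that sits in dynamic space."""
    counts = {"likely-dynamic": 0, "likely-static": 0, "unknown": 0}
    for ip in ips:
        counts[classify(ip, ptr)] += 1
    return counts

if __name__ == "__main__":
    for ip in PTR:
        print(f"{ip:16} {PTR[ip]:32} {classify(ip)}")
    print(tally(list(PTR)))
```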


Re: Are botnets relevant to NANOG?

2006-05-26 Thread Peter Dambier


John Kristoff wrote:

On Fri, 26 May 2006 11:50:21 -0700
Rick Wesson [EMAIL PROTECTED] wrote:


The longer answer is that we haven't found a reliable way to identify 
dynamic blocks. Should anyone point me to an authoritative source I'd
be happy to do the analysis and provide some graphs on how dynamic 
addresses affect the numbers.



I don't know how effective the dynamic lists maintained by some in
the anti-spamming community are, you'd probably know better than I,
but that is one way as described in the paper.  In the first section
of the paper I cited they list three methods they used to try to
capture stable IP addresses.  Summarizing those:

  1. reverse map the IP address and analyze the hostname
  2. do same for nearby addresses and analyze character difference ratio
  3. compare active probes of suspect app with icmp echo response


A tool to help you:
Try natnum from the IASON tools.

 $ natnum echnaton.serveftp.com

host_look(84.167.246.104,echnaton.serveftp.com,1420293736).
host_name(84.167.246.104,p54A7F668.dip.t-dialin.net).

You can feed natnum a hostname or an IP address or even a long integer.

If you want to dump an address range use name2pl.

 $ name2pl 84.167.246.100 8

host_name(84.167.246.100,p54A7F664.dip.t-dialin.net).
host_name(84.167.246.101,p54A7F665.dip.t-dialin.net).
...
host_name(84.167.246.106,p54A7F66A.dip.t-dialin.net).
host_name(84.167.246.107,p54A7F66B.dip.t-dialin.net).

This dumps 8 IP addresses starting from 84.167.246.100.
Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry, the sourceforge still gives me hiccups :)
Sorry, it will compile and run on UNIX, BSD, Linux, MAC OS-X only.



None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where you'd
rather there not be and you can test for it (e.g. open relays).

There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested
do their own research on additional ideas for themselves.


also note that we are using TCP fingerprinting in our spamtraps and 
expect to have some interesting results published in the august/sept 
time frame. We won't be able to say that a block is dynamic but we
will be able to better understand if we talk to the same spammer from 
different ip addresses and how often those addresses change.



Will look forward to seeing more.  Thanks,

John


Kind regards
Peter and Karin




Re: Are botnets relevant to NANOG?

2006-05-26 Thread Sean Donelan

On Fri, 26 May 2006, John Kristoff wrote:
 What I'd be curious to know in the numbers being thrown around if there
 has been any accounting of transient address usage.  Since I'm spending

I worked with Adlex to update their software to identify and track dynamic
addresses associated with subscriber RADIUS information.  At the time,
Adlex (now CompuWare) was the only off-the-shelf software that matched
unique subscriber RADIUS instead of just IP address. It is behavior based,
so not absolutely 100% accurate, but it is useful for long term trending
bot-like unique subscribers instead of dynamic IP addresses.  I presented
some public numbers at an NSP-SEC BOF.  There is a large difference
between the number of unique subscribers versus the number of dynamic IP
addresses detected by various public detectors.

http://www.compuware.com/products/vantage/4920_ENG_HTML.htm



Re: Are botnets relevant to NANOG?

2006-05-26 Thread Peter Dambier


Sean Donelan wrote:

On Fri, 26 May 2006, John Kristoff wrote:


What I'd be curious to know in the numbers being thrown around if there
has been any accounting of transient address usage.  Since I'm spending



I worked with Adlex to update their software to identify and track dynamic
addresses associated with subscriber RADIUS information.  At the time,
Adlex (now CompuWare) was the only off-the-shelf software that matched
unique subscriber RADIUS instead of just IP address. It is behavior based,
so not absolutely 100% accurate, but it is useful for long term trending
bot-like unique subscribers instead of dynamic IP addresses.  I presented
some public numbers at an NSP-SEC BOF.  There is a large difference
between the number of unique subscribers versus the number of dynamic IP
addresses detected by various public detectors.

http://www.compuware.com/products/vantage/4920_ENG_HTML.htm


Just an afterthought: traceroute and take the final router. I guess for
aDSL home users you will find some 8 or 11 routers in Germany. My final
router never changes. Of course more than one bad guy can hide
behind that router.

Kind regards
Peter and Karin




Re: Are botnets relevant to NANOG?

2006-05-26 Thread Fergie

Not effective against botnets.

Think of it this way, thousands of compromised hosts (zombies),
distributed to the four corners of the Internet, hundreds (if
not thousands) of AS's -- all receiving their instructions via
IRC from a C&C server somewhere, that probably also may change
due to dynamic DNS, or pump-and-dump domain registrations, or
any other various ways to continually move the C&C.

Simply going after (what may _seem_to_be_) the last-hop router
is like swinging a stick after a piñata that you can't actually
reach when you are blind-folded. :-)

- ferg


-- Peter Dambier [EMAIL PROTECTED] wrote:

Just an afterthought, traceroute and take the final router. I guess for
aDSL home users you will find some 8 or 11 routers in germany. My final
router never changes. Of course there can hide more than one bad guy
behind that router.

[snip]





Re: Are botnets relevant to NANOG?

2006-05-26 Thread Rick Wesson


for this community would trend analysis with the best of who is getting 
better and the worst of who is getting worse and some baseline counts be 
enough for this group to understand if the problem is getting better.


I am suggesting that NANOG is an appropriate forum to publish general 
stats on who the problem is getting better/worse for and possibly why 
things got better/worse.


I'd like to see a general head nod that there is a problem and develop 
some stats so we can understand if it is getting better or worse.




-rick







Re: Are botnets relevant to NANOG?

2006-05-26 Thread Martin Hannigan


At 07:09 PM 5/26/2006, Rick Wesson wrote:

for this community would trend analysis with the best of who is 
getting better and the worst of who is getting worse and some 
baseline counts be enough for this group to understand if the 
problem is getting better.


I am suggesting that NANOG is an appropriate forum to publish 
general stats on who the problem is getting better/worse for and 
possibly why things got better/worse.


I'd like to see a general head nod that there is a problem and 
develop some stats so we can understand if it is getting better or worse.





We all know there is a problem. Botnets/zombies/et al. are the
number one threat to the infrastructure and the attacks may be deliberate or
they may be a distraction. The motive is unclear because attacking,
for example, root servers, is an effort without some obvious economic
incentive, at least that I can see. It doesn't make a lot of sense because
the conventional wisdom before the open recursive attacks was that
it was in the miscreants' best interest to not attack infrastructure
so that it could facilitate their reachable goals.

The DA report went through a large thread(s) to post statistics here
and I'm not sure why yours will be any better, or, just another set
of statistics which further de-sensitizes everyone to the problem. I
mean, it looks like, all of a sudden, the DNS community has a big
problem with these open recursive attacks, ran off privately, and
have now determined that it's a feature, not a bug, and well, heck,
operators are now responsible. I am not saying that is the answer, but
I am saying I am reading the OARC comments and this is sort of what
it feels like. As much as Gadi seems to appropriate others' credit,
he and Randy Vaughn have been doing this work for some time and
deserve some credit, so I'd say have you spoken to them about how
to make their report better yet instead of creating more.


-M








--
Martin Hannigan                                (c) 617-388-2663
Renesys Corporation                            (w) 617-395-8574
Member of Technical Staff  Network Operations
                                               [EMAIL PROTECTED]



Re: Are botnets relevant to NANOG?

2006-05-26 Thread Rick Wesson



 I am saying I am reading the OARC comments and this is sort of what
 it feels like. As much as Gadi seems to appropriate others' credit,
 he and Randy Vaughn have been doing this work for some time and
 deserve some credit, so I'd say have you spoken to them about how
 to make their report better yet instead of creating more.


Yes, we have worked with Gadi and Randy Vaughn; in fact Randy helped me 
out today; thanks Randy!


There is a difference in how Randy/Gadi collect data and how we collect 
data. The stuff we publish is from numerous DNS based realtime 
blacklists and spam traps we run. Other folks black-hole botnets and 
capture data.


We both come up with a dataset that overlaps but we don't yet know by 
how much. So our data is another view using a different methodology and 
isn't supposed to be better but confirming of where the problem is and 
estimates of its magnitude.



-rick




Re: Are botnets relevant to NANOG?

2006-05-26 Thread Gadi Evron

[top-posting]

Time differentials, time-limiting, proxies and NATs, dynamic addresses,
different malware, different OS, etc. are all things taken into account. At
some point you just need to have a best guess.

When the situation was by far less horrible, the numbers still didn't
matter.

Wasn't it your countrymen who said why should you need to be able to
destroy the world a thousand times over when once is more than enough? I
think 3 times for redundancy sounds like fun.

The numbers are for years now not relevant. I often count active groups,
active attacks per time-frame, money made/lost and number of user IDs
compromised / sites targeted.

Gadi.




Re: Are botnets relevant to NANOG?

2006-05-26 Thread Gadi Evron

On Fri, 26 May 2006, Peter Dambier wrote:
 
 Sean Donelan wrote:
  On Fri, 26 May 2006, John Kristoff wrote:
  
 What I'd be curious to know in the numbers being thrown around if there
 has been any accounting of transient address usage.  Since I'm spending
  
  
  I worked with Adlex to update their software to identify and track dynamic
  addresses associated with subscriber RADIUS information.  At the time,
  Adlex (now CompuWare) was the only off-the-shelf software that matched
  unique subscriber RADIUS instead of just IP address. It is behavior based,
  so not absolutely 100% accurate, but it is useful for long term trending
  bot-like unique subscribers instead of dynamic IP addresses.  I presented
  some public numbers at an NSP-SEC BOF.  There is a large difference
  between the number of unique subscribers versus the number of dynamic IP
  addresses detected by various public detectors.
  
  http://www.compuware.com/products/vantage/4920_ENG_HTML.htm
 
 Just an afterthought, traceroute and take the final router. I guess for
 aDSL home users you will find some 8 or 11 routers in germany. My final
 router never changes. Of course there can hide more than one bad guy
 behind that router.

Actually, some anti-spam veterans keep lists of dynamic blocks as negative
scoring marks in their filters. I still believe that even ignoring those
the numbers are still too high.

I honestly want to know why a precise number matters? It will only be
higher than our facts based upon our different observation points.

Gadi.

 



Re: Are botnets relevant to NANOG?

2006-05-26 Thread Gadi Evron

On Fri, 26 May 2006, Rick Wesson wrote:
 
  I am saying I am reading the OARC comments and this is sort of what
  it feels like. As much as Gadi seems to appropriate others' credit,
  he and Randy Vaughn have been doing this work for some time and
  deserve some credit, so I'd say have you spoken to them about how
  to make their report better yet instead of creating more.
 
 Yes, we have worked with Gadi and Randy Vaughn; in fact Randy helped me 
 out today; thanks Randy!
 
 There is a difference in how Randy/Gadi collect data and how we collect 
 data. The stuff we publish is from numerous DNS based realtime 
 blacklists and spam traps we run. Other folks black-hole botnets and 
 capture data.
 
 We both come up with a dataset that overlaps but we don't yet know by 
 how much. So our data is another view using a different methodology and 
 isn't supposed to be better but confirming of where the problem is and 
 estimates of its magnitude.

The more we know, the better. I believe the time for action has come and
gone, but I was not born a pessimist. :)

If the first step is to de-classify what's public so that people are
aware of what's going on, I say bring it on.

Great work, Rick. Beer is on me this defcon.

Gadi.
 
 