North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Are botnets relevant to NANOG?

  • From: Rick Wesson
  • Date: Fri May 26 14:50:58 2006


John,

The short answer is no.

The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses effect the numbers.

also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.

I believe that understanding our tcp fingerprinting of spam senders might be more interesting and relevant to NANOG than how dynamic address assignments discounts the numbers i posted earlier.



-rick

John Kristoff wrote:
On Fri, 26 May 2006 10:21:10 -0700
Rick Wesson <wessorh@ar.com> wrote:

lets see, should we be concerned? here are a few interesting tables,
the cnt column is new IP addresses we have seen in the last 5 days.
Hi Rick,

What I'd be curious to know in the numbers being thrown around if there
has been any accounting of transient address usage.  Since I'm spending
an awful lot of time with DNS these days, I'll actually provide a cite
related to that (and not simply suggest you just quote me :-).  See
sections 3.3.2 and 4.4 of the following:

  Availability, Usage and Deployment Characteristics of the Domain Name
  System, Internet Measurement Conference 2004, J. Pang, et. al

At some point transient address pools are limited and presumably so
are the possible numbers of new bots, particularly within netblocks.
Is there any accounting for that?  Shouldn't there be?  What will the
effect of doing that be on the numbers?

John