Are botnets relevant to NANOG?

Michael.Dillon at
Fri May 26 13:25:41 UTC 2006

In recent discussions about botnets, some people maintained
that botnets (and viruses and worms) are really not a relevant
topic for NANOG discussion and are not something that we
should be worried about. I think that the CSI and FBI would 
disagree with that.

In a press release announcing the last CSI/FBI survey
the following statement appears:

Highlights of the 2005 Computer Crime and Security Survey include:

  - The total dollar amount of financial losses resulting from 
    security breaches is decreasing, with an average loss of 
    $204,000 per respondent, down 61 percent from last year's
    average loss of $526,000. 
  - Virus attacks continue as the source of the greatest 
    financial losses, accounting for 32 percent of the 
    overall losses reported. 
  - Unauthorized access showed a dramatic increase and 
    replaced denial of service as the second most significant 
    contributor to computer crime losses, accounting for 
    24 percent of overall reported losses, and showing 
    a significant increase in average dollar loss. 

So where do botnets come in? First of all, botnets are
used to distribute viruses, the largest source of 
financial losses. Second, botnets are built on what
the CSI calls "unauthorised access", the second largest
source of loss. And denial of service, which used to 
be the 2nd largest, is also something that botnets do.

Now NANOG members cannot change OS security, they can't
change corporate security practices, but they can have 
an impact on botnets because this is where the nefarious
activity meets the network.

Therefore, I conclude that discussions of botnets do 
belong on the NANOG list as long as the NANOG list is
not used as a primary venue for discussing them.

One thing that surveys, such as the CSI/FBI Security
Survey, cannot do well is to measure the impact of 
botnet researchers and the people who attempt to shut
down botnets. It's similar to the fight against terrorism.
I know that there have been 2 terrorist attacks on
London since 9/11 but I don't know HOW MANY ATTACKS
HAVE BEEN THWARTED. At least two have been publicised 
but there could be dozens more.

Cleaning up botnets is rather like fighting terrorism.
At the end, you have nothing to show for it. No news
coverage, no big heaps of praise. Most people aren't
sure there was ever a problem to begin with. That doesn't
mean that the work should stop or that network providers
should withhold their support for cleaning up the
botnet problem.

Michael Dillon
Capacity Management, 66 Prescot St., London, E1 8HG, UK
Mobile: +44 7900 823 672    Internet: michael.dillon at
Phone: +44 20 7650 9493    Fax: +44 20 7650 9030
One Community   One Connection   One Focus
