Are botnets relevant to NANOG?

Rick Wesson wessorh at
Fri May 26 18:50:21 UTC 2006


The short answer is no.

The longer answer is that we haven't found a reliable way to identify 
dynamic blocks. Should anyone point me to an authoritative source I'd be 
happy to do the analysis and provide some graphs on how dynamic 
addresses effect the numbers.

also note that we are using TCP fingerprinting in our spamtraps and 
expect to have some interesting results published in the august/sept 
time frame. We won't be able to say that a block is dynamic but we will 
be able to better understand if we talk to the same spammer from 
different ip addresses and how often those addresses change.

I believe that understanding our tcp fingerprinting of spam senders 
might be more interesting and relevant to NANOG than how dynamic address 
assignments discounts the numbers i posted earlier.


John Kristoff wrote:
> On Fri, 26 May 2006 10:21:10 -0700
> Rick Wesson <wessorh at> wrote:
>> lets see, should we be concerned? here are a few interesting tables,
>> the cnt column is new IP addresses we have seen in the last 5 days.
> Hi Rick,
> What I'd be curious to know in the numbers being thrown around if there
> has been any accounting of transient address usage.  Since I'm spending
> an awful lot of time with DNS these days, I'll actually provide a cite
> related to that (and not simply suggest you just quote me :-).  See
> sections 3.3.2 and 4.4 of the following:
>   Availability, Usage and Deployment Characteristics of the Domain Name
>   System, Internet Measurement Conference 2004, J. Pang, et. al
> At some point transient address pools are limited and presumably so
> are the possible numbers of new bots, particularly within netblocks.
> Is there any accounting for that?  Shouldn't there be?  What will the
> effect of doing that be on the numbers?
> John

More information about the NANOG mailing list