Are botnets relevant to NANOG?
wessorh at ar.com
Fri May 26 18:50:21 UTC 2006
The short answer is no.
The longer answer is that we haven't found a reliable way to identify
dynamic blocks. Should anyone point me to an authoritative source I'd be
happy to do the analysis and provide some graphs on how dynamic
addresses affect the numbers.
Also note that we are using TCP fingerprinting in our spamtraps and
expect to have some interesting results published in the August/Sept
time frame. We won't be able to say that a block is dynamic but we will
be able to better understand if we talk to the same spammer from
different IP addresses and how often those addresses change.
I believe that understanding our TCP fingerprinting of spam senders
might be more interesting and relevant to NANOG than how dynamic address
assignments discount the numbers I posted earlier.
John Kristoff wrote:
> On Fri, 26 May 2006 10:21:10 -0700
> Rick Wesson <wessorh at ar.com> wrote:
>> Let's see, should we be concerned? Here are a few interesting tables,
>> the cnt column is new IP addresses we have seen in the last 5 days.
> Hi Rick,
> What I'd be curious to know in the numbers being thrown around is if there
> has been any accounting of transient address usage. Since I'm spending
> an awful lot of time with DNS these days, I'll actually provide a cite
> related to that (and not simply suggest you just quote me :-). See
> sections 3.3.2 and 4.4 of the following:
> Availability, Usage and Deployment Characteristics of the Domain Name
> System, Internet Measurement Conference 2004, J. Pang, et al.
> At some point transient address pools are limited and presumably so
> are the possible numbers of new bots, particularly within netblocks.
> Is there any accounting for that? Shouldn't there be? What will the
> effect of doing that be on the numbers?