Are botnets relevant to NANOG?

Peter Dambier peter at peter-dambier.de
Fri May 26 20:09:48 UTC 2006


John Kristoff wrote:
> On Fri, 26 May 2006 11:50:21 -0700
> Rick Wesson <wessorh at ar.com> wrote:
> 
> 
>>The longer answer is that we haven't found a reliable way to identify 
>>dynamic blocks. Should anyone point me to an authoritative source I'd
>>be happy to do the analysis and provide some graphs on how dynamic 
>>addresses affect the numbers.
> 
> 
> I don't know how effective the dynamic lists maintained by some in
> the anti-spamming community are, you'd probably know better than I,
> but that is one way as described in the paper.  In the first section
> of the paper I cited they list three methods they used to try to
> capture stable IP addresses.  Summarizing those:
> 
>   1. reverse map the IP address and analyze the hostname
>   2. do same for nearby addresses and analyze character difference ratio
>   3. compare active probes of suspect app with icmp echo response

A tool to help you.
Try natnum from the IASON tools.

  $ natnum echnaton.serveftp.com

host_look("84.167.246.104","echnaton.serveftp.com","1420293736").
host_name("84.167.246.104","p54A7F668.dip.t-dialin.net").

You can feed natnum a hostname or an ip-address or even a long integer.

If you want to dump an address range use name2pl.

  $ name2pl 84.167.246.100 8

host_name("84.167.246.100","p54A7F664.dip.t-dialin.net").
host_name("84.167.246.101","p54A7F665.dip.t-dialin.net").
...
host_name("84.167.246.106","p54A7F66A.dip.t-dialin.net").
host_name("84.167.246.107","p54A7F66B.dip.t-dialin.net").

This dumps 8 ip-addresses starting from 84.167.246.100.
Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry, the sourceforge still gives me hiccups :)
Sorry, it will compile and run on UNIX, BSD, Linux, MAC OS-X only.

> 
> None of these will be foolproof and the last one will probably only
> be good for cases where there is a service running where you'd
> rather there not be and you can test for it (e.g. open relays).
> 
> There was at least one additional reference to related work in that
> paper, which leads to more still, but I'll let those interested
> do their own research on additional ideas for themselves.
> 
> 
>>also note that we are using TCP fingerprinting in our spamtraps and 
>>expect to have some interesting results published in the august/sept 
>>time frame. We won't be able to say that a block is dynamic but we
>>will be able to better understand if we talk to the same spammer from 
>>different ip addresses and how often those addresses change.
> 
> 
> Will look forward to seeing more.  Thanks,
> 
> John

Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
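The two hostname-based heuristics John summarizes above (reverse-map the address and inspect the name; compare the names of neighbouring addresses by how many characters differ) applied to PTR data of the shape name2pl prints, as an added Python example that is not part of this post or of the IASON tools. The sample records, the contrast block and the decision thresholds are constructed for illustration, not taken from the cited paper.

```python
import ipaddress

# Constructed sample PTR data modelled on the name2pl output quoted in the
# thread (hex-encoded address in each label); not from a live lookup.
DYNAMIC_BLOCK = {
    "84.167.246.100": "p54A7F664.dip.t-dialin.net",
    "84.167.246.101": "p54A7F665.dip.t-dialin.net",
    "84.167.246.102": "p54A7F666.dip.t-dialin.net",
    "84.167.246.103": "p54A7F667.dip.t-dialin.net",
}
# Constructed contrast block with hand-assigned, static-looking names.
STATIC_BLOCK = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.11": "www.example.org",
    "192.0.2.12": "ns1.example.org",
    "192.0.2.13": "vpn-gw.example.org",
}


def embeds_address(ip: str, hostname: str) -> bool:
    """Method 1: true if the PTR name encodes the address itself, as dotted
    or dashed decimal octets or as the 8-hex-digit form many ISPs use."""
    octets = ip.split(".")
    hexform = f"{int(ipaddress.IPv4Address(ip)):08x}"
    h = hostname.lower()
    return "-".join(octets) in h or ".".join(octets) in h or hexform in h


def neighbour_difference_ratio(names: list) -> float:
    """Method 2: mean fraction of character positions that differ between the
    PTR names of consecutive addresses. Templated (dynamic) names differ in a
    few characters; hand-assigned names differ almost everywhere."""
    diffs = []
    for a, b in zip(names, names[1:]):
        width = max(len(a), len(b))
        changed = sum(1 for i in range(width)
                      if i >= len(a) or i >= len(b) or a[i] != b[i])
        diffs.append(changed / width)
    return sum(diffs) / len(diffs) if diffs else 1.0


def classify_block(ptr: dict) -> dict:
    """Combine both heuristics over a block of neighbouring addresses.
    Addresses without a PTR record (None) are skipped, not counted as static."""
    resolved = {ip: name for ip, name in ptr.items() if name}
    if not resolved:
        return {"embedded": 0.0, "difference": 1.0, "dynamic": False}
    embedded = sum(embeds_address(ip, n) for ip, n in resolved.items()) / len(resolved)
    ordered = [resolved[ip] for ip in sorted(resolved, key=ipaddress.IPv4Address)]
    difference = neighbour_difference_ratio(ordered)
    # Thresholds are assumptions for illustration, not values from the paper.
    return {"embedded": embedded, "difference": difference,
            "dynamic": embedded >= 0.5 or difference < 0.15}
```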