Are botnets relevant to NANOG?
peter at peter-dambier.de
Fri May 26 20:09:48 UTC 2006
John Kristoff wrote:
> On Fri, 26 May 2006 11:50:21 -0700
> Rick Wesson <wessorh at ar.com> wrote:
>>The longer answer is that we haven't found a reliable way to identify
>>dynamic blocks. Should anyone point me to an authoritative source I'd
>>be happy to do the analysis and provide some graphs on how dynamic
>>addresses affect the numbers.
> I don't know how effective the dynamic lists maintained by some in
> the anti-spamming community are, you'd probably know better than I,
> but that is one way as described in the paper. In the first section
> of the paper I cited they list three methods they used to try to
> capture stable IP addresses. Summarizing those:
> 1. reverse map the IP address and analyze the hostname
> 2. do same for nearby addresses and analyze character difference ratio
> 3. compare active probes of suspect app with icmp echo response
Tool to help you.
Try natnum from the IASON tools.
$ natnum echnaton.serveftp.com
You can feed natnum a hostname or an ip-address or even a long integer.
If you want to dump an address range use name2pl.
$ name2pl 18.104.22.168 8
Dumps you 8 ip-addresses starting from 22.214.171.124.
Without the 8 you will get 256
Sorry the sourceforge still gives me hiccups :)
Sorry will compile and run on UNIX, BSD, Linux, MAC OS-X only.
> None of these will be foolproof and the last one will probably only
> be good for cases where there is a service running where you'd
> rather there not be and you can test for it (e.g. open relays).
> There was at least one additional reference to related work in that
> paper, which leads to more still, but I'll let those interested
> do their own research on additional ideas for themselves.
>>also note that we are using TCP fingerprinting in our spamtraps and
>>expect to have some interesting results published in the august/sept
>>time frame. We won't be able to say that a block is dynamic but we
>>will be able to better understand if we talk to the same spammer from
>>different ip addresses and how often those addresses change.
> Will look forward to seeing more. Thanks,
Peter and Karin
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
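
The first two methods summarized in the quoted message (analyze the reverse-mapped hostname, then compare it with the names of nearby addresses), as an added example that is not part of the original post, the cited paper, or the IASON tools. The PTR data is constructed, and the keyword list, the threshold, and the reading of "character difference ratio" as 1 minus difflib's similarity over the leftmost label are assumptions.

```python
import ipaddress
import re
from difflib import SequenceMatcher

# Constructed PTR data: documentation address ranges, made-up hostnames.
PTR = {
    "192.0.2.16": "dyn-192-0-2-16.pool.example.net",
    "192.0.2.17": "dyn-192-0-2-17.pool.example.net",
    "192.0.2.18": "dyn-192-0-2-18.pool.example.net",
    "198.51.100.5": "mail.example.org",
    "198.51.100.6": "www.example.org",
    "198.51.100.7": "ns1.example.org",
    "203.0.113.9": "dsl-203-0-113-9.example.com",  # no neighbours known
}
KEYWORDS = {"dyn", "dhcp", "pool", "dsl", "ppp", "dial", "cable"}  # assumed list

def hostname_hint(ip, host):
    """Method 1: hostname embeds the low octets or a dynamic-pool keyword."""
    numbers = re.findall(r"\d+", host)
    words = set(re.split(r"[^a-z]+", host.lower()))
    return all(o in numbers for o in ip.split(".")[2:]) or bool(words & KEYWORDS)

def neighbour_difference(ip, ptr):
    """Method 2: mean difference ratio of the leftmost label vs. ip-1 and ip+1."""
    addr = ipaddress.ip_address(ip)
    own = ptr[ip].split(".")[0]
    diffs = []
    for step in (-1, 1):
        other = ptr.get(str(addr + step))
        if other:
            similarity = SequenceMatcher(None, own, other.split(".")[0]).ratio()
            diffs.append(1 - similarity)
    return sum(diffs) / len(diffs) if diffs else None

def classify(ip, ptr, threshold=0.25):  # threshold is an assumed cut-off
    diff = neighbour_difference(ip, ptr)
    if diff is None:
        return "unknown"  # a single name is not enough evidence
    if hostname_hint(ip, ptr[ip]) and diff < threshold:
        return "likely-dynamic"
    return "likely-static"

if __name__ == "__main__":
    for ip in PTR:
        print(ip, classify(ip, PTR))
```

In practice the PTR dictionary would be filled from reverse lookups of the block under study; as the quoted message says, none of these heuristics is foolproof.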