Are botnets relevant to NANOG?

Gadi Evron ge at linuxbox.org
Sat May 27 02:06:55 UTC 2006


On Fri, 26 May 2006, Peter Dambier wrote:
> 
> Sean Donelan wrote:
> > On Fri, 26 May 2006, John Kristoff wrote:
> > 
> >>What I'd be curious to know in the numbers being thrown around if there
> >>has been any accounting of transient address usage.  Since I'm spending
> > 
> > 
> > I worked with Adlex to update their software to identify and track dynamic
> > addresses associated with subscriber RADIUS information.  At the time,
> > Adlex (now CompuWare) was the only off-the-shelf software that matched
> > unique subscriber RADIUS instead of just IP address. It is behavior based,
> > so not absolutely 100% accurate, but it is useful for long term trending
> > "bot-like" unique subscribers instead of dynamic IP addresses.  I presented
> > some public numbers at an NSP-SEC BOF.  There is a large difference
> > between the number of unique subscribers versus the number of dynamic IP
> > addresses detected by various public detectors.
> > 
> > http://www.compuware.com/products/vantage/4920_ENG_HTML.htm
> 
> Just an afterthought, traceroute and take the final router. I guess for
> aDSL home users you will find some 8 or 11 routers in Germany. My final
> router never changes. Of course there can hide more than one bad guy
> behind that router.

Actually, some anti-spam veterans keep lists of dynamic blocks as negative
scoring marks in their filters. I still believe that even ignoring those
the numbers are still too high.

I honestly want to know why a precise number matters? It will only be
higher than our facts based upon our different observation points.

	Gadi.

> 
> Kind regards
> Peter and Karin
> 
> -- 
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Graeffstrasse 14
> D-64646 Heppenheim
> +49(6252)671-788 (Telekom)
> +49(179)108-3978 (O2 Genion)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: peter at peter-dambier.de
> mail: peter at echnaton.serveftp.com
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> 
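
Added example, not part of the original thread and not Adlex/CompuWare code: a sketch of the subscriber-versus-address accounting discussed above, mapping each detector hit to the RADIUS accounting session that held the address at that moment. The session and hit records are constructed sample data, the field layout and function names are assumptions, and leases for one address are assumed not to overlap.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed RADIUS accounting sessions:
# (User-Name, Framed-IP-Address, start, stop) with times in epoch seconds.
SESSIONS = [
    ("sub-a", "192.0.2.10", 1000, 2000),
    ("sub-a", "192.0.2.11", 2100, 3000),   # same subscriber, new lease
    ("sub-a", "192.0.2.12", 3100, 4000),
    ("sub-b", "192.0.2.10", 2050, 5000),   # address re-leased to someone else
    ("sub-c", "192.0.2.20", 1000, 5000),   # never seen by the detector
]

# Constructed detector hits: (timestamp, source address).
HITS = [
    (1500, "192.0.2.10"),
    (2500, "192.0.2.11"),
    (3500, "192.0.2.12"),
    (4000, "192.0.2.10"),
    (4500, "192.0.2.99"),                  # no accounting record covers this
]

def build_index(sessions):
    """Group leases by address, sorted by start time, for binary search."""
    by_ip = defaultdict(list)
    for user, ip, start, stop in sessions:
        by_ip[ip].append((start, stop, user))
    for leases in by_ip.values():
        leases.sort()
    return by_ip

def attribute(ts, ip, index):
    """Return the subscriber holding `ip` at time `ts`, or None."""
    leases = index.get(ip, [])
    # Last lease whose start time is <= ts.
    i = bisect_right(leases, (ts, float("inf"), "")) - 1
    if i >= 0 and leases[i][0] <= ts <= leases[i][1]:
        return leases[i][2]
    return None

def summarize(hits, sessions):
    """Count distinct addresses versus distinct subscribers behind the hits."""
    index = build_index(sessions)
    ips, subscribers, unattributed = set(), set(), 0
    for ts, ip in hits:
        ips.add(ip)
        user = attribute(ts, ip, index)
        if user is None:
            unattributed += 1
        else:
            subscribers.add(user)
    return {"unique_ips": len(ips), "unique_subscribers": len(subscribers),
            "unattributed_hits": unattributed}
```

On the sample data, four distinct addresses collapse to two subscribers, and the two hits on 192.0.2.10 belong to different subscribers, which an address-only count cannot show.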



