Botnet List Discussed on NANOG

Peter Dambier peter at peter-dambier.de
Mon May 29 06:25:54 UTC 2006


Sat Mandri wrote:
> Hi Rick & Peter
>
> We at Telecom NZ/Xtra are quite keen to learn from you guys how the
> following Statistical Data on “Botnet” was gathered and what’s the
> initiative driving it.
>
> We look forward to hearing from you guys on this matter.
>
> Kind Regards
>
> Sat Mandri

Hi Sat,

I built IASON to check and protect computer centres against
attackers. The first thing IASON did was analyzing logs on
routers, switches and everything.

Next step might be tuning firewalls and switches, if need
be, isolating devices from the net.

http://iason.site.voila.fr/
http://www.kokoom.com/iason/

I still have a little trouble with

https://sourceforge.net/projects/iason/


Taking parts of IASON you can adapt it to count anything,
like:

Whenever a firewall, an xinetd or somebody else sees activity
on a port that is known to be notorious for a bot, then count and
remember that ip-address. That is a crude one but it gives you an
overview.

With tools like IASON, you could analyze your findings for
repeating patterns. Now you can identify the bots even after
they change ip-addresses.

Why did I build IASON in the first place?

Working for companies like GLC, Global Center and Exodus I got
tired of watching people in the NOC doing the same thing again
and again for hours. Their expertise was not knowledge but
pure typing speed.

IASON can type much faster and he even has time to read the
logs. With the core of IASON programmed in prolog it might
even get a clue :)

Cheers
Peter and Karin


> ---------- Forwarded message ----------
> Date: Fri, 26 May 2006 10:21:10 -0700
> From: Rick Wesson <wessorh at ar.com>
> To: peter at peter-dambier.de
> Cc: nanog at merit.edu
> Subject: Re: Are botnets relevant to NANOG?
>
>>  Some people need whatever bandwidth they can get for ranting.
>>  Of course routing reports, virus reports and botnet bgp statistics
>>  take away a lot of valuable bandwidth that could otherwise be used
>>  for nagging. On the other hand without Gadi's howling for the
>>  wolves those wolves might be lost species and without the wolves
>>  all the nagging and ranting would make less fun.
>
> let's see, should we be concerned? here are a few interesting tables, the
> cnt column is new IP addresses we have seen in the last 5 days. The
> first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper
> [1] The second table is Universities. The ASN concerned are just in the
> announced by orgs in USA as to imply that they should be on NANOG.
>
> Let me say it again the counts are NEW observations in the last 5 days.
> also note I'm not Gati, and I've got much more data on everyone's networks.
>
> -rick
>
> New compromised unique IP addresses (last 5 days) Tier-2 ASN
> +-------+------------------------------------+-------+
> | asnum | asname                             | cnt   |
> +-------+------------------------------------+-------+
> | 19262 | Verizon Internet Services          | 35790 |
> | 20115 | Charter Communications             |  4453 |
> |  8584 | Barak AS                           |  3930 |
> |  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
> | 12271 | Road Runner                        |  2485 |
> | 22291 | Charter Communications             |  2039 |
> |  8113 | VRIS Verizon Internet Services     |  1664 |
> |  6197 | BellSouth Network Solutions, Inc   |  1634 |
> |  6198 | BellSouth Network Solutions, Inc   |  1531 |
> |  *9325 | XTRA-AS Telecom XTRA, Auckland     |  1415* |
> | 11351 | Road Runner                        |  1415 |
> |  6140 | ImpSat                             |  1051 |
> |  7021 | Verizon Internet Services          |   961 |
> |  6350 | Verizon Internet Services          |   945 |
> | 19444 | CHARTER COMMUNICATIONS             |   845 |
> +-------+------------------------------------+-------+
>
> Universities, new unique ip last 5 days
> +-------+--------------------------------+-----+
> | asnum | left(asname,30)                | cnt |
> +-------+--------------------------------+-----+
> |    14 | Columbia University            |  93 |
> |     3 | MIT-2 Massachusetts Institute  |  45 |
> |    73 | University of Washington       |  25 |
> |  7925 | West Virginia Network for Educ |  24 |
> |  4385 | RIT-3 Rochester Institute of T |  20 |
> | 23369 | SCOE-5 Sonoma County Office of |  19 |
> |  5078 | Oklahoma Network for Education |  18 |
> |  3388 | UNM University of New Mexico   |  18 |
> |    55 | University of Pennsylvania     |  13 |
> |   159 | The Ohio State University      |  12 |
> |   104 | University of Colorado at Boul |  12 |
> |  4265 | CERFN California Education and |  11 |
> |   693 | University of Notre Dame       |  10 |
> |  2900 | Arizona Tri University Network |   9 |
> |  2637 | Georgia Institute of Technolog |   9 |
> +-------+--------------------------------+-----+
>
> [1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
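The two steps Peter describes, counting and remembering every address that touches a port known for bot traffic, then looking for repeating patterns so a host can be recognised after it changes address, as an added example in Python. This is not IASON's code and not anything from the thread; the iptables-style log lines are constructed, the port set is an assumption chosen for the example, and the function names are hypothetical.

```python
# Added example, not code from IASON or from the mail's author: count and
# remember source addresses that touch ports associated with bot activity,
# then look for repeating probe patterns so the same host can be recognised
# after it changes address. Log lines, port set and function names are
# assumptions made for this example.
from collections import defaultdict
import re

# Constructed iptables-style firewall log lines (not real traffic; TEST-NET addresses).
SAMPLE_LOG = """\
May 26 10:21:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41234 DPT=445
May 26 10:21:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41235 DPT=139
May 26 10:21:12 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41236 DPT=135
May 26 10:22:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=5100 DPT=80
May 26 10:23:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3000 DPT=445
May 26 10:23:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3001 DPT=139
May 26 10:23:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3002 DPT=135
May 26 10:24:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6000 DPT=6667
"""

# Ports treated as "notorious for a bot" in this example: the Windows RPC/SMB
# ports that worms of the era hammered, plus the classic IRC C&C port.
# This set is an assumption, not a list from the thread.
BOT_PORTS = {135, 139, 445, 6667}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return (src, proto, dport) tuples in log order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return events


def count_bot_hits(events):
    """The crude counter from the mail: for each bot port, the set of source addresses seen."""
    hits = defaultdict(set)
    for src, _proto, dport in events:
        if dport in BOT_PORTS:
            hits[dport].add(src)
    return dict(hits)


def remembered_addresses(hits):
    """Every address that touched at least one bot port."""
    return set().union(*hits.values()) if hits else set()


def probe_signatures(events):
    """Per source address, the ordered tuple of bot ports it touched (its 'pattern')."""
    seq = defaultdict(list)
    for src, _proto, dport in events:
        if dport in BOT_PORTS:
            seq[src].append(dport)
    return {src: tuple(ports) for src, ports in seq.items()}


def repeating_patterns(signatures):
    """Patterns seen from two or more addresses: candidates for 'same bot, new IP'."""
    by_pattern = defaultdict(list)
    for src, pattern in signatures.items():
        by_pattern[pattern].append(src)
    return {p: sorted(srcs) for p, srcs in by_pattern.items() if len(srcs) > 1}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = count_bot_hits(ev)
    for port in sorted(hits):
        print(f"port {port}: {len(hits[port])} source address(es)")
    for pattern, srcs in repeating_patterns(probe_signatures(ev)).items():
        print(f"pattern {pattern} seen from {', '.join(srcs)}")
```

A hit on one of these ports is a signal, not a verdict: port scanners and misconfigured hosts land in the same counter, which is why the mail calls it crude. The ordered-port signature is an equally crude fingerprint, but it is what lets the second address in the sample be matched to the first even though the addresses differ. Rolling these per-address counts up by origin ASN over a sliding window is what produces a table like Rick's "new unique IP addresses in the last 5 days".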
