Are botnets relevant to NANOG?

Valdis.Kletnieks at Valdis.Kletnieks at
Tue May 30 13:27:04 UTC 2006

On Tue, 30 May 2006 10:02:37 BST, Michael.Dillon at said:

> For instance, you only published data for two
> categories of ASN. Where is the tier-1 data?

I suspect that "tier-1" botnet data isn't at all interesting, because
in general, "tier-1" providers have almost no address space containing
the sort of machines that end up in botnets.  For instance, look at AS701

Lots of /24's, but even if you add it all up, barely a single /9 if
that much *total*.  And I bet most of those /24's just have a handful
of routers on them.

> And numbers should cover a 7-day period, not
> 5 days. In addition, for each category you should
> provide a fixed cutoff. The CIDR report shows
> the top 30 ASNs. 

If we're playing the "shame game" the way the CIDR report is, an
interesting metric might be "bots divided by announced address space"
(so for instance AS1312 would have it 6 or 10 bots(*) divided by its
2 /16s).  I wonder if the numbers for "consumer broadband" versus
"universities" will look significantly different when done that way.

(*) Yes, our AS isn't perfectly clean.  We've got a resnet in our
address space, where the best we can do is provide user education and
play whack-a-mole as we find them....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list