[124056] in North American Network Operators' Group


RE: NSP-SEC

daemon@ATHENA.MIT.EDU (Alex Lanstein)
Sun Mar 21 21:53:31 2010

From: Alex Lanstein <ALanstein@FireEye.com>
To: Rich Kulawiec <rsk@gsp.org>, "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 21 Mar 2010 18:52:53 -0700
In-Reply-To: <20100322004346.GA19036@gsp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>>>________________________________________
>>>From: Rich Kulawiec [rsk@gsp.org]
>>>Sent: Sunday, March 21, 2010 8:43 PM
>>>To: nanog@nanog.org
>>>Subject: Re: NSP-SEC
>>>
>>>There is, by the way, no relief from this due to events like the
>>>recent bust of the Mariposa botnet (13M systems);

The public numbers advertised were 13M _IPs_ connecting to a sinkhole over
more than a month's time.  When I've had visibility into other large botnets
(srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 IPs-to-unique-bots
count over a time period of a week.  Happy to make the raw pcap data available
to anyone who is curious.  The UCSB guys showed similar results in their
excellent Torpig paper.  http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

My unscientific finger-in-the-wind would put it at well under 1M when you are
talking a month and a half of monitoring IP connections.

Regards,

Alex Lanstein

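An added example (mine, not code or data from the post above, FireEye or the Torpig paper) of the comparison the message describes: counting distinct source IPs against distinct infected hosts in sinkhole beacons, per week and over the whole capture. It assumes the beacon carries a stable per-infection identifier (as Torpig's did); the log lines are constructed and use documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole beacon log (not real data): timestamp, source IP,
# and a per-infection identifier carried in the bot's beacon. A stable
# bot ID is an assumption here; many families do not expose one, which
# is exactly why raw IP counts end up being the number that gets quoted.
SINKHOLE_LOG = """\
2010-02-01T00:10:00 198.51.100.7 bot-a1
2010-02-01T00:12:00 198.51.100.9 bot-b2
2010-02-02T03:00:00 198.51.100.21 bot-a1
2010-02-03T11:30:00 203.0.113.5 bot-a1
2010-02-04T08:00:00 198.51.100.9 bot-b2
2010-02-05T09:45:00 203.0.113.77 bot-b2
2010-02-06T22:00:00 192.0.2.14 bot-a1
2010-02-07T10:00:00 192.0.2.15 bot-c3
2010-02-09T00:00:00 192.0.2.99 bot-a1
2010-02-10T00:00:00 198.51.100.7 bot-c3
"""


def parse(log):
    """Yield (timestamp, ip, bot_id) tuples from the whitespace-separated log."""
    for line in log.splitlines():
        ts, ip, bot = line.split()
        yield datetime.fromisoformat(ts), ip, bot


def window_counts(log, days):
    """Per window of `days` since the first beacon: (unique IPs, unique bots, IP/bot ratio)."""
    events = sorted(parse(log))
    start = events[0][0]
    ips, bots = defaultdict(set), defaultdict(set)
    for ts, ip, bot in events:
        w = (ts - start) // timedelta(days=days)  # integer window index
        ips[w].add(ip)
        bots[w].add(bot)
    return {w: (len(ips[w]), len(bots[w]), len(ips[w]) / len(bots[w])) for w in ips}


def cumulative_ratio(log):
    """Whole-capture (unique IPs, unique bots, IP/bot ratio): the 'advertised' number vs. hosts."""
    events = list(parse(log))
    ips = {ip for _, ip, _ in events}
    bots = {bot for _, _, bot in events}
    return len(ips), len(bots), len(ips) / len(bots)


if __name__ == "__main__":
    print("weekly:", window_counts(SINKHOLE_LOG, 7))
    print("cumulative:", cumulative_ratio(SINKHOLE_LOG))
```

The longer the capture, the more address churn inflates the IP count while the host count stays flat, which is the gap between the 13M figure and a host estimate.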
