[124058] in North American Network Operators' Group


Re: NSP-SEC

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Mar 21 23:59:17 2010

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <60B0F2124D07B942988329B5B7CA393D023F2C88E8@mail2.FireEye.com>
Date: Sun, 21 Mar 2010 23:58:27 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:

>>>> There is, by the way, no relief from this due to events like the
>>>> recent bust of the Mariposa botnet (13M systems);
>
> The public numbers advertised were 13M _IPs_ connecting to a sinkhole
> over more than a month's time.  When I've had visibility into other
> large botnets (srizbi, rustock, mega-d), I was consistently seeing a 10
> to 1 IPs-to-unique-bots count over a time period of a week.  Happy to
> make the raw pcap data available to anyone who is curious.  The UCSB
> guys showed similar results in their excellent Torpig paper.
> http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>
> My unscientific finger-in-the-wind would put it at well under 1M when
> you are talking a month and a half of monitoring IP connections.

First, Alex, don't you know all security people are 100% secretive? :)

Back on topic, there is good data out there showing far, far more than 1
million hosts on the Internet infected.  Hrmm, my first two Google
searches did not turn anything up.  So maybe those security guys are
being secretive!

-- 
TTFN,
patrick
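
The IPs-versus-unique-bots gap described in the quoted message, as an added example that is not part of the original post: it counts distinct source IPs and distinct bot identifiers over growing windows of a sinkhole log. The log format, the bot-id field and every address and name below are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sinkhole check-ins: "timestamp source-IP bot-id". The bot-id
# column is an assumption: any stable per-host identifier sent at check-in.
SAMPLE_LOG = """\
2010-03-01T08:00:00 198.51.100.10 botA
2010-03-01T09:30:00 203.0.113.7 botB
2010-03-02T08:05:00 198.51.100.44 botA
2010-03-02T21:00:00 203.0.113.7 botB
2010-03-03T07:50:00 198.51.100.91 botA
2010-03-03T10:00:00 192.0.2.15 botC
2010-03-04T08:10:00 198.51.100.23 botA
2010-03-05T08:00:00 198.51.100.77 botA
2010-03-05T12:00:00 192.0.2.15 botC
2010-03-05T12:05:00 192.0.2.15 botD
"""

def parse(log):
    """Return (datetime, ip, bot_id) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            events.append((ts, parts[1], parts[2]))
        except (ValueError, IndexError):
            continue
    return events

def census(events, start, days):
    """Distinct IPs and distinct bot IDs seen in [start, start + days)."""
    end = start + timedelta(days=days)
    hits = [(ip, bot) for ts, ip, bot in events if start <= ts < end]
    return len({ip for ip, _ in hits}), len({bot for _, bot in hits})

def churn_report(log, windows=(1, 3, 5)):
    """Map window length in days to (ips, bots, ips-per-bot ratio)."""
    events = parse(log)
    start = min(ts for ts, _, _ in events).replace(hour=0, minute=0, second=0)
    report = {}
    for days in windows:
        ips, bots = census(events, start, days)
        report[days] = (ips, bots, round(ips / bots, 2))
    return report

if __name__ == "__main__":
    for days, (ips, bots, ratio) in churn_report(SAMPLE_LOG).items():
        print(f"{days}d window: {ips} IPs, {bots} bots, {ratio} IPs per bot")
```

In the sample, botA changes address daily, so the IP count outruns the bot count as the window grows, while botC and botD share one address, so on the last day alone the IP count undercounts the bots.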


