[90492] in North American Network Operators' Group


Re: Are botnets relevant to NANOG?

daemon@ATHENA.MIT.EDU (Peter Dambier)
Fri May 26 16:10:18 2006

Date: Fri, 26 May 2006 22:09:48 +0200
From: Peter Dambier <peter@peter-dambier.de>
Reply-To: peter@peter-dambier.de
Cc: nanog@merit.edu
In-Reply-To: <200605261936.k4QJawF0024379@atlas.centergate.com>
Errors-To: owner-nanog@merit.edu


John Kristoff wrote:
> On Fri, 26 May 2006 11:50:21 -0700
> Rick Wesson <wessorh@ar.com> wrote:
> 
> 
>>The longer answer is that we haven't found a reliable way to identify 
>>dynamic blocks. Should anyone point me to an authoritative source I'd
>>be happy to do the analysis and provide some graphs on how dynamic 
>>addresses affect the numbers.
> 
> 
> I don't know how effective the dynamic lists maintained by some in
> the anti-spamming community are, you'd probably know better than I,
> but that is one way as described in the paper.  In the first section
> of the paper I cited they list three methods they used to try to
> capture stable IP addresses.  Summarizing those:
> 
>   1. reverse map the IP address and analyze the hostname
>   2. do same for nearby addresses and analyze character difference ratio
>   3. compare active probes of suspect app with icmp echo response

A tool to help you:
Try natnum from the IASON tools.

  $ natnum echnaton.serveftp.com

host_look("84.167.246.104","echnaton.serveftp.com","1420293736").
host_name("84.167.246.104","p54A7F668.dip.t-dialin.net").

You can feed natnum a hostname or an ip-address or even a long integer.

If you want to dump an address range use name2pl.

  $ name2pl 84.167.246.100 8

host_name("84.167.246.100","p54A7F664.dip.t-dialin.net").
host_name("84.167.246.101","p54A7F665.dip.t-dialin.net").
...
host_name("84.167.246.106","p54A7F66A.dip.t-dialin.net").
host_name("84.167.246.107","p54A7F66B.dip.t-dialin.net").

This dumps 8 IP addresses starting from 84.167.246.100.
Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry, the sourceforge still gives me hiccups :)
Sorry, it will compile and run on UNIX, BSD, Linux and Mac OS X only.

> 
> None of these will be foolproof and the last one will probably only
> be good for cases where there is a service running where you'd
> rather there not be and you can test for it (e.g. open relays).
> 
> There was at least one additional reference to related work in that
> paper, which leads to more still, but I'll let those interested to
> do their own research on additional ideas for themselves.
> 
> 
>>also note that we are using TCP fingerprinting in our spamtraps and 
>>expect to have some interesting results published in the august/sept 
>>time frame. We won't be able to say that a block is dynamic but we
>>will be able to better understand if we talk to the same spammer from 
>>different ip addresses and how often those addresses change.
> 
> 
> Will look forward to seeing more.  Thanks,
> 
> John

Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
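As an added illustration of the first two methods John summarises (reverse-map the address and analyse the hostname; do the same for nearby addresses and look at the character-difference ratio), plus the natnum-style hostname / dotted quad / long integer handling shown in the host_look() output above, here is a small Python script. It is example code written for this page, not the IASON natnum or name2pl source. It does no DNS: the PTR table is constructed inline so the script runs offline (the *.dip.t-dialin.net names are the ones quoted above; the example.org names and the 192.0.2.0/24 block are invented), and the token list, the 0.15 threshold and the 8-address neighbourhood span are heuristic choices of mine, not values from the paper or the thread. The third method (active probing of a suspect service) needs network access and is deliberately left out.

```python
"""Heuristics for spotting dynamically assigned address blocks from PTR names.

Example code added for this page; not the IASON natnum/name2pl tools.
Implements: (1) reverse-map an address and analyse the hostname,
(2) compare it with the PTR names of neighbouring addresses, and the
natnum-style conversion between hostname, dotted quad and long integer.
"""
import ipaddress
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed reverse-DNS table standing in for real PTR lookups.
PTR_TABLE = {
    "84.167.246.100": "p54A7F664.dip.t-dialin.net",
    "84.167.246.101": "p54A7F665.dip.t-dialin.net",
    "84.167.246.102": "p54A7F666.dip.t-dialin.net",
    "84.167.246.103": "p54A7F667.dip.t-dialin.net",
    "84.167.246.104": "p54A7F668.dip.t-dialin.net",
    "84.167.246.105": "p54A7F669.dip.t-dialin.net",
    "84.167.246.106": "p54A7F66A.dip.t-dialin.net",
    "84.167.246.107": "p54A7F66B.dip.t-dialin.net",
    # Constructed static block in the RFC 5737 documentation range.
    "192.0.2.10": "mail.example.org",
    "192.0.2.11": "www.example.org",
    "192.0.2.12": "ns1.example.org",
    "192.0.2.13": "vpn-gw.example.org",
}
FORWARD_TABLE = {name: ip for ip, name in PTR_TABLE.items()}  # constructed A records

# Tokens ISPs commonly put in generated customer-pool names (heuristic list, my choice).
DYNAMIC_TOKENS = ("dip", "dyn", "dynamic", "pool", "ppp", "dsl", "adsl", "cable", "dhcp")
HEX_IP_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{8})(?![0-9a-f])", re.IGNORECASE)


def ip_to_long(ip: str) -> int:
    """Dotted quad -> long integer, as natnum prints it (84.167.246.104 -> 1420293736)."""
    return int(ipaddress.IPv4Address(ip))


def long_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def to_address(arg: str) -> Optional[str]:
    """Accept a hostname, a dotted quad or a long integer (like natnum) and return the dotted quad."""
    if arg.isdigit():
        return long_to_ip(int(arg))
    try:
        return str(ipaddress.IPv4Address(arg))
    except ipaddress.AddressValueError:
        return FORWARD_TABLE.get(arg)  # constructed forward lookup instead of DNS


def reverse_map(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; reads the constructed table instead of DNS."""
    return PTR_TABLE.get(ip)


def hex_encoded_ip(hostname: str) -> Optional[str]:
    """Address a name encodes as 8 hex digits (p54A7F668 -> 84.167.246.104), else None."""
    m = HEX_IP_RE.search(hostname)
    return long_to_ip(int(m.group(1), 16)) if m else None


def hostname_looks_dynamic(ip: str, hostname: str) -> list:
    """Method 1: reasons the PTR name looks like an auto-generated pool name."""
    reasons = []
    if any(tok in label for label in hostname.lower().split(".") for tok in DYNAMIC_TOKENS):
        reasons.append("pool-style token in name")
    if hex_encoded_ip(hostname) == ip:
        reasons.append("name encodes its own address in hex")
    octets = ip.split(".")
    for order in (octets, octets[::-1]):  # e.g. 84-167-246-104 or 104-246-167-84
        if re.search(r"\D".join(map(re.escape, order)), hostname):
            reasons.append("name contains its own octets")
            break
    return reasons


def char_diff_ratio(a: str, b: str) -> float:
    """Fraction of characters that differ (0.0 identical, 1.0 nothing in common)."""
    return 1.0 - SequenceMatcher(None, a, b).ratio()


def neighbourhood_diff(ip: str, span: int = 8) -> Optional[float]:
    """Method 2: mean character-difference ratio between ip's PTR and its neighbours'.

    Generated pool names differ from each other by a digit or two, so a small
    mean ratio points to a dynamic block; hand-named hosts give larger ratios.
    """
    own = reverse_map(ip)
    if own is None:
        return None
    base = ip_to_long(ip)
    ratios = []
    for offset in range(-(span // 2), span // 2 + 1):
        name = reverse_map(long_to_ip(base + offset)) if offset else None
        if name is not None:
            ratios.append(char_diff_ratio(own, name))
    return sum(ratios) / len(ratios) if ratios else None


def classify(arg: str, span: int = 8, threshold: float = 0.15) -> dict:
    """Combine both heuristics for a hostname, dotted quad or long integer."""
    ip = to_address(arg)
    hostname = reverse_map(ip) if ip else None
    reasons = hostname_looks_dynamic(ip, hostname) if hostname else []
    diff = neighbourhood_diff(ip, span) if ip else None
    if diff is not None and diff < threshold:
        reasons.append(f"neighbour names differ by only {diff:.0%} on average")
    return {"ip": ip, "hostname": hostname, "reasons": reasons, "dynamic": bool(reasons)}


if __name__ == "__main__":
    for query in ("1420293736", "84.167.246.104", "www.example.org", "198.51.100.1"):
        print(query, "->", classify(query))
```

The neighbourhood test is what makes this more than keyword matching: an ISP that uses a bland naming scheme still produces PTR names that differ from their neighbours by one or two characters, whereas a hand-populated zone does not. Both checks are heuristics, as John says; a low difference ratio across a consecutive block is evidence, not proof, that the block is dynamic.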

