[90521] in North American Network Operators' Group
Re: Are botnets relevant to NANOG?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue May 30 09:27:43 2006
To: Michael.Dillon@btradianz.com
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 30 May 2006 10:02:37 BST."
<OF1FB8F284.1910DB20-ON8025717E.0030D63F-8025717E.0031ACFB@btradianz.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 30 May 2006 09:27:04 -0400
Errors-To: owner-nanog@merit.edu
On Tue, 30 May 2006 10:02:37 BST, Michael.Dillon@btradianz.com said:
> For instance, you only published data for two
> categories of ASN. Where is the tier-1 data?
I suspect that "tier-1" botnet data isn't at all interesting, because
in general, "tier-1" providers have almost no address space containing
the sort of machines that end up in botnets. For instance, look at AS701
http://www.cidr-report.org/cgi-bin/as-report?as=AS701&view=4637
Lots of /24's, but even if you add it all up, barely a single /9 if
that much *total*. And I bet most of those /24's just have a handful
of routers on them.
> And numbers should cover a 7-day period, not
> 5 days. In addition, for each category you should
> provide a fixed cutoff. The CIDR report shows
> the top 30 ASNs.
If we're playing the "shame game" the way the CIDR report is, an
interesting metric might be "bots divided by announced address space"
(so for instance AS1312 would have its 6 or 10 bots(*) divided by its
2 /16s). I wonder if the numbers for "consumer broadband" versus
"universities" will look significantly different when done that way.
(*) Yes, our AS isn't perfectly clean. We've got a resnet in our
address space, where the best we can do is provide user education and
play whack-a-mole as we find them....
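The "bots divided by announced address space" metric proposed in the message above, as an added example that is not part of the original post. The prefixes, the AS64500/AS64501 entries and their bot counts are constructed sample data; only the AS1312 figures (6 or 10 bots, two /16s) come from the message. Overlapping announcements are collapsed first so a more-specific inside a covering prefix is not counted twice.

```python
import ipaddress


def announced_addresses(prefixes):
    """Count distinct IPv4 addresses covered by a list of announced prefixes.

    Overlapping announcements (a /12 plus a more-specific /24 inside it)
    are collapsed so the same space is only counted once.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def bot_density(bots, prefixes, per=65536):
    """Bots per `per` announced addresses (default: per /16 equivalent)."""
    total = announced_addresses(prefixes)
    if total == 0:
        raise ValueError("no announced address space")
    return bots * per / total


def rank(asns):
    """asns: {label: (bot_count, [prefixes])} -> [(label, density)], worst first."""
    scored = ((label, bot_density(bots, pfx)) for label, (bots, pfx) in asns.items())
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data. Prefixes are placeholders from private space,
# not real announcements; AS64500/AS64501 are documentation ASNs.
SAMPLE = {
    "AS1312": (10, ["10.1.0.0/16", "10.2.0.0/16"]),      # 2 x /16, upper bot count
    "AS64500": (400, ["10.16.0.0/12", "10.16.5.0/24"]),  # /24 lies inside the /12
    "AS64501": (3, ["10.200.0.0/24"]),                   # tiny AS, few bots
}

if __name__ == "__main__":
    for label, density in rank(SAMPLE):
        bots, prefixes = SAMPLE[label]
        print(f"{label:8} bots={bots:4} addrs={announced_addresses(prefixes):8} "
              f"bots per /16 = {density:.1f}")
```

Ranked this way, the constructed AS with only 3 bots on a single /24 comes out worst, which is the kind of reordering relative to raw counts that the normalised metric is meant to expose.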