[94970] in North American Network Operators' Group

Re: RBL for bots?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Feb 15 22:42:15 2007

To: Gadi Evron <ge@linuxbox.org>
Cc: Drew Weaver <drew.weaver@thenap.com>, nanog@merit.edu
In-Reply-To: Your message of "Thu, 15 Feb 2007 19:02:12 CST."
             <Pine.LNX.4.21.0702151859060.4861-100000@linuxbox.org>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 15 Feb 2007 22:41:10 -0500
Errors-To: owner-nanog@merit.edu


On Thu, 15 Feb 2007 19:02:12 CST, Gadi Evron said:
> Many of them are SMTP-based only. IP reputation is very limited still.
> 
> Now, all that said, back on "most are broadband users" - no longer
> true. Many bots (especially in spam) are now web servers.

I'm willing to bet that most are *still* broadband users.  Quite likely,
even if 100% (yes, *every single last one*) of the "web servers" out there
were botted, that would likely still be fewer systems than if only 5% of end-user
systems were botted.  Just a little while back, Vint Cerf guesstimated that
there's 140 million botted end user boxes.  Unless 100% of Google's servers
are botted, there's no way there's that many botted servers. :)

And the fact that web servers are getting botted is just the cycle of
reincarnation - it wasn't that long ago that .edu's had a reputation of
getting pwned for the exact same reasons that webservers are targets now:
easy to attack, and usually lots of bang-for-buck in pipe size and similar.

