nanog mailing list archives
Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]
From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 20 Feb 2007 11:35:18 -0500
On Mon, Feb 19, 2007 at 02:04:13PM +0000, Simon Waters wrote:
> I simply don't believe the higher figures bandied about in the discussion for compromised hosts. Certainly Microsoft's malware team report a high level of trojans around, but they include things like the Jar files downloaded onto many PCs, that attempt to exploit a vulnerability that most people patched several years ago. Simply identifying your computer downloaded (as designed), but didn't run (because it was malformed), malware, isn't an infection, or of especial interest (other than indicating something about the frequency with which webservers attempt to deliver malware).
I don't understand why you don't believe those numbers. The estimates that people are making are based on externally-observed known-hostile behavior by the systems in question: they're sending spam, performing SSH attacks, participating in botnets, controlling botnets, hosting spamvertised web sites, handling phisher DNS, etc. They're not based on things like mere downloads or similar. As Joe St. Sauver pointed out to me, "a million compromised systems a day is quite reasonable, actually (you can track it by rsync'ing copies of the CBL and cumulating the dotted quads over time)".

So I'm genuinely baffled. I'd like someone to explain to me why this seems implausible.

BTW #1: I'm not asserting that my little January experiment is the basis for such an estimate. It's not. It wasn't intended to be, otherwise I would have used a very different methodology.

BTW #2: All of this leaves open an important and likely-unanswerable question: how many systems are compromised but not as yet manifesting any external sign of it? Certainly any competent adversary would hold a considerable fraction of its forces in reserve. (If it were me, that fraction would be at least "the majority".)

---Rsk
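A worked illustration of the counting method Joe St. Sauver describes above (accumulating the dotted quads from successive CBL copies), added here as an example and not part of the original thread. The snapshot contents and their one-address-per-line format are constructed assumptions, and the rsync step is replaced by inline strings.

```python
import ipaddress

# Constructed daily snapshots standing in for rsync'd copies of the CBL.
# Format is an assumption: one dotted quad per line, '#' starts a comment.
SNAPSHOTS = {
    "2007-02-17": "# cbl snapshot\n192.0.2.10\n192.0.2.11\n198.51.100.5\n",
    "2007-02-18": "192.0.2.10\n198.51.100.5\n198.51.100.6\n203.0.113.7\n",
    "2007-02-19": "192.0.2.11\n198.51.100.6\nnot-an-ip\n203.0.113.8\n",
}


def parse_snapshot(text):
    """Return the set of valid IPv4 addresses in one snapshot.

    Comment lines, blank lines and malformed entries are skipped so one bad
    line in a large feed does not abort the whole run.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue
    return addrs


def cumulate(snapshots):
    """Walk the snapshots in date order and accumulate the addresses seen.

    Returns (rows, seen) where each row is
    (date, listed_today, new_today, dropped_since_yesterday, cumulative_unique)
    and seen is the union of every address listed on any day.
    """
    seen, prev, rows = set(), set(), []
    for date in sorted(snapshots):
        today = parse_snapshot(snapshots[date])
        new = today - seen          # never listed on an earlier day
        dropped = prev - today      # delisted since the previous snapshot
        seen |= today
        rows.append((date, len(today), len(new), len(dropped), len(seen)))
        prev = today
    return rows, seen


if __name__ == "__main__":
    for row in cumulate(SNAPSHOTS)[0]:
        print("%s listed=%d new=%d dropped=%d cumulative=%d" % row)
```

The gap between the per-day listed count and the cumulative column is why one snapshot understates the total; the cumulative total, conversely, counts a dynamically reassigned address as a new host each time it is relisted.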