Educause Security Discussion mailing list archives

Re: Cyberattacks Down?


From: John Kristoff <jtk () NORTHWESTERN EDU>
Date: Wed, 8 Dec 2004 16:09:49 -0600

On Wed, 8 Dec 2004 15:18:02 -0600
"Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU> wrote:

> Our research into IRC botnets over the past 2.5yrs
> indicates that the number of Trojaned EDU hosts
> operating within IRC is down from ~9.5% of all
> compromised IRC bots identified in 2003 to ~2.7%
> of all compromised IRC bots identified in 2004.
> ** Based on a sample of ~57K unique compromised
>    hosts in IRC **

That would be good news if it's true, but I'm a bit suspect.  First of
all, unless you have access to the IRC controller or its traffic, you
likely won't know which hosts are part of the botnet when the info you
try to gather from the server is either unavailable, masked or misleading.
Second, the percentage of all bots for .edu's are down, but what do the
total numbers for .edu's between the two years look like?  Is there a
rise, fall or no change?  Third, as pointed out elsewhere for me, a 57K
sample is nothing.  There are single botnets that large.  Especially
when there are estimates of hundreds of thousands of bots active on the
net at any one time.

In addition, maybe utexas.edu has a much better security staff than the
rest of us and what you can see is much less than what many of us less
vigilant than you see?

However, I don't mean to burst the bubble completely and don't want to
imply that this is completely irrelevant data, just very subjective.
It does seem that bots do not last long on .edu hosts.  Due in large
part I suspect to the better than average communication between .edus.
In particular, I think most of us have seen at least a few emails from
you over the years making sure we know about badness that has found its
way onto our networks and for that we all say thank you!  :-)

> Perhaps EDUs should be congratulated?  EDUs
> appear to have been working on the problem,
> has the rest of the Internet?

Yes and yes, but the rest of the Internet is a much bigger place.

John

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
