nanog mailing list archives

botnets: web servers, end-systems and Vint Cerf

From: Gadi Evron <ge () linuxbox org>
Date: Thu, 15 Feb 2007 21:54:00 -0600 (CST)


On Thu, 15 Feb 2007 Valdis.Kletnieks () vt edu wrote:

On Thu, 15 Feb 2007 19:02:12 CST, Gadi Evron said:

Many of them are SMTP-based only. IP reputation is very limited still.

Now, all that said, back on "most are broadband users" - no longer
true. Many bots (especially in spam) are now web servers.


I'm willing to bet that most are *still* broadband users.  Quite likely,


Oh, safe bet. :)

even if 100% (yes, *every single last one*) of the "web servers" out there
were botted, that would likely still be less systems than if only 5% of end-user


But not less spam? :)
I seriously doubt more spam is sent from web servers than user systems,
but it's changing. Web servers now play a part which we can notice and
measure.

systems were botted.  Just a little while back, Vint Cerf guesstimated that
there's 140 million botted end user boxes.  Unless 100% of Google's servers
are botted, there's no way there's that many botted servers. :)


I kept quiet on this for a while, but honestly, I appreciate Vint Cerf
mentioning this where he did, and raising awareness among people who can
potentially help us solve the problem of the Internet.

Still, although I kept quiet for a while, us so-called "botnet
experts" gotta ask: where does he get his numbers? I would appreciate some
backing up to these or I'd be forced to call him up on his statement.

My belief is that it is much worse. I am capable of proving only somewhat
worse. His numbers are still staggering so.. where why when how what? (not
necessarily in that order).

So, data please Vint/Google.

And the fact that web servers are getting botted is just the cycle of
reincarnation - it wasn't that long ago that .edu's had a reputation of
getting pwned for the exact same reasons that webservers are targets now:
easy to attack, and usually lots of bang-for-buck in pipe size and similar.


You mean they aren't now? Do we have any EDU admins around who want to
tell us how bad it still is, despite attempts at working on this?

Dorms are basically large honey nets. :)

        Gadi.

Current thread:

RBL for bots? Drew Weaver (Feb 15)
- Re: RBL for bots? Valdis . Kletnieks (Feb 15)
  - Re: RBL for bots? Joel Jaeggli (Feb 15)
    - Re: RBL for bots? Valdis . Kletnieks (Feb 15)
  - Re: RBL for bots? Gadi Evron (Feb 15)
    - Re: RBL for bots? Valdis . Kletnieks (Feb 15)
    - botnets: web servers, end-systems and Vint Cerf Gadi Evron (Feb 15)
    - Re: botnets: web servers, end-systems and Vint Cerf Peter Moody (Feb 15)
    - Re: botnets: web servers, end-systems and Vint Cerf Gadi Evron (Feb 15)
    - Re: botnets: web servers, end-systems and Vint Cerf Rich Kulawiec (Feb 16)
    - rDNS naming David Barak (Feb 20)
    - Re: botnets: web servers, end-systems and Vint Cerf Valdis . Kletnieks (Feb 15)
    - Re: botnets: web servers, end-systems and Vint Cerf Sean Donelan (Feb 16)
    - Re: botnets: web servers, end-systems and Vint Cerf Valdis . Kletnieks (Feb 16)
    - Re: botnets: web servers, end-systems and Vint Cerf Sean Donelan (Feb 16)
    - Re: botnets: web servers, end-systems and Vint Cerf Eric Gauthier (Feb 16)
    - Re: botnets: web servers, end-systems and Vint Cerf Gadi Evron (Feb 16)

(Thread continues...)