nanog mailing list archives
Re: NSP-SEC
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Sun, 21 Mar 2010 23:58:27 -0400
On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:
>> There is, by the way, no relief from this due to events like the recent bust of the Mariposa botnet (13M systems);
>
> The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more than a month's time. When I've had visibility into other large botnets (srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 IPs-to-unique-bots count over a time period of a week. Happy to make the raw pcap data available to anyone who is curious.
>
> The UCSB guys showed similar results in their excellent Torpig paper.
> http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>
> My unscientific finger-in-the-wind would put it at well under 1M when you are talking a month and a half of monitoring IP connections.

First, Alex, don't you know all security people are 100% secretive? :)

Back on topic, there is good data out there showing far, far more than 1 million hosts on the Internet infected.

Hrmm, my first two Google searches did not turn anything up. So maybe those security guys are being secretive!

--
TTFN,
patrick