nanog mailing list archives

Re: NSP-SEC


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Sun, 21 Mar 2010 23:58:27 -0400

On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:

> > There is, by the way, no relief from this due to events like the
> > recent bust of the Mariposa botnet (13M systems);
>
> The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more than a month's time.  When I've had
> visibility into other large botnets (srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 IPs-to-unique-bots
> count over a time period of a week.  Happy to make the raw pcap data available to anyone who is curious.  The UCSB
> guys showed similar results in their excellent Torpig paper.
> http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>
> My unscientific finger-in-the-wind would put it at well under 1M when you are talking a month and a half of
> monitoring IP connections.

First, Alex, don't you know all security people are 100% secretive? :)
 
Back on topic, there is good data out there showing far, far more than 1 million hosts on the Internet infected.  Hrmm, 
my first two Google searches did not turn anything up.  So maybe those security guys are being secretive!

-- 
TTFN,
patrick


