NSP-SEC
>>>________________________________________
>>>From: Rich Kulawiec [rsk at gsp.org]
>>>Sent: Sunday, March 21, 2010 8:43 PM
>>>To: nanog at nanog.org
>>>Subject: Re: NSP-SEC
>>>
>>>There is, by the way, no relief from this due to events like the
>>>recent bust of the Mariposa botnet (13M systems);
The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more than a month's time. When I've had visibility into other large botnets (Srizbi, Rustock, Mega-D), I was consistently seeing a 10 to 1 IPs-to-unique-bots count over a time period of a week. Happy to make the raw pcap data available to anyone who is curious. The UCSB guys showed similar results in their excellent Torpig paper. http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
My unscientific finger-in-the-wind would put it at well under 1M when you are talking a month and a half of monitoring IP connections.
Regards,
Alex Lanstein
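
Added illustration, not part of the original message and not derived from the poster's data: a small Python census over constructed sinkhole log lines, showing how the distinct-IP count drifts away from the distinct-bot count as the observation window grows. The log format and the `bot_id` field (a per-infection identifier carried in the check-in) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log(days=7):
    """Constructed sinkhole log lines: '<ISO timestamp> <src_ip> <bot_id>'.
    bot_id is a hypothetical per-infection identifier sent in the check-in."""
    start = datetime(2010, 3, 1)
    lines = []
    for day in range(days):
        ts = (start + timedelta(days=day, hours=12)).isoformat()
        for bot in range(3):
            # DHCP churn: each of these bots gets a new address every day.
            lines.append(f"{ts} 198.51.100.{day * 3 + bot + 1} bot-{bot}")
        for bot in (3, 4):
            # Two infected hosts behind one NAT address that never changes.
            lines.append(f"{ts} 203.0.113.7 bot-{bot}")
    return lines

def census(lines, start, end):
    """Count distinct source IPs and distinct bot IDs seen in [start, end)."""
    ips, ips_by_bot = set(), defaultdict(set)
    for line in lines:
        ts, ip, bot_id = line.split()
        if start <= datetime.fromisoformat(ts) < end:
            ips.add(ip)
            ips_by_bot[bot_id].add(ip)
    bots = len(ips_by_bot)
    return {
        "unique_ips": len(ips),
        "unique_bots": bots,
        "ips_per_bot": len(ips) / bots if bots else 0.0,
        "max_ips_one_bot": max((len(s) for s in ips_by_bot.values()), default=0),
    }

if __name__ == "__main__":
    log = build_sample_log()
    t0 = datetime(2010, 3, 1)
    for label, span in (("1 day", 1), ("7 days", 7)):
        print(label, census(log, t0, t0 + timedelta(days=span)))
```

In this constructed data the one-day window undercounts (NAT hides two bots behind one address), while the seven-day window overcounts by more than four to one because of address churn.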