North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
- From: Rich Kulawiec
- Date: Thu Dec 02 17:27:16 2004
On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote:
> Can you direct me toward a singluar entity of 1MM bots controlled by
> a single master?
Nobody can, except the single master who's in control of same, and
whoever that is -- if there is -- is unlikely to voluntarily share
that information publicly.
That's part of the problem: we know that that are huge numbers of
them. How huge? 10e7 was probably a good estimate early in 2004,
10e8 is starting to look plausible given reported discovery rates.
And the quasi-related problem of spyware/adware is exacerbating it:
it's not like that cruft is exactly fastidious about making sure that
it doesn't open the door to things worse than itself.
We don't know how many there are.
We probably can't know how many there are -- unless they do something
to make themselves noticed, and surely those controlling them are smart
enough to realize this and keep plenty in reserve. We can only know how
many have made themselves visible, and even knowing that's hard.
We don't know who's controlling them: are we up against 10 people or 10,000?
We don't know everything they're doing with them.
We don't know everything they're going to try to do with them.
We don't know where they'll be next: they may move around (thanks to DHCP
and similar), may show up in multiple places (thanks to VPNs) or they
may *really* move around (laptops).
We don't know how many are "server" systems as opposed to end-user systems.
We don't know how to how to keep more from being created.
We don't have a mechanism for un-zombie'ing the ones that already exist
(other than laboriously going after them one at a time).
We don't have a means to keep them from being re-zombied -- just as soon
as the latest IE-bug-of-the-day hits Bugtraq.
We don't have a viable way of controlling their actions other than
disconnecting them entirely: sure, blocking outbound port 25 connections
stops them from attempting spam delivery directly into mail servers, but
surely nobody is so naive as to think those controlling these botnets
are going to shrug their shoulders and give up when that happens?
There are all kinds of other things they could be doing. *Are doing*.
We don't have a clear understanding of who they're being controlled:
are they quasi-autonomous? centrally directed? via a tree structure?
do they "phone home"? are they operating p2p? all of the above?
And so on.
But we darn well should find out.