North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Are botnets relevant to NANOG?
- From: Peter Dambier
- Date: Fri May 26 16:10:54 2006
John Kristoff wrote:
On Fri, 26 May 2006 11:50:21 -0700
Rick Wesson <email@example.com> wrote:
The longer answer is that we haven't found a reliable way to identify
dynamic blocks. Should anyone point me to an authoritative source I'd
be happy to do the analysis and provide some graphs on how dynamic
addresses effect the numbers.
I don't know how effective the dynamic lists maintained by some in
the anti-spamming community is, you'd probably know better than I,
but that is one way as decribed in the paper. In the first section
of the paper I cited they lists three methods they used to try to
capture stable IP addresses. Summarizing those:
1. reverse map the IP address and analyze the hostname
2. do same for nearby addresses and analyze character difference ratio
3. compare active probes of suspect app with icmp echo response
Tool to help you.
Try natnum form the IASON tools.
$ natnum echnaton.serveftp.com
You can feed natnum a hostname or an ip-address or even a long integer.
If you want to dump an address range use name2pl.
$ name2pl 22.214.171.124 8
Dumps you 8 ip-addresses starting from 126.96.36.199.
Without the 8 you will get 256
Sorry the sourceforge still gives me hickups :)
Sorry will compile and run on UNIX, BSD, Linux, MAC OS-X only.
None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where'd you'd
rather there not be and you can test for it (e.g. open relays).
There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested to
do their own research on additional ideas for themselves.
also note that we are using TCP fingerprinting in our spamtraps and
expect to have some interesting results published in the august/sept
time frame. We won't be able to say that a block is dynamic but we
will be able to better understand if we talk to the same spammer from
different ip addresses and how often those addresses change.
Will look forward to seeing more. Thanks,
Peter and Karin
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)