[anti-abuse-wg] passive botnet tracker

We've built and run a prototype passive botnet tracking system in
Austria for the last year. A journal paper is pending and should be
ready for the conference - hopefully only a week away from the final
version.

The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming
packets and classify them into (currently eight) different spambot types
based on learned idiosyncrasies of packet and protocol, and
reference data (currently by Marshall). The system is based on
machine learning techniques, scales extremely well, and can utilize
all kinds of reference data. However, to track all spambots worldwide
(according to ShadowServer's estimates), we need about 1.5 million unused
IP addresses. In times of IPv4 shortage, that is quite a tall order.

Unfortunately, spammers have not switched to IPv6 yet - in the full
past year, we could not find a single IPv6 packet originating from a
spambot. This will probably change in the future, but until we have
enough sample data to train our models, IPv6 cannot be used reliably.

Lack of reference data (i.e. known botnets, bot types, DDoS/spam
sending activity etc.) has been our greatest obstacle so far. We
intend to extend the system towards TCP/IP stack fingerprinting (for
those bots which have their own stack) and towards true botnet
tracking (e.g. by analyzing access patterns & timings)

Any comments are welcome. We will try to be at RIPE-58, provided we
can get a small talking slot there - half an hour should suffice.

Best,
  Alex
-- 
Dr. Alexander K. Seewald

Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764