This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] passive botnet tracker
- Previous message (by thread): [anti-abuse-wg] passive botnet tracker
- Next message (by thread): [anti-abuse-wg] how to detect spambots - SPAMTrusted
peter h
peter at hk.ipsec.se
Tue Mar 3 22:07:29 CET 2009
On Tuesday 03 March 2009 19.48, Dr. Alexander K. Seewald wrote:
> We've built and run a prototype passive botnet tracking system in
> Austria for the last year. A journal paper is pending and should be
> ready for the conference - hopefully only a week away from the final
> version.
>
> The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming
> packets and classify them into (currently eight) different spambot types
> based on learned idiosyncrasies of packet and protocol, and
> reference data (currently by Marshall). The system is based on
> machine learning techniques, scales extremely well, and can utilize
> all kinds of reference data. However, to track all spambots worldwide
> (according to ShadowServer's estimates), we need about 1.5 million unused
> IP addresses. In times of IPv4 shortage, that is quite a tall order.
>
> Unfortunately, spammers have not switched to IPv6 yet - in the full
> past year, we could not find a single IPv6 packet originating from a
> spambot. This will probably change in the future, but until we have
> enough sample data to train our models, IPv6 cannot be used reliably.
>
> Lack of reference data (i.e. known botnets, bot types, DDoS/spam
> sending activity etc.) has been our greatest obstacle so far. We
> intend to extend the system towards TCP/IP stack fingerprinting (for
> those bots which have their own stack) and towards true botnet
> tracking (e.g. by analyzing access patterns & timings)
>
> Any comments are welcome. We will try to be at RIPE-58, provided we
> can get a small talking slot there - half an hour should suffice.
>
> Best,
> Alex

Technical analysis is at best a forensic tool, possibly useful when a spammer has stood trial.

What we need is legislation and spam-hunting, where spamming is made illegal, no excuses allowed, where badly managed computers that are taken over by spammers are a crime, and where the efforts of the law community are switched from the witch-hunting of peer-to-peer networks to hunting spam and the associated criminality.

ISPs that do not prevent spam and that do not act upon abuse reports should be made accountable.

Sorry, bot-analysing is interesting, but it does not (much) prevent the disease.

-- 
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )
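The quoted message describes classifying darknet SYNs by "learned idiosyncrasies of packet and protocol" and plans to extend that to TCP/IP stack fingerprinting. The block below is an added example, not code from Seewald's prototype or from anyone on this thread: it parses raw IPv4/TCP SYN packets, extracts the stack-level features a darknet sensor can observe (initial TTL, window, DF bit, TCP option order, MSS, window scale), and matches them against a small signature table. The signature profiles, the "raw-stack-bot" label, the scoring weights and the sample packets are all constructed for illustration; real reference data is, as the message says, the hard part.

```python
"""Passive TCP/IP stack fingerprinting of SYNs arriving at a darknet.

Added example, not code from the prototype described in the quoted
message. Signature table, sample packets and scoring weights are
constructed for illustration; the "raw-stack-bot" profile is hypothetical.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFingerprint:
    initial_ttl: int            # observed TTL rounded up to a common initial value
    window: int                 # advertised TCP window
    mss: Optional[int]
    window_scale: Optional[int]
    options: Tuple[int, ...]    # TCP option kinds in the order sent
    df: bool                    # IP Don't-Fragment flag


def guess_initial_ttl(ttl: int) -> int:
    """Undo per-hop decrements by rounding up to the next common initial TTL."""
    for cand in (32, 64, 128, 255):
        if ttl <= cand:
            return cand
    return 255


def parse_syn(pkt: bytes) -> SynFingerprint:
    """Extract fingerprint features from a raw IPv4+TCP SYN (no link layer)."""
    ver_ihl, _tos, _tot, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or flags & 0x10:       # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts = tcp[20:data_off]
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:                              # EOL: only padding follows
            break
        if kind == 1:                              # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return SynFingerprint(guess_initial_ttl(ttl), window, mss, wscale,
                          tuple(kinds), bool(flags_frag & 0x4000))


# Constructed reference profiles (label -> expected features).
SIGNATURES = {
    "linux-2.6-like": dict(initial_ttl=64, window=5840, df=True, options=(2, 4, 8, 1, 3)),
    "windows-like": dict(initial_ttl=128, window=8192, df=True, options=(2, 1, 3, 1, 1, 4)),
    "raw-stack-bot": dict(initial_ttl=255, window=512, df=False, options=(2,)),  # hypothetical
}


def classify(fp: SynFingerprint, threshold: int = 6) -> Tuple[str, int]:
    """Score every profile; option order is weighted as the strongest signal."""
    best, best_score = "unknown", 0
    for label, sig in SIGNATURES.items():
        score = (4 * (fp.options == sig["options"])
                 + 2 * (fp.initial_ttl == sig["initial_ttl"])
                 + (fp.df == sig["df"])
                 + (fp.window == sig["window"]))
        if score > best_score:
            best, best_score = label, score
    return (best, best_score) if best_score >= threshold else ("unknown", best_score)


def build_syn(ttl: int, window: int, options: bytes, df: bool = True,
              src: str = "198.51.100.7", dst: str = "192.0.2.10") -> bytes:
    """Build a constructed IPv4/TCP SYN to port 25 (checksums left zero)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad with EOL to a 32-bit boundary
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHH", 40000, 25, 1, 0, (data_off << 12) | 0x02, window) + b"\x00" * 4 + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


MSS, SACKOK, NOP = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01"
TS, WS7 = b"\x08\x0a" + b"\x00" * 8, b"\x03\x03\x07"

# Constructed darknet captures; TTLs sit a few hops below their initial values.
SAMPLES = {
    "a": build_syn(52, 5840, MSS + SACKOK + TS + NOP + WS7),
    "b": build_syn(117, 8192, MSS + NOP + WS7 + NOP + NOP + SACKOK),
    "c": build_syn(249, 512, MSS, df=False),
    "d": build_syn(61, 65535, MSS + NOP + NOP + SACKOK),   # matches no profile
}


def classify_samples() -> dict:
    return {name: classify(parse_syn(pkt))[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(parse_syn(pkt)), parse_syn(pkt))
```

Sample "d" falls below the threshold and is reported as unknown rather than forced into the nearest profile; on a real darknet that bucket is where unlabelled bot stacks accumulate, and it only becomes useful once reference data ties a profile to a known bot family.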