This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] passive botnet tracker
Jan Pieter Cornet
johnpc at xs4all.net
Wed Mar 4 10:47:52 CET 2009
On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
>
> > The gist: Based on a darknet (i.e. unused IP addresses), we analyze
> > incoming packets and classify them into (currently eight) different
> > spambot types based on learned idiosyncrasies of packet and
> > protocol, and reference data (currently by Marshall).
>
> Why do you expect bots to touch dark address space?
>
> Or put differently, I think any approach based on darkspace monitoring
> significantly restricts the types of bots you can detect.

Not if you use "dark" corners of your own PA space, e.g. unused /28s
in your DSL space, or hosting space.

--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!