[anti-abuse-wg] passive botnet tracker

On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
> 
> > The gist: Based on a darknet (i.e. unused IP addresses), we analyze
> > incoming packets and classify them into (currently eight) different
> > spambot types based on learned idiosyncrasies of packet and
> > protocol, and reference data (currently by Marshall).
> Why do you expect bots to touch dark address space?
Sorry, I did not mean dark address space, but unused IP adresses.
Bots touch this for proliferation purposes.

> Or put differently, I think any approach based on darkspace monitoring
> signficantly restricts the types of bots you can detect.
In last year's project with a small 256 IP darknet, we were able to
detect about half of the spambot types from our reference data very
well. Paper should be ready in a few weeks.

The advantage is that it is a purely passive approach which cannot
be detected (i.e. the unused IP address looks exactly like an unused
IP address - we don't even send out SYN packets like other darknet
approaches), and it tracks the bot's proliferation function which is
primary to their functionality (at least for those parts of the bot
population which proliferate - there might be parts with specialized
functions outside which we would be unable to detect with our
system)

Best,
  Alex
-- 
Dr. Alexander K. Seewald

Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764