This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] passive botnet tracker
- Previous message (by thread): [anti-abuse-wg] passive botnet tracker
- Next message (by thread): [anti-abuse-wg] passive botnet tracker
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Dr. Alexander K. Seewald
alex at seewald.at
Wed Mar 4 12:13:34 CET 2009
On Wed, Mar 04, 2009 at 11:12:35AM +0100, Florian Weimer wrote:
> There seems to be an underlying assumption that all bots gather
> information through scanning (possibly neighboring) addresses, but
> this is simply not true.

No, we have collected about twelve months' traffic from four /26 subnets and were able to recognize about half of the spambots from single packet data alone using a machine learning system trained on packet features (excluding obvious correlations such as TCP source port). We suspect this is due to non-random ICMP payloads, TCP option ordering and UDP payloads. There is no compelling reason for this data to be there; we were as surprised as you seem to be.

Best,
Alex

--
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764