Are botnets relevant to NANOG?

In recent discussions about botnets, some people maintained
that botnets (and viruses and worms) are really not a relevant
topic for NANOG discussion and are not something that we
should be worried about. I think that the CSI and FBI would
disagree with that.

In a press release announcing the last CSI/FBI survey
http://www.gocsi.com/press/20050714.jhtml
the following statement appears:

Highlights of the 2005 Computer Crime and Security Survey include:

  - The total dollar amount of financial losses resulting from
    security breaches is decreasing, with an average loss of
    $204,000 per respondent-down 61 percent from last year's
    average loss of $526,000.
  - Virus attacks continue as the source of the greatest
    financial losses, accounting for 32 percent of the
    overall losses reported.
  - Unauthorized access showed a dramatic increase and
    replaced denial of service as the second most significant
    contributor to computer crime losses, accounting for
    24 percent of overall reported losses, and showing
    a significant increase in average dollar loss.

So where do botnets come in? First of all, botnets are
used to distribute viruses, the largest source of
financial losses. Second, botnets are built on what
the CSI calls "unauthorised access", the second largest
source of loss. And denial of service, which used to
be the 2nd largest, is also something that botnets do.

Now NANOG members cannot change OS security, they can't
change corporate security practices, but they can have
an impact on botnets because this is where the nefarious
activity meets the network.

Therefore, I conclude that discussions of botnets do
belong on the NANOG list as long as the NANOG list is
not used as a primary venue for discussing them.

One thing that surveys, such as the CSI/FBI Security
Survey, cannot do well is to measure the impact of
botnet researchers and the people who attempt to shut
down botnets. It's similar to the fight against terrorism.
I know that there have been 2 terrorist attacks on
London since 9/11 but I don't know HOW MANY ATTACKS
HAVE BEEN THWARTED. At least two have been publicised
but there could be dozens more.

Cleaning up botnets is rather like fighting terrorism.
At the end, you have nothing to show for it. No news
coverage, no big heaps of praise. Most people aren't
sure there was ever a problem to begin with. That doesn't
mean that the work should stop or that network providers
should withold their support for cleaning up the
botnet problem.

In recent discussions about botnets, some people maintained
that botnets (and viruses and worms) are really not a relevant
topic for NANOG discussion and are not something that we
should be worried about. I think that the CSI and FBI would disagree with that.

Some people need whatever bandwidth they can get for ranting.
Of course routing reports, virus reports and botnet bgp statistics
take away a lot of valuable bandwidth that could otherwise be used
for nagging. On the other hand without Gadi's howling for the
wolves those wolves might be lost species and without the wolves
all the nagging and ranting would make less fun.

Now NANOG members cannot change OS security, they can't
change corporate security practices, but they can have an impact on botnets because this is where the nefarious
activity meets the network.

They can. All you have to do is look for free software and
join the devellopers or the testers or report whatever you
have found out.

When working for Exodus and GLC I have seen I could change
security practices. I was working in London, Munich and
Frankfurt NOCs.

Sorry I did not know about NANOG that time. It would have
made my live a lot more interesting.

Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is
not used as a primary venue for discussing them.

Botnets are networks. We should have the network operators
on the NANOG list. (I am afraid we do already have them

One thing that surveys, such as the CSI/FBI Security
Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut
down botnets. It's similar to the fight against terrorism.
I know that there have been 2 terrorist attacks on
London since 9/11 but I don't know HOW MANY ATTACKS
HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more.

Cleaning up botnets is rather like fighting terrorism.
At the end, you have nothing to show for it. No news
coverage, no big heaps of praise. Most people aren't
sure there was ever a problem to begin with. That doesn't
mean that the work should stop or that network providers
should withold their support for cleaning up the
botnet problem.

Maybe it is high time for a transparent frog. Invisible
for secure systems but as soon as one of the bots tries
to infect it, it will ...

In case you are not Gadi or working for Gadi, feel free
to ignore the tranparent frog. I have never met one

Cheers
Peter and Karin

Some people need whatever bandwidth they can get for ranting.
Of course routing reports, virus reports and botnet bgp statistics
take away a lot of valuable bandwidth that could otherwise be used
for nagging. On the other hand without Gadi's howling for the
wolves those wolves might be lost species and without the wolves
all the nagging and ranting would make less fun.

lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1] The second table is Universities. The ASN concerned are just in the announced by orgs in USA as to imply that they should be on NANOG.

Let me say it again the counts are NEW observations in the last 5 days. also note I'm not Gati, and I've got much more data on everyones networks.

-rick

New compromised unique IP addresses (last 5 days) Tier-2 ASN

Hi Rick,

What I'd be curious to know in the numbers being thrown around if there
has been any accounting of transient address usage. Since I'm spending
an awful lot of time with DNS these days, I'll actually provide a cite
related to that (and not simply suggest you just quote me :-). See
sections 3.3.2 and 4.4 of the following:

  Availability, Usage and Deployment Characteristics of the Domain Name
  System, Internet Measurement Conference 2004, J. Pang, et. al

At some point transient address pools are limited and presumably so
are the possible numbers of new bots, particularly within netblocks.
Is there any accounting for that? Shouldn't there be? What will the
effect of doing that be on the numbers?

John

John,

The short answer is no.

The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses effect the numbers.

also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.

I believe that understanding our tcp fingerprinting of spam senders might be more interesting and relevant to NANOG than how dynamic address assignments discounts the numbers i posted earlier.

-rick

John Kristoff wrote:

The longer answer is that we haven't found a reliable way to identify
dynamic blocks. Should anyone point me to an authoritative source I'd
be happy to do the analysis and provide some graphs on how dynamic
addresses effect the numbers.

I don't know how effective the dynamic lists maintained by some in
the anti-spamming community is, you'd probably know better than I,
but that is one way as decribed in the paper. In the first section
of the paper I cited they lists three methods they used to try to
capture stable IP addresses. Summarizing those:

  1. reverse map the IP address and analyze the hostname
  2. do same for nearby addresses and analyze character difference ratio
  3. compare active probes of suspect app with icmp echo response

None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where'd you'd
rather there not be and you can test for it (e.g. open relays).

There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested to
do their own research on additional ideas for themselves.

also note that we are using TCP fingerprinting in our spamtraps and
expect to have some interesting results published in the august/sept
time frame. We won't be able to say that a block is dynamic but we
will be able to better understand if we talk to the same spammer from
different ip addresses and how often those addresses change.

Will look forward to seeing more. Thanks,

John

John Kristoff wrote:

The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd
be happy to do the analysis and provide some graphs on how dynamic addresses effect the numbers.

I don't know how effective the dynamic lists maintained by some in
the anti-spamming community is, you'd probably know better than I,
but that is one way as decribed in the paper. In the first section
of the paper I cited they lists three methods they used to try to
capture stable IP addresses. Summarizing those:

  1. reverse map the IP address and analyze the hostname
  2. do same for nearby addresses and analyze character difference ratio
  3. compare active probes of suspect app with icmp echo response

Tool to help you.
Try natnum form the IASON tools.

  $ natnum echnaton.serveftp.com

host_look("84.167.246.104","echnaton.serveftp.com","1420293736").
host_name("84.167.246.104","p54A7F668.dip.t-dialin.net").

You can feed natnum a hostname or an ip-address or even a long integer.

If you want to dump an address range use name2pl.

  $ name2pl 84.167.246.100 8

host_name("84.167.246.100","p54A7F664.dip.t-dialin.net").
host_name("84.167.246.101","p54A7F665.dip.t-dialin.net").
...
host_name("84.167.246.106","p54A7F66A.dip.t-dialin.net").
host_name("84.167.246.107","p54A7F66B.dip.t-dialin.net").

Dumps you 8 ip-addresses starting from 84.167.246.100.
Without the 8 you will get 256

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry the sourceforge still gives me hickups
Sorry will compile and run on UNIX, BSD, Linux, MAC OS-X only.

None of these will be foolproof and the last one will probably only
be good for cases where there is a service running where'd you'd
rather there not be and you can test for it (e.g. open relays).

There was at least one additional reference to related work in that
paper, which leads to more still, but I'll let those interested to
do their own research on additional ideas for themselves.

also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we
will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.

Will look forward to seeing more. Thanks,

John

Kind regards
Peter and Karin

I worked with Adlex to update their software to identify and track dynamic
addresses associated with subscriber RADIUS information. At the time,
Adlex (now CompuWare) was the only off-the-shelf software that matched
unique subscriber RADIUS instead of just IP address. It is behavior based,
so not absolutely 100% accurate, but it is useful for long term trending
"bot-like" unique subscribers instead of dynamic IP addresses. I presented
some public numbers at an NSP-SEC BOF. There is a large difference
between the number of unique subscribers versus the number of dynamic IP
addresses detected by various public detectors.

http://www.compuware.com/products/vantage/4920_ENG_HTML.htm

Sean Donelan wrote:

[top-posting]

Time differentials, time-limiting, proxies and NATs, dynamic addresses,
different malware, different OS, etc. are all things taken into acount. At
some point you just need to have a best guess..

When the situation was by far less horrible, the numbers still didn't
matter.

Wasn't it your countrymen who said why should you need to be able to
destroy the world a thousand times over when once is more than enough? I
think 3 times for redundancy sounds like fun.

The numbers are for years now not relevant. I often count active groups,
active attacks per time-frame, money made/lost and number of user ID's
compromised / sites targetted.

  Gadi.

Sean Donelan wrote:
>
>>What I'd be curious to know in the numbers being thrown around if there
>>has been any accounting of transient address usage. Since I'm spending
>
>
> I worked with Adlex to update their software to identify and track dynamic
> addresses associated with subscriber RADIUS information. At the time,
> Adlex (now CompuWare) was the only off-the-shelf software that matched
> unique subscriber RADIUS instead of just IP address. It is behavior based,
> so not absolutely 100% accurate, but it is useful for long term trending
> "bot-like" unique subscribers instead of dynamic IP addresses. I presented
> some public numbers at an NSP-SEC BOF. There is a large difference
> between the number of unique subscribers versus the number of dynamic IP
> addresses detected by various public detectors.
>
> http://www.compuware.com/products/vantage/4920_ENG_HTML.htm

Just an afterthought, traceroute and take the final router. I guess for
aDSL home users you will find some 8 or 11 routers in germany. My final
router never changes. Of course there can hide more than one bad guy
behind that router.

Actually, some anti spam veterns keep lists of dynamic blocks as negative
scoring marks in their filters. I still believe that even ignoring those
the numbers are still too high.

I honestly want to know why a precise number matters? It will only be
higher than our facts based upon our different observation points.

  Gadi.

http://www.nytimes.com/2006/05/30/us/30identity.html
  Credit card companies point to new monitoring systems that have reduced
  loss from fraud as a percentage of overall transaction volume. At Visa,
  fraud accounted for 7 cents per $100 in transactions, down from 18 cents
  per $100 in 1990. "We could have a system reducing fraud to zero basis
  points, but it wouldn't meet what consumers are demanding," said Rosetta
  Jones, a Visa spokeswoman. "We need to deliver what consumers want in a
  way that is secure."

Zero is probably a bit too optimistic, but the idea is the same.