[nsp-sec] 1Million Botnet Ips
Chris Morrow
morrowc at ops-netman.net
Sat Jul 5 12:08:28 EDT 2008
On Sat, 5 Jul 2008, Scott A. McIntyre wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> On Jul 5, 2008, at 17:14 , Lawrence Baldwin wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> How can the "count of infected IPs" be > 1 within a /32?
>>
>> e.g:
>> 2 | 63.149.54.129/32 | 2008-06-20 01:44:34+02 | 209 | US |
>> ASN-QWEST - Qwest
>
> NAT.
>
>
> We regularly see the same customer on the same botnet many times due to
> having multiple infections on the same box, or, NAT, and several systems
> behind the public-IP all infected (hint: schools. Sigh.)
which you can distinguish based on ip-id inconsistency (sometimes) and
between cookies in web requests (sometimes)... both aren't 100% and
depending on where this data came from possibly not relevant :( but...
-Chris
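
The IP-ID check mentioned above, as an added example that is not part of the original message: it groups packets seen from one public IP into incrementing IP-ID chains and counts the chains. The function name, thresholds and sample packets are constructed assumptions, and the method only applies to hosts that use a single incrementing 16-bit IP-ID counter.

```python
# Added example: estimate how many hosts sit behind one public IP by
# splitting its packets into incrementing IP-ID chains.
# Assumption: each host uses one global incrementing 16-bit IP-ID counter.
# Hosts with randomised IP-IDs produce no chains, so the result is then 0.

MAX_GAP = 64      # assumed: largest forward jump still treated as the same host
MIN_PACKETS = 3   # assumed: chains shorter than this are treated as noise


def count_ipid_chains(observations, max_gap=MAX_GAP, min_packets=MIN_PACKETS):
    """observations: iterable of (timestamp, ip_id) seen from ONE source IP.

    Returns the number of distinct incrementing IP-ID chains, used as an
    estimate of the number of hosts behind that address.
    """
    chains = []  # each chain is [last_ip_id, packet_count]
    for _ts, ip_id in sorted(observations):
        best, best_gap = None, None
        for chain in chains:
            gap = (ip_id - chain[0]) % 65536      # forward distance, wrap-safe
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = chain, gap
        if best is None:
            chains.append([ip_id, 1])             # fits no counter: new candidate
        else:
            best[0] = ip_id
            best[1] += 1
    return sum(1 for _last, count in chains if count >= min_packets)


# Constructed sample: three counters interleaved behind one NAT address,
# one of them wrapping from 65535 back to 1.
SAMPLE_NAT = [
    (0.0, 100), (0.1, 40000), (0.2, 65533), (0.3, 101), (0.4, 40002),
    (0.5, 65535), (0.6, 104), (0.7, 40003), (0.8, 1), (0.9, 105), (1.0, 2),
]
# Constructed sample: one host, one counter.
SAMPLE_SINGLE = [(0.0, 500), (0.1, 501), (0.2, 503), (0.3, 504)]
# Constructed sample: randomised IP-IDs, where the method is inconclusive.
SAMPLE_RANDOM = [(0.0, 12000), (0.1, 51000), (0.2, 3000), (0.3, 30000)]

if __name__ == "__main__":
    for name, sample in [("nat", SAMPLE_NAT), ("single", SAMPLE_SINGLE),
                         ("random", SAMPLE_RANDOM)]:
        print(name, count_ipid_chains(sample))
```

A result of 0 means no usable counter was observed, not that no host is present.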