[nsp-sec] 1Million Botnet Ips
Scott A. McIntyre
scott at xs4all.net
Sat Jul 5 12:11:05 EDT 2008
On Jul 5, 2008, at 18:08 , Chris Morrow wrote:
>
>
> On Sat, 5 Jul 2008, Scott A. McIntyre wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> On Jul 5, 2008, at 17:14 , Lawrence Baldwin wrote:
>>
>>> ----------- nsp-security Confidential --------
>>> How can the "count of infected IPs" be > 1 within a /32?
>>> e.g:
>>> 2 | 63.149.54.129/32 | 2008-06-20 01:44:34+02 | 209 | US | ASN-QWEST - Qwest
>>
>> NAT.
>>
>>
>> We regularly see the same customer on the same botnet many times
>> due to having multiple infections on the same box, or, NAT, and
>> several systems behind the public-IP all infected (hint: schools.
>> Sigh.)
>
> which you can distinguish based on ip-id inconsistency (sometimes)
> and between cookies in web requests (sometimes)... both aren't 100%
> and depending on where this data came from possibly not relevant :(
> but...
>
> -Chris
>
Indeed -- sometimes we confront customers with a list of 20 or 30 ip-id
combinations for a single botnet and point out that it either means
one system has Lots of Evil, or, they have a lot of computers which
are infected.
Our high score, I believe, is 2400 infections on one system (give or
take a hundred).
"Hello, helpdesk? My computer is slow...."
Customers. Gotta love 'em!
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.
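One way to put the ip-id hint from this thread into practice, as an added example that is not from the thread or from XS4ALL: constructed sinkhole records for a NATed public address are clustered into IP-ID counter chains, giving a lower bound on the number of distinct infected hosts behind the NAT. Hosts with randomised IP-ID (the reason the method is not 100%) show up as unattributed singletons rather than being counted.

```python
from collections import defaultdict, namedtuple

# One sinkhole observation: time, public source address, IPv4 Identification field.
Observation = namedtuple("Observation", "ts src_ip ip_id")

# Constructed sample, not data from the thread. 198.51.100.7 is a NAT hiding two
# hosts with sequential IP-ID counters (near 1000 and near 40000) plus a third
# that randomises IP-ID; 203.0.113.9 is a single host.
SAMPLE = [
    Observation(0, "198.51.100.7", 1001), Observation(1, "198.51.100.7", 40002),
    Observation(2, "198.51.100.7", 1004), Observation(3, "198.51.100.7", 53211),
    Observation(4, "198.51.100.7", 40005), Observation(5, "198.51.100.7", 1007),
    Observation(6, "198.51.100.7", 9140), Observation(7, "198.51.100.7", 40009),
    Observation(0, "203.0.113.9", 500), Observation(3, "203.0.113.9", 502),
]

def estimate_hosts(observations, max_step=64):
    """Cluster one public address's IP-IDs into per-host counter chains.

    A chain is a run of IP-IDs where each value is a small forward step (mod
    2**16) from the previous one, as a sequential per-host counter produces.
    Chains of two or more packets count as distinct hosts; lone values (random
    IP-ID stacks, or too few samples) are reported as unattributed.
    """
    chains = []
    for obs in sorted(observations, key=lambda o: o.ts):
        for chain in chains:
            delta = (obs.ip_id - chain[-1]) % 65536  # handles counter wraparound
            if 0 < delta <= max_step:
                chain.append(obs.ip_id)
                break
        else:
            chains.append([obs.ip_id])  # no chain fits: start a new one
    sequential = sum(1 for c in chains if len(c) >= 2)
    return {"sequential_hosts": sequential,
            "unattributed_ids": len(chains) - sequential}

def hosts_per_public_ip(observations, max_step=64):
    """Group observations by public address and estimate the hosts behind each."""
    by_ip = defaultdict(list)
    for obs in observations:
        by_ip[obs.src_ip].append(obs)
    return {ip: estimate_hosts(obs, max_step) for ip, obs in by_ip.items()}

if __name__ == "__main__":
    for ip, result in hosts_per_public_ip(SAMPLE).items():
        print(ip, result)
```

The count is a lower bound: two hosts whose counters happen to sit within `max_step` of each other merge into one chain, and a randomising host never forms one.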