[anti-abuse-wg] passive botnet tracker
Jan Pieter Cornet johnpc at xs4all.net
Wed Mar 4 10:47:52 CET 2009
On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
>
> > The gist: Based on a darknet (i.e. unused IP addresses), we analyze
> > incoming packets and classify them into (currently eight) different
> > spambot types based on learned idiosyncrasies of packet and
> > protocol, and reference data (currently by Marshall).
>
> Why do you expect bots to touch dark address space?
>
> Or put differently, I think any approach based on darkspace monitoring
> significantly restricts the types of bots you can detect.

Not if you use "dark" corners of your own PA space, eg unused /28s in
your DSL space, or hosting space.

--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!