On Tuesday 03 March 2009 19.48, Dr. Alexander K. Seewald wrote:
We've built and run a prototype passive botnet tracking system in Austria for the last year. A journal paper is pending and should be ready for the conference - hopefully only a week away from the final version.
The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming packets and classify them into (currently eight) different spambot types based on learned idiosyncrasies of packet and protocol, and reference data (currently by Marshall). The system is based on machine learning techniques, scales extremely well, and can utilize all kinds of reference data. However, to track all spambots worldwide (according to ShadowServer's estimates), we need about 1.5 million unused IP addresses. In times of IPv4 shortage, that is quite a tall order.
Unfortunately, spammers have not switched to IPv6 yet - in the full past year, we could not find a single IPv6 packet originating from a spambot. This will probably change in the future, but until we have enough sample data to train our models, IPv6 cannot be used reliably.
Lack of reference data (i.e. known botnets, bot types, DDoS/spam sending activity etc.) has been our greatest obstacle so far. We intend to extend the system towards TCP/IP stack fingerprinting (for those bots which have their own stack) and towards true botnet tracking (e.g. by analyzing access patterns & timings).
Any comments are welcome. We will try to be at RIPE-58, provided we can get a small talking slot there - half an hour should suffice.
Best, Alex
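The approach described in the post, as an added illustration that is not the poster's system or code: packets arriving at unused (darknet) addresses are unsolicited by construction, so the idiosyncrasies of their TCP/IP headers (inferred initial TTL, window size, MSS, target port, flags) can serve as features, and a labelled reference set supplies the bot-family labels for training. The example below uses a categorical naive Bayes classifier with Laplace smoothing and scores each unlabelled source across all of its packets. The log lines, the documentation-range IP addresses, the reference mapping and the family names ("family_A", "family_B") are all constructed placeholders; the post does not name its eight spambot types or its feature set.

```python
"""Toy darknet spambot-family classifier (added example, not the poster's code).

Every log line, address, family label and reference entry below is constructed
for illustration; nothing here is taken from a real feed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed darknet log: one line per packet seen on unused addresses.
DARKNET_LOG = """\
2009-03-03T19:48:01 src=198.51.100.7 dst=192.0.2.15 proto=tcp dport=25 ttl=114 win=65535 flags=S mss=1460
2009-03-03T19:48:02 src=198.51.100.7 dst=192.0.2.16 proto=tcp dport=25 ttl=114 win=65535 flags=S mss=1460
2009-03-03T19:48:05 src=203.0.113.9 dst=192.0.2.15 proto=tcp dport=25 ttl=52 win=5840 flags=S mss=1380
2009-03-03T19:48:06 src=203.0.113.9 dst=192.0.2.17 proto=tcp dport=25 ttl=52 win=5840 flags=S mss=1380
2009-03-03T19:48:09 src=198.51.100.33 dst=192.0.2.18 proto=tcp dport=25 ttl=116 win=16384 flags=S mss=1460
2009-03-03T19:48:11 src=203.0.113.40 dst=192.0.2.19 proto=tcp dport=25 ttl=49 win=5840 flags=S mss=1380
2009-03-03T19:48:12 src=198.51.100.77 dst=192.0.2.20 proto=tcp dport=445 ttl=121 win=65535 flags=S mss=1460
"""

# Constructed reference data (stands in for an external feed): source -> family.
# The family names are placeholders, not real spambot families.
REFERENCE = {
    "198.51.100.7": "family_A",
    "198.51.100.33": "family_A",
    "203.0.113.9": "family_B",
}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) .*?dport=(?P<dport>\d+) ttl=(?P<ttl>\d+) "
    r"win=(?P<win>\d+) flags=(?P<flags>\S+) mss=(?P<mss>\d+)"
)


def infer_initial_ttl(ttl):
    """Map an observed TTL to the nearest common initial TTL (64, 128 or 255)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def featurize(line):
    """Parse one log line into (source, categorical feature dict), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    feats = {
        "initial_ttl": infer_initial_ttl(int(m.group("ttl"))),
        "win": int(m.group("win")),
        "mss": int(m.group("mss")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }
    return m.group("src"), feats


class NaiveBayes:
    """Categorical naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self):
        self.class_counts = Counter()                  # label -> training packets
        self.value_counts = defaultdict(Counter)       # (feature, label) -> value counts
        self.vocab = defaultdict(set)                  # feature -> values seen in training

    def fit(self, samples):
        for feats, label in samples:
            self.class_counts[label] += 1
            for f, v in feats.items():
                self.value_counts[(f, label)][v] += 1
                self.vocab[f].add(v)

    def feature_log_prob(self, feats, label):
        n = self.class_counts[label]
        return sum(
            math.log((self.value_counts[(f, label)][v] + 1) / (n + len(self.vocab[f])))
            for f, v in feats.items()
        )

    def score_source(self, packets):
        """Log-score each label for a source: prior once, likelihood summed over packets."""
        total = sum(self.class_counts.values())
        return {
            label: math.log(n / total) + sum(self.feature_log_prob(p, label) for p in packets)
            for label, n in self.class_counts.items()
        }


def classify_darknet(log_text, reference, min_confidence=0.8):
    """Train on reference-labelled sources, then label every other source."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        parsed = featurize(line)
        if parsed:
            src, feats = parsed
            per_source[src].append(feats)
    model = NaiveBayes()
    model.fit([(f, reference[src]) for src, fl in per_source.items()
               if src in reference for f in fl])
    result = {}
    for src, packets in per_source.items():
        if src in reference:
            continue
        scores = model.score_source(packets)
        best = max(scores, key=scores.get)
        log_norm = math.log(sum(math.exp(s) for s in scores.values()))  # log-sum-exp
        confidence = math.exp(scores[best] - log_norm)
        result[src] = best if confidence >= min_confidence else "unclassified"
    return result


if __name__ == "__main__":
    for src, label in classify_darknet(DARKNET_LOG, REFERENCE).items():
        print(f"{src}: {label}")
```

Sources below the confidence threshold are reported as "unclassified" rather than forced into a family, which matters in practice because a darknet also receives scanners and misconfigured hosts that belong to none of the trained classes; the post's own point that lack of reference data is the main obstacle shows up here as the model's dependence on the small labelled set.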
Technical analysis is at best a forensic tool, possibly useful when a spammer has stood trial.

What we need is legislation and spam hunting, where spamming is made illegal, no excuses allowed, where badly managed computers that are taken over by spammers are a crime, and where the efforts of the law community are switched from the witch-hunting of peer-to-peer networks to hunting spam and the associated criminality. ISPs that do not prevent spam and that do not act upon abuse reports should be made accountable.

Sorry, bot analysing is interesting, but it does not (much) prevent the disease.

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)