Educause Security Discussion mailing list archives
Re: Cyberattacks Down?
From: John Kristoff <jtk () NORTHWESTERN EDU>
Date: Wed, 8 Dec 2004 16:09:49 -0600
On Wed, 8 Dec 2004 15:18:02 -0600 "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU> wrote:
> Our research into IRC botnets over the past 2.5yrs indicates that the number of Trojaned EDU hosts operating within IRC is down from ~9.5% of all compromised IRC bots identified in 2003 to ~2.7% of all compromised IRC bots identified in 2004.
>
> ** Based on a sample of ~57K unique compromised hosts in IRC **
That would be good news if it's true, but I'm a bit suspect. First of all, unless you have access to the IRC controller or its traffic, you likely won't know which hosts are part of the botnet when the info you try to gather from the server is either unavailable, masked or misleading.

Second, the percentage of all bots for .edu's is down, but what do the total numbers for .edu's between the two years look like? Is there a rise, fall or no change?

Third, as pointed out elsewhere for me, a 57K sample is nothing. There are single botnets that large. Especially when there are estimates of hundreds of thousands of bots active on the net at any one time.

In addition, maybe utexas.edu has a much better security staff than the rest of us and what you can see is much less than what many of us less vigilant than you see?

However, I don't mean to burst the bubble completely and don't want to imply that this is completely irrelevant data, just very subjective. It does seem that bots do not last long on .edu hosts. Due in large part I suspect to the better than average communication between .edus. In particular, I think most of us have seen at least a few emails from you over the years making sure we know about badness that has found its way onto our networks and for that we all say thank you! :-)
> Perhaps EDUs should be congratulated? EDUs appear to have been working on the problem, has the rest of the Internet?
Yes and yes, but the rest of the Internet is a much bigger place.

John

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.