On Tue, 30 May 2006 10:02:37 BST, Michael.Dillon@btradianz.com said:
For instance, you only published data for two categories of ASN. Where is the tier-1 data?
I suspect that "tier-1" botnet data isn't at all interesting, because in general, "tier-1" providers have almost no address space containing the sort of machines that end up in botnets. For instance, look at AS701 http://www.cidr-report.org/cgi-bin/as-report?as=AS701&view=4637 Lots of /24's, but even if you add it all up, barely a single /9 if that much *total*. And I bet most of those /24's just have a handful of routers on them.
And numbers should cover a 7-day period, not 5 days. In addition, for each category you should provide a fixed cutoff. The CIDR report shows the top 30 ASNs.
If we're playing the "shame game" the way the CIDR report is, an interesting metric might be "bots divided by announced address space" (so for instance AS1312 would have it 6 or 10 bots(*) divided by its 2 /16s). I wonder if the numbers for "consumer broadband" versus "universities" will look significantly different when done that way. (*) Yes, our AS isn't perfectly clean. We've got a resnet in our address space, where the best we can do is provide user education and play whack-a-mole as we find them....