In recent discussions about botnets, some people maintained that botnets (and viruses and worms) are really not a relevant topic for NANOG discussion and are not something that we should be worried about. I think that the CSI and FBI would disagree with that. In a press release announcing the last CSI/FBI survey http://www.gocsi.com/press/20050714.jhtml the following statement appears: Highlights of the 2005 Computer Crime and Security Survey include: - The total dollar amount of financial losses resulting from security breaches is decreasing, with an average loss of $204,000 per respondent-down 61 percent from last year's average loss of $526,000. - Virus attacks continue as the source of the greatest financial losses, accounting for 32 percent of the overall losses reported. - Unauthorized access showed a dramatic increase and replaced denial of service as the second most significant contributor to computer crime losses, accounting for 24 percent of overall reported losses, and showing a significant increase in average dollar loss. So where do botnets come in? First of all, botnets are used to distribute viruses, the largest source of financial losses. Second, botnets are built on what the CSI calls "unauthorised access", the second largest source of loss. And denial of service, which used to be the 2nd largest, is also something that botnets do. Now NANOG members cannot change OS security, they can't change corporate security practices, but they can have an impact on botnets because this is where the nefarious activity meets the network. Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is not used as a primary venue for discussing them. One thing that surveys, such as the CSI/FBI Security Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut down botnets. It's similar to the fight against terrorism. I know that there have been 2 terrorist attacks on London since 9/11 but I don't know HOW MANY ATTACKS HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more. Cleaning up botnets is rather like fighting terrorism. At the end, you have nothing to show for it. No news coverage, no big heaps of praise. Most people aren't sure there was ever a problem to begin with. That doesn't mean that the work should stop or that network providers should withold their support for cleaning up the botnet problem. ------------------------------------------------------- Michael Dillon Capacity Management, 66 Prescot St., London, E1 8HG, UK Mobile: +44 7900 823 672 Internet: michael.dillon@btradianz.com Phone: +44 20 7650 9493 Fax: +44 20 7650 9030 http://www.btradianz.com One Community One Connection One Focus