On 12-12-14 08:39 AM, Rich Kulawiec wrote:
> - Linux systems are not a significant component of botnets. I've been
> doing passive OS fingerprinting for most of a decade, and they're in
> the noise floor. It's still true now, as it was years ago, that
> bot-originated spam comes from Windows systems to about six 9's.
If only that were still true. Sorry Rich.
Compromised Linux machines (mostly servers) are now responsible for ~40%
of all spam.
The actual _count_ of compromised Linux machines is indeed quite low.
Say 62K out of 8.6M observed compromised machines. About .72%. Two 9's ;-)
But prolific?
I have individual IPs out in the wild that have shoved >1M spams into a
single trap in <48 hours. I have a copy of one of these bots. I
periodically run it on a wimpy dual-Atom linux laptop to characterize
what it's sending at the time. It shoves 65 spams per _second_.
Imagine what a real server could do on industrial grade connections.
And the machine owners don't notice!
> - Better techniques already exist, such as firewalling outbound port 25
> by default and only punching holes for systems that actually need to
> send mail. Another example: monitoring the TCP connection rate to
> port 25 on remote systems -- spam-senders are likely to push it much
> higher than "normal".
Unfortunately, getting people to deploy those is worse than pulling teeth.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
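The port-25 connection-rate check discussed in the thread, as an added example that is not part of the original messages: a Python sliding-window monitor over constructed firewall-style log lines. The log format (`<epoch> <src_ip> <dst_ip> <dst_port>`), the 60-second window and the 20-connection threshold are assumptions chosen for illustration.

```python
"""Outbound SMTP (TCP/25) connection-rate monitor (constructed example).

Input lines have the assumed form:  <epoch_seconds> <src_ip> <dst_ip> <dst_port>
Sources that open more than `max_conns` new port-25 connections inside any
`window_s`-second sliding window are reported with their peak count.
"""
from collections import defaultdict, deque

SMTP_PORT = 25


def parse_line(line):
    """Parse one log line into (ts, src, dst, dport); None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def flag_smtp_rate(lines, window_s=60.0, max_conns=20):
    """Return {src_ip: peak_connections} for sources exceeding max_conns
    port-25 connections within window_s seconds. Timestamps are assumed to
    arrive in order per source, as a tailed firewall log would deliver them."""
    windows = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, dport = rec
        if dport != SMTP_PORT:       # only outbound SMTP is of interest here
            continue
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps that aged out
            q.popleft()
        if len(q) > max_conns:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


# Constructed sample: a legitimate MTA (3 connections/min), a host opening
# 30 SMTP connections in ~9 seconds, unrelated HTTPS traffic and a junk line.
SAMPLE_LOG = (
    [f"{1000 + i * 20} 10.0.0.5 198.51.100.{i} 25" for i in range(3)]
    + [f"{1000 + i * 0.3:.1f} 10.0.0.77 203.0.113.{i} 25" for i in range(30)]
    + ["1001 10.0.0.9 192.0.2.1 443", "garbage line"]
)

if __name__ == "__main__":
    print(flag_smtp_rate(SAMPLE_LOG))   # expected: {'10.0.0.77': 30}
```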