[Dshield] Botnet Map

Tomas L. Byrnes tomb at byrneit.net
Wed May 14 03:39:10 GMT 2008

The host IPs are dynamic, but research shows the C&Cs are pretty
long-lived. According to published research, bots flux fast, but C&Cs
have an average half-life of 50 days.

We're putting up a new feature on the ThreatSTOP public site called
"check your logs" where you can put in any list of IP addresses and see
if they're in any threat feeds we use and propagate.

Currently, those are:



Private SSH Cracker and Messenger SPAM

TQM3 (we will be deprecating due to non-maintenance)

Soon to come:

Cyber-TA/SRI Malware Threat Center


Hijacked Prefixes as concorded by PHAS and IAR

Advertised Bogons

Cymru Bogons

So, you can paste the lists you see, and see who they are :-)

Subscribers get reports correlating their logs with the feeds, as well
as dynamic blocking based on them.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> aihomes at comcast.net
> Sent: Tuesday, May 13, 2008 4:44 AM
> To: DShield Discussion List
> Subject: [Dshield] Botnet Map
> http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like
> Really interesting diagram...I wonder how accurate the IP 
> address and host name info is...any thoughts?
> Egan
> Sent from my BlackBerry(r) wireless handheld
