Counting tells you if you are making progress
Gadi Evron
ge at linuxbox.org
Wed Feb 21 05:42:13 UTC 2007
On Wed, 21 Feb 2007, Sean Donelan wrote:
>
>
> If you can't measure a problem, its difficult to tell if you are
> making things better or worse.
>
> On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> > I don't understand why you don't believe those numbers. The estimates
> > that people are making are based on externally-observed known-hostile
> > behavior by the systems in question: they're sending spam, performing
> > SSH attacks, participating in botnets, controlling botnets, hosting
> > spamvertised web sites, handling phisher DNS, etc. They're not based
> > on things like mere downloads or similar. As Joe St. Sauver pointed
> > out to me, "a million compromised systems a day is quite reasonable,
> > actually (you can track it by rsync'ing copies of the CBL and cummulating
> > the dotted quads over time)".
>
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses. It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.
>
> How do you measure if changes are actually making a difference?
>
NAT on the one end, DHCP on the other. Time-based calculations along with
OS/Client fingerprinting often seem to produce interesting results.
More information about the NANOG
mailing list