[95066] in North American Network Operators' Group


Counting tells you if you are making progress

daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Feb 21 00:33:30 2007

Date: Wed, 21 Feb 2007 00:31:30 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <20070220163518.GA4351@gsp.org>
Errors-To: owner-nanog@merit.edu
If you can't measure a problem, it's difficult to tell if you are
making things better or worse.

On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> I don't understand why you don't believe those numbers.  The estimates
> that people are making are based on externally-observed known-hostile
> behavior by the systems in question: they're sending spam, performing
> SSH attacks, participating in botnets, controlling botnets, hosting
> spamvertised web sites, handling phisher DNS, etc.  They're not based
> on things like mere downloads or similar.  As Joe St. Sauver pointed
> out to me, "a million compromised systems a day is quite reasonable,
> actually (you can track it by rsync'ing copies of the CBL and cumulating
> the dotted quads over time)".

Counting IP addresses tends to greatly overestimate and underestimate
the problem of compromised machines.

It tends to overestimate the problem in networks with large dynamic
pools of IP addresses as a few compromised machines re-appear across
multiple IP addresses.  It tends to underestimate the problem in
networks with small NAT pools with multiple machines sharing a few IP
addresses. Differences between networks may reflect different address
pool management algorithms rather than different infection rates.

How do you measure if changes are actually making a difference?
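The measurement bias Sean describes can be made concrete with a small model. This is an added example, not code from the thread or from the CBL: it cumulates daily blocklist listings the way the quoted method does, then feeds it listings generated under two constructed addressing models (a large dynamic pool, and a few NAT addresses shared by many hosts). Host counts, pool sizes and the address hop are assumptions chosen for illustration.

```python
# Added example (not from the NANOG thread): a deterministic model of why
# cumulating blocklisted IP addresses over time over-counts compromised
# hosts behind large dynamic pools and under-counts them behind small NAT
# pools. All host counts, pool sizes and lease behaviour are constructed.
from ipaddress import IPv4Address


def cumulate_listings(daily_listings):
    """Union of every day's listed addresses (the 'cumulate the dotted
    quads over time' method). Returns how many distinct addresses were
    ever listed, which is what gets reported as 'compromised systems'."""
    seen = set()
    for listing in daily_listings:
        seen.update(listing)
    return len(seen)


def dynamic_pool_listings(infected_hosts, pool_size, days, hop=7):
    """Each infected host draws a fresh address from a large dynamic pool
    every day. The hop is chosen so hosts never collide during the run,
    so the same few machines re-appear on many addresses."""
    base = int(IPv4Address("10.0.0.0"))  # constructed pool base
    for day in range(days):
        yield {str(IPv4Address(base + (h + hop * day) % pool_size))
               for h in range(infected_hosts)}


def nat_pool_listings(infected_hosts, nat_addresses, days):
    """Many infected hosts share a few public addresses. The blocklist only
    ever sees the NAT's outside address, so it cannot tell hosts apart."""
    base = int(IPv4Address("192.0.2.0"))  # constructed NAT outside range
    for _ in range(days):
        yield {str(IPv4Address(base + h % nat_addresses))
               for h in range(infected_hosts)}


def estimate_error(observed, actual):
    """Ratio of the blocklist-derived count to the true number of hosts:
    greater than 1 is an overestimate, less than 1 an underestimate."""
    return observed / actual


if __name__ == "__main__":
    d = cumulate_listings(dynamic_pool_listings(3, 1000, 30))
    n = cumulate_listings(nat_pool_listings(40, 4, 30))
    print(f"dynamic pool: 3 real hosts, {d} addresses listed "
          f"({estimate_error(d, 3):.0f}x over)")
    print(f"NAT pool: 40 real hosts, {n} addresses listed "
          f"({estimate_error(n, 40):.2f}x under)")
```

Running it lists 90 addresses for 3 hosts under the dynamic pool and 4 addresses for 40 hosts behind NAT, so two networks with the same number of infected machines can report counts differing by more than two orders of magnitude purely because of address pool management.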