[95067] in North American Network Operators' Group
Re: Counting tells you if you are making progress
daemon@ATHENA.MIT.EDU (Gadi Evron)
Wed Feb 21 00:44:38 2007
Date: Tue, 20 Feb 2007 23:42:13 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0702202319200.2548@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
On Wed, 21 Feb 2007, Sean Donelan wrote:
>
>
> If you can't measure a problem, it's difficult to tell if you are
> making things better or worse.
>
> On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> > I don't understand why you don't believe those numbers. The estimates
> > that people are making are based on externally-observed known-hostile
> > behavior by the systems in question: they're sending spam, performing
> > SSH attacks, participating in botnets, controlling botnets, hosting
> > spamvertised web sites, handling phisher DNS, etc. They're not based
> > on things like mere downloads or similar. As Joe St. Sauver pointed
> > out to me, "a million compromised systems a day is quite reasonable,
> > actually (you can track it by rsync'ing copies of the CBL and cumulating
> > the dotted quads over time)".
>
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses. It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.
>
> How do you measure if changes are actually making a difference?
>
NAT on the one end, DHCP on the other. Time-based calculations along with
OS/Client fingerprinting often seem to produce interesting results.
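The two biases in the quoted message (DHCP churn inflating a per-IP count, NAT deflating it) and the time-plus-fingerprint correction suggested in the reply can be made concrete. The following is an added example, not code from the thread or from the CBL project: it takes a constructed abuse-feed extract of (first seen, last seen, IP, passive OS fingerprint) rows, compares the naive distinct-IP count with an estimate that, within each address pool, counts one host per fingerprint unless the same fingerprint is seen on two addresses at the same time (in which case it must be two hosts). The pool inventory, addresses and fingerprint labels are all assumptions for the example.

```python
"""Estimate compromised-host counts from an abuse feed while correcting
for DHCP churn (one host seen on many addresses) and NAT (many hosts
behind one address).  Added example; all data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed feed extract: one row per (address, fingerprint) with the
# first and last day the pair was observed misbehaving.
SIGHTINGS = [
    # Dynamic pool 10.1.0.0/24: one host re-leased to four addresses in turn.
    ("2007-02-01", "2007-02-02", "10.1.0.5",  "winxp-sp2"),
    ("2007-02-03", "2007-02-04", "10.1.0.17", "winxp-sp2"),
    ("2007-02-05", "2007-02-06", "10.1.0.40", "winxp-sp2"),
    ("2007-02-07", "2007-02-08", "10.1.0.9",  "winxp-sp2"),
    # NAT address 192.0.2.10: three distinct hosts share one address.
    ("2007-02-01", "2007-02-08", "192.0.2.10", "winxp-sp2"),
    ("2007-02-02", "2007-02-05", "192.0.2.10", "win2000"),
    ("2007-02-03", "2007-02-04", "192.0.2.10", "linux-2.4"),
    # Dynamic pool 10.2.0.0/24: the same fingerprint on two addresses at
    # the same time, so it has to be two different hosts.
    ("2007-02-01", "2007-02-03", "10.2.0.3", "win98"),
    ("2007-02-02", "2007-02-04", "10.2.0.9", "win98"),
]

# Assumed pool inventory; an operator would take this from their own IPAM.
DYNAMIC_POOLS = [ipaddress.ip_network("10.1.0.0/24"),
                 ipaddress.ip_network("10.2.0.0/24")]


def pool_key(ip_str):
    """Unit of counting: the dynamic pool an address belongs to, or the
    address itself for NAT/static addresses."""
    ip = ipaddress.ip_address(ip_str)
    for net in DYNAMIC_POOLS:
        if ip in net:
            return str(net)
    return str(ip)


def naive_ips_by_pool(sightings):
    """What a plain 'count the dotted quads' approach yields per pool."""
    ips = defaultdict(set)
    for _, _, ip, _ in sightings:
        ips[pool_key(ip)].add(ip)
    return {key: len(v) for key, v in ips.items()}


def naive_ip_count(sightings):
    return len({ip for _, _, ip, _ in sightings})


def min_concurrent(intervals):
    """Minimum number of hosts needed to explain the sightings of one
    fingerprint in one pool: the peak number of simultaneously active
    intervals.  A lease ending and another starting on the same day is
    treated as the same host moving address (-1 sorts before +1)."""
    events = []
    for start, end in intervals:
        events.append((start, +1))
        events.append((end, -1))
    events.sort()
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best


def estimate_hosts_by_pool(sightings):
    """Per pool, sum over fingerprints of the minimum concurrent hosts."""
    groups = defaultdict(lambda: defaultdict(list))
    for first, last, ip, fp in sightings:
        start = datetime.strptime(first, "%Y-%m-%d")
        end = datetime.strptime(last, "%Y-%m-%d")
        groups[pool_key(ip)][fp].append((start, end))
    return {key: sum(min_concurrent(iv) for iv in fps.values())
            for key, fps in groups.items()}


def estimate_hosts(sightings):
    return sum(estimate_hosts_by_pool(sightings).values())


if __name__ == "__main__":
    print("naive distinct IPs:", naive_ip_count(SIGHTINGS), naive_ips_by_pool(SIGHTINGS))
    print("fingerprint+time estimate:", estimate_hosts(SIGHTINGS), estimate_hosts_by_pool(SIGHTINGS))
```

On the constructed data the naive count is 7 addresses against an estimate of 6 hosts, but the per-pool breakdown is the useful part: the dynamic pool shows 4 addresses for 1 host (overcount) and the NAT address shows 1 address for 3 hosts (undercount), so a cross-network comparison of raw address counts would rank the two the wrong way round. The estimate is a lower bound per pool: two different hosts with an identical fingerprint that never overlap in time collapse into one, so the coarser the fingerprint, the more the dynamic-pool figure errs low.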