[95069] in North American Network Operators' Group


Re: Counting tells you if you are making progress

daemon@ATHENA.MIT.EDU (Todd Vierling)
Wed Feb 21 10:54:45 2007

Date: Wed, 21 Feb 2007 10:53:40 -0500
From: "Todd Vierling" <tv@pobox.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0702202319200.2548@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu


On 2/21/07, Sean Donelan <sean@donelan.com> wrote:
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses.

This issue is actually quite large.  Cable-based consumer broadband
tends to use DHCP with relatively long leases, so the IPs there don't
change a whole lot.  PPPoE DSL-based broadband, however, usually
changes IPs many times a day, as even a small amount of idle time
typically triggers a "disconnect" (and upon reconnect, a new IP is
assigned by whichever PPPoE concentrator "answered the call").

Some DSL providers (*cough*SBCATTBLS*wheeze*) push very hard for the
installation of their specialized connection monitoring software
(whose vendor, if expressed as initials, is also a nickname for a lewd
act ;), which further compounds the problem.  That software tries Hard
to keep the connection closed during any idle time, starting up only
on an on-demand basis when socket connection requests occur.

> It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses.

This problem is not nearly so huge, as "home networks" are not
particularly common compared to the scale of PPPoE deployment.  The
"home network" averages at most 2-3 machines, if that; I've seen
plenty of wireless routers installed for the sole purpose of making it
easier for a single computer to reach the DSL connection at the wall
jack.

I'd say it's severely biased in the overestimation direction -- but
that's not to say it isn't a problem, because zombies Suck.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
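The two biases the thread describes can be made concrete with a small simulation. This is an added example, not code from the thread or its authors: the sightings below are constructed (documentation-range addresses, synthetic host ids that a real abuse feed would not have), and the peak-concurrent-IP estimator is one defender-side technique for damping dynamic-pool inflation, not something proposed in the thread.

```python
from datetime import datetime, timedelta

# Constructed sightings: (timestamp, source IP, true host id). The host id is
# known only because the data is synthetic; a real feed carries just the IP.
PPPOE = [  # two hosts on a churny PPPoE pool, new address every few hours
    ("2007-02-21T00:10", "203.0.113.10", "host-A"),
    ("2007-02-21T04:20", "203.0.113.57", "host-A"),
    ("2007-02-21T09:30", "203.0.113.91", "host-A"),
    ("2007-02-21T15:40", "203.0.113.23", "host-A"),
    ("2007-02-21T01:00", "203.0.113.77", "host-B"),
    ("2007-02-21T13:00", "203.0.113.140", "host-B"),
]
NAT = [  # three hosts sharing one address behind a home NAT router
    ("2007-02-21T02:00", "198.51.100.5", "host-C"),
    ("2007-02-21T02:05", "198.51.100.5", "host-D"),
    ("2007-02-21T19:00", "198.51.100.5", "host-E"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def unique_ips(sightings):
    """Naive estimate: distinct source addresses over the whole period."""
    return len({ip for _, ip, _ in sightings})

def true_hosts(sightings):
    """Ground truth, available only for synthetic data."""
    return len({host for _, _, host in sightings})

def peak_concurrent_ips(sightings, window=timedelta(hours=1)):
    """Largest number of distinct IPs seen inside any window shorter than the
    typical reassignment interval. A host holds one address at a time, so this
    damps dynamic-pool inflation; it cannot recover hosts hidden behind NAT."""
    events = sorted((parse(ts), ip) for ts, ip, _ in sightings)
    best = 0
    for i, (start, _) in enumerate(events):
        in_window = {ip for t, ip in events[i:] if t - start <= window}
        best = max(best, len(in_window))
    return best

def bias_report(sightings):
    return {"unique_ips": unique_ips(sightings),
            "peak_concurrent_ips": peak_concurrent_ips(sightings),
            "true_hosts": true_hosts(sightings)}

if __name__ == "__main__":
    print("PPPoE pool:", bias_report(PPPOE))  # 6 IPs for 2 hosts
    print("NAT pool:  ", bias_report(NAT))    # 1 IP for 3 hosts
```

The PPPoE set shows the overcount (six addresses, two hosts) shrinking to the right answer under the short-window estimator, while the NAT set shows the undercount that no IP-only method can correct.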
