[95084] in North American Network Operators' Group
Re: Counting tells you if you are making progress
daemon@ATHENA.MIT.EDU (Todd Vierling)
Mon Feb 26 18:09:09 2007
Date: Fri, 23 Feb 2007 21:37:08 -0500
From: "Todd Vierling" <tv@pobox.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0702221312400.9172@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu

On 2/22/07, Sean Donelan <sean@donelan.com> wrote:
> On Wed, 21 Feb 2007, Todd Vierling wrote:
> > I'd say it's severely biased in the overestimation direction -- but
> > that's not to say it isn't a problem, because zombies Suck.
>
> People with access to the ppp, dhcp or nat logs for a network can de-dup the
> counts based on IP addresses to come up with better surveys of infected
> computers. They can further correlate the reports with contact
> with the computer owners of how many computers were found with known or unknown
> malware. But we rarely hear data from them.

Because this is a circular problem: such providers want to deny the
problem until there's a sufficient number, and once they take notice,
the de-dup ... reduces the number.
This isn't a technology problem, it's a *business approach* problem.
But now I'm straying OT.
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
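Added example, not part of the original message or thread: a sketch of the de-duplication described in the quoted text, mapping each (timestamp, IP) report to the DHCP client that held the address at that moment and counting distinct clients. The lease and report tuples, the field layout and all function names are constructed for illustration, and leases for one address are assumed not to overlap.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed DHCP lease log: (lease_start, lease_end, ip, client_mac), epoch seconds.
LEASES = [
    (1000, 2000, "192.0.2.10", "aa:aa:aa:00:00:01"),
    (2000, 3000, "192.0.2.11", "aa:aa:aa:00:00:01"),  # same client, new address
    (2100, 3100, "192.0.2.10", "aa:aa:aa:00:00:02"),  # address reassigned to another client
    (1000, 4000, "192.0.2.12", "aa:aa:aa:00:00:03"),
]
# Constructed external infection reports: (epoch, source_ip).
REPORTS = [
    (1500, "192.0.2.10"), (2500, "192.0.2.11"), (2600, "192.0.2.10"),
    (1200, "192.0.2.12"), (3500, "192.0.2.12"), (5000, "192.0.2.13"),
]

def build_index(leases):
    """Group leases per IP, sorted by start time, for interval lookup."""
    by_ip = defaultdict(list)
    for start, end, ip, mac in leases:
        by_ip[ip].append((start, end, mac))
    for spans in by_ip.values():
        spans.sort()
    return by_ip

def client_for(index, ts, ip):
    """Return the MAC holding `ip` at time `ts`, or None if no lease covers it."""
    spans = index.get(ip, [])
    # Last lease whose start is <= ts (assumes leases per IP do not overlap).
    i = bisect_right(spans, (ts, float("inf"), "")) - 1
    if i >= 0 and spans[i][0] <= ts < spans[i][1]:
        return spans[i][2]
    return None

def dedup(reports, leases):
    """Compare raw report and IP counts with the count of distinct clients."""
    index = build_index(leases)
    clients, unmatched = set(), 0
    for ts, ip in reports:
        mac = client_for(index, ts, ip)
        if mac is None:
            unmatched += 1  # report outside any lease: cannot be attributed
        else:
            clients.add(mac)
    return {
        "reports": len(reports),
        "distinct_ips": len({ip for _, ip in reports}),
        "distinct_clients": len(clients),
        "unmatched": unmatched,
    }

if __name__ == "__main__":
    print(dedup(REPORTS, LEASES))
```

Address churn makes one client appear under several IPs, while reassignment hides two clients behind one IP, so the lookup has to be by time interval rather than by address alone.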