North American Network Operators Group


Counting tells you if you are making progress

  • From: Sean Donelan
  • Date: Wed Feb 21 00:37:57 2007

If you can't measure a problem, it's difficult to tell if you are
making things better or worse.

On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> I don't understand why you don't believe those numbers.  The estimates
> that people are making are based on externally-observed known-hostile
> behavior by the systems in question: they're sending spam, performing
> SSH attacks, participating in botnets, controlling botnets, hosting
> spamvertised web sites, handling phisher DNS, etc.  They're not based
> on things like mere downloads or similar.  As Joe St. Sauver pointed
> out to me, "a million compromised systems a day is quite reasonable,
> actually (you can track it by rsync'ing copies of the CBL and cumulating
> the dotted quads over time)".

Counting IP addresses tends to greatly overestimate and underestimate the problem of compromised machines.

It tends to overestimate the problem in networks with large dynamic
pools of IP addresses as a few compromised machines re-appear across
multiple IP addresses.  It tends to underestimate the problem in
networks with small NAT pools with multiple machines sharing a few IP
addresses. Differences between networks may reflect different address
pool management algorithms rather than different infection rates.

How do you measure if changes are actually making a difference?
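The two biases described in this post can be made visible with a small simulation. The following is an added example, not code from the original post or from the CBL project: it applies the "cumulate the dotted quads over time" method to two constructed networks, one with a large dynamic address pool and one with a small NAT pool, and compares three estimators against a simulated ground truth that a real operator would not have. All hosts, addresses and counts are constructed; the 198.18.0.0/15 and 203.0.113.0/24 ranges are used only as placeholders.

```python
# Added example, not part of the original NANOG post. Simulates daily
# blocklist listings for two constructed networks and shows how counting
# distinct IP addresses over- and under-estimates infected hosts.
import ipaddress
import random


def simulate_dynamic_pool(n_infected, pool_size, days, seed=0):
    """Large dynamic pool: each infected host receives a fresh random lease
    from the pool every day, so one machine surfaces under many addresses.
    Returns one set of listed addresses per day (constructed data)."""
    rng = random.Random(seed)
    base = int(ipaddress.IPv4Address("198.18.0.0"))  # placeholder range
    pool = [str(ipaddress.IPv4Address(base + i)) for i in range(pool_size)]
    return [set(rng.sample(pool, n_infected)) for _ in range(days)]


def simulate_nat_pool(n_infected, nat_addresses, days):
    """Small NAT pool: n_infected hosts share nat_addresses public addresses,
    so the listing can never show more than nat_addresses entries, and it
    shows the same ones every day (constructed data)."""
    base = int(ipaddress.IPv4Address("203.0.113.0"))  # placeholder range
    public = {str(ipaddress.IPv4Address(base + i)) for i in range(nat_addresses)}
    return [set(public) for _ in range(days)]


def cumulate_addresses(daily_listings):
    """The counting method quoted in the post: the union of every dotted quad
    listed on any day of the observation window."""
    seen = set()
    for listing in daily_listings:
        seen |= listing
    return len(seen)


def estimators(daily_listings):
    """Three estimates of 'compromised machines' derived from the same daily
    listings, returned side by side so their biases can be compared."""
    if not daily_listings:
        return {"cumulative_union": 0, "mean_daily": 0.0, "peak_daily": 0}
    sizes = [len(d) for d in daily_listings]
    return {
        "cumulative_union": cumulate_addresses(daily_listings),
        "mean_daily": sum(sizes) / len(sizes),
        "peak_daily": max(sizes),
    }


def bias_ratios(true_hosts, daily_listings):
    """Estimate divided by the simulated ground truth: a ratio above 1 is an
    overestimate, below 1 an underestimate."""
    return {k: v / true_hosts for k, v in estimators(daily_listings).items()}


if __name__ == "__main__":
    # Constructed scenario A: 50 infected hosts on a 4096-address dynamic pool.
    dynamic = simulate_dynamic_pool(n_infected=50, pool_size=4096, days=30, seed=1)
    # Constructed scenario B: 500 infected hosts behind 4 NAT addresses.
    nat = simulate_nat_pool(n_infected=500, nat_addresses=4, days=30)
    for name, truth, listings in (("dynamic pool", 50, dynamic), ("NAT pool", 500, nat)):
        print(name, "true hosts =", truth)
        for k, v in bias_ratios(truth, listings).items():
            print(f"  {k:17s} estimate/truth = {v:.2f}")
```

In scenario A the cumulative union climbs well past the 50 real hosts while the daily counts stay at 50; in scenario B every estimator is pinned at 4 no matter how many hosts sit behind the NAT. Since ground truth is unavailable on a real network, the defensible use of these counts is the one the post is asking about: the same estimator applied to the same network over time, not a cumulative total compared across networks whose address pool management differs.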