Counting tells you if you are making progress

• From: Sean Donelan
• Date: Wed Feb 21 00:37:57 2007

If you can't measure a problem, its difficult to tell if you are
making things better or worse.

I don't understand why you don't believe those numbers.  The estimates
that people are making are based on externally-observed known-hostile
behavior by the systems in question: they're sending spam, performing
SSH attacks, participating in botnets, controlling botnets, hosting
spamvertised web sites, handling phisher DNS, etc.  They're not based
on things like mere downloads or similar.  As Joe St. Sauver pointed
out to me, "a million compromised systems a day is quite reasonable,
actually (you can track it by rsync'ing copies of the CBL and cummulating
the dotted quads over time)".

Counting IP addresses tends to greatly overestimate and underestimate
the problem of compromised machines.

It tends to overestimate the problem in networks with large dynamic
pools of IP addresses as a few compromised machines re-appear across
multiple IP addresses.  It tends to underestimate the problem in
networks with small NAT pools with multiple machines sharing a few IP
addresses. Differences between networks may reflect different address
pool management algorithms rather than different infection rates.

• Follow-Ups:
  • Re: Counting tells you if you are making progress Rich Kulawiec
  • Re: Counting tells you if you are making progress Gadi Evron

• References:
  • RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry] michael.dillon
  • Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry] Simon Waters
  • Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry] Rich Kulawiec

• Prev by Date: Re: Interland dead?
• Next by Date: Re: Counting tells you if you are making progress
• Date Index
• Thread Index
• Author Index
• Historical