North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Counting tells you if you are making progress

  • From: Gadi Evron
  • Date: Wed Feb 21 00:54:34 2007

On Wed, 21 Feb 2007, Sean Donelan wrote:
> If you can't measure a problem, its difficult to tell if you are
> making things better or worse.
> On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> > I don't understand why you don't believe those numbers.  The estimates
> > that people are making are based on externally-observed known-hostile
> > behavior by the systems in question: they're sending spam, performing
> > SSH attacks, participating in botnets, controlling botnets, hosting
> > spamvertised web sites, handling phisher DNS, etc.  They're not based
> > on things like mere downloads or similar.  As Joe St. Sauver pointed
> > out to me, "a million compromised systems a day is quite reasonable,
> > actually (you can track it by rsync'ing copies of the CBL and cummulating
> > the dotted quads over time)".
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses.  It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.
> How do you measure if changes are actually making a difference?

NAT on the one end, DHCP on the other. Time-based calculations along with
OS/Client fingerprinting often seem to produce interesting results.