nanog mailing list archives
Counting tells you if you are making progress
From: Sean Donelan <sean () donelan com>
Date: Wed, 21 Feb 2007 00:31:30 -0500 (EST)
If you can't measure a problem, it's difficult to tell if you are making things better or worse.

On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> I don't understand why you don't believe those numbers. The estimates that people are making are based on externally-observed known-hostile behavior by the systems in question: they're sending spam, performing SSH attacks, participating in botnets, controlling botnets, hosting spamvertised web sites, handling phisher DNS, etc. They're not based on things like mere downloads or similar. As Joe St. Sauver pointed out to me, "a million compromised systems a day is quite reasonable, actually (you can track it by rsync'ing copies of the CBL and cumulating the dotted quads over time)".

Counting IP addresses tends to greatly overestimate and underestimate the problem of compromised machines. It tends to overestimate the problem in networks with large dynamic pools of IP addresses as a few compromised machines re-appear across multiple IP addresses. It tends to underestimate the problem in networks with small NAT pools with multiple machines sharing a few IP addresses. Differences between networks may reflect different address pool management algorithms rather than different infection rates.

How do you measure if changes are actually making a difference?
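
The counting effect described in the message above, as an added example that is not part of the original post: a small simulation in which the number of compromised machines stays fixed while an outside observer accumulates distinct hostile IP addresses over time. The pool sizes, lease lengths, machine counts and the function name are constructed assumptions for illustration.

```python
import random

def cumulative_ips(infected, pool_size, days, lease_days, shared=False, seed=1):
    """Distinct source IPs an outside observer accumulates over `days`.

    infected   -- true number of compromised machines (held constant)
    pool_size  -- addresses in the network's pool
    lease_days -- how often machines are renumbered
    shared     -- True for NAT, where machines share pool addresses
    """
    rng = random.Random(seed)          # fixed seed so runs are repeatable
    seen, current = set(), []
    for day in range(days):
        if day % lease_days == 0:      # renumbering event
            if shared:
                # NAT: each machine maps onto one of a few public addresses
                current = [rng.randrange(pool_size) for _ in range(infected)]
            else:
                # Dynamic pool: each machine holds its own distinct address
                current = rng.sample(range(pool_size), infected)
        seen.update(current)           # observer logs today's hostile IPs
    return len(seen)

# Constructed scenarios (assumed values, not measurements).
SCENARIOS = {
    "dynamic pool, daily renumbering": dict(
        infected=10, pool_size=5000, days=30, lease_days=1),
    "dynamic pool, 30-day leases": dict(
        infected=10, pool_size=5000, days=30, lease_days=30),
    "NAT, 4 public addresses": dict(
        infected=500, pool_size=4, days=30, lease_days=1, shared=True),
}

def report():
    """Map scenario name -> (true machine count, cumulative IP count)."""
    return {name: (kw["infected"], cumulative_ips(**kw))
            for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (machines, ips) in report().items():
        print(f"{name:34s} machines={machines:4d} cumulative IPs={ips:4d}")
```

The two dynamic-pool scenarios have the same ten compromised machines and differ only in lease length, so the gap between their IP counts comes entirely from address management.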