nanog mailing list archives

Re: Counting tells you if you are making progress


From: "Todd Vierling" <tv () pobox com>
Date: Wed, 21 Feb 2007 10:53:40 -0500


On 2/21/07, Sean Donelan <sean () donelan com> wrote:
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses.

This issue is actually quite large.  Cable-based consumer broadband
tends to use DHCP with relatively long leases, so the IPs there don't
change a whole lot.  PPPoE DSL-based broadband, however, usually
changes IPs many times a day, as even a small amount of idle time
typically triggers a "disconnect" (and upon reconnect, a new IP is
assigned by whichever PPPoE concentrator "answered the call").

Some DSL providers (*cough*SBCATTBLS*wheeze*) push very hard for the
installation of their specialized connection monitoring software
(whose vendor, if expressed as initials, is also a nickname for a lewd
act ;), which further compounds the problem.  That software tries Hard
to keep the connection closed during any idle time, starting up only
on an on-demand basis when socket connection requests occur.

> It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses.

This problem is not nearly so huge, as "home networks" are not
particularly common compared to the scale of PPPoE deployment.  The
"home network" averages at most 2-3 machines, if that; I've seen
plenty of wireless routers installed for the sole purpose of making it
easier for a single computer to reach the DSL connection at the wall
jack.

I'd say it's severely biased in the overestimation direction -- but
that's not to say it isn't a problem, because zombies Suck.

--
-- Todd Vierling <tv () duh org> <tv () pobox com> <todd () vierling name>
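As an added illustration, not part of this thread or anyone's posted code: a small Python sketch of the attribution step that removes the dynamic-address bias discussed above, joining each sighting with constructed lease records (an assumed DHCP/PPPoE lease export format; real RADIUS/DHCP logs differ) so that subscribers are counted rather than addresses. The NAT case is not resolved by this step, since several hosts behind one subscriber's router still appear as a single subscriber, so the result remains a lower bound on hosts.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Lease:  # one address assignment from an assumed DHCP/PPPoE lease export
    ip: str
    subscriber: str
    start: datetime
    end: datetime

def subscriber_at(ip, when, leases):
    """Subscriber holding `ip` at time `when`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.subscriber
    return None

def count_compromised(sightings, leases):
    """Return (unique_ips, unique_subscribers, unresolved_sightings)."""
    unique_ips = {ip for ip, _ in sightings}
    subscribers, unresolved = set(), 0
    for ip, when in sightings:
        who = subscriber_at(ip, when, leases)
        if who is None:
            unresolved += 1  # no lease record: leave unattributed, do not guess
        else:
            subscribers.add(who)
    return len(unique_ips), len(subscribers), unresolved

def T(h, m):
    return datetime(2007, 2, 21, h, m)

# Constructed sample data: one PPPoE subscriber cycles through three IPs in a
# day, one of those IPs is later handed to another subscriber, and one cable
# subscriber keeps a single IP all day (hosts behind its NAT stay invisible).
LEASES = [
    Lease("10.0.0.5", "dsl-0001", T(8, 0), T(9, 30)),
    Lease("10.0.0.9", "dsl-0001", T(9, 31), T(12, 0)),
    Lease("10.0.0.17", "dsl-0001", T(12, 5), T(23, 59)),
    Lease("10.0.0.5", "dsl-0007", T(9, 40), T(23, 59)),
    Lease("192.0.2.40", "cable-0042", T(0, 0), T(23, 59)),
]
SIGHTINGS = [  # (source IP, time) of bot check-ins seen at a sinkhole, constructed
    ("10.0.0.5", T(8, 15)), ("10.0.0.9", T(10, 0)), ("10.0.0.17", T(13, 0)),
    ("10.0.0.5", T(14, 0)), ("192.0.2.40", T(9, 0)), ("192.0.2.40", T(21, 0)),
    ("198.51.100.3", T(11, 0)),  # address with no lease record at all
]

print(count_compromised(SIGHTINGS, LEASES))  # (5, 3, 1)
```

Five distinct addresses collapse to three subscribers once the lease timeline is applied, and the reused 10.0.0.5 is correctly split between two subscribers instead of being merged into one.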

