nanog mailing list archives
Re: Counting tells you if you are making progress
From: "Todd Vierling" <tv () pobox com>
Date: Wed, 21 Feb 2007 10:53:40 -0500
On 2/21/07, Sean Donelan <sean () donelan com> wrote:
> Counting IP addresses tends to greatly overestimate and underestimate the problem of compromised machines. It tends to overestimate the problem in networks with large dynamic pools of IP addresses as a few compromised machines re-appear across multiple IP addresses.

This issue is actually quite large. Cable-based consumer broadband tends to use DHCP with relatively long leases, so the IPs there don't change a whole lot. PPPoE DSL-based broadband, however, usually changes IPs many times a day, as even a small amount of idle time typically triggers a "disconnect" (and upon reconnect, a new IP is assigned by whichever PPPoE concentrator "answered the call"). Some DSL providers (*cough*SBCATTBLS*wheeze*) push very hard for the installation of their specialized connection monitoring software (whose vendor, if expressed as initials, is also a nickname for a lewd act ;), which further compounds the problem. That software tries Hard to keep the connection closed during any idle time, starting up only on an on-demand basis when socket connection requests occur.

> It tends to underestimate the problem in networks with small NAT pools with multiple machines sharing a few IP addresses.

This problem is not nearly so huge, as "home networks" are not particularly common compared to the scale of PPPoE deployment. The "home network" averages at most 2-3 machines, if that; I've seen plenty of wireless routers installed for the sole purpose of making it easier for a single computer to reach the DSL connection at the wall jack. I'd say it's severely biased in the overestimation direction -- but that's not to say it isn't a problem, because zombies Suck.

-- 
-- Todd Vierling <tv () duh org> <tv () pobox com> <todd () vierling name>
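The two biases discussed in this exchange (address churn inflating the count, NAT fan-in deflating it) are easy to see in a sinkhole log once each infection carries a stable identifier. The following is an added example written for this archive page, not code from either poster; the `bot_id` field, the address pools and the sighting records are all constructed assumptions (many bot families do embed a per-infection ID in their C&C traffic, but nothing on this page names one). It counts the same sightings by distinct IP and by distinct infection, and breaks the ratio down per access pool so the overcount and undercount stop cancelling each other in the aggregate.

```python
"""Added example (not from the original NANOG thread): why counting IP
addresses mis-states the number of compromised hosts.

Assumes sinkhole/C&C log records that carry a stable per-infection
identifier (the ``bot_id`` field below is a hypothetical name); where no
such identifier exists, only the per-IP counts are available.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ts: int        # unix seconds at which the sinkhole saw the connection
    src_ip: str    # source address of the connection
    bot_id: str    # stable per-infection identifier (hypothetical field)


H = 3600
# Constructed sample data:
#  - bot "a1" is on PPPoE DSL and gets a new address from 10.0.0.0/24 every hour
#  - bots "b2", "c3", "d4" share one NAT'd cable address in 192.0.2.0/24
#  - bot "e5" sits on a long-lease cable address in 198.51.100.0/24
SIGHTINGS = [
    Sighting(0 * H, "10.0.0.5", "a1"),
    Sighting(1 * H, "10.0.0.17", "a1"),
    Sighting(2 * H, "10.0.0.33", "a1"),
    Sighting(3 * H, "10.0.0.9", "a1"),
    Sighting(0 * H, "192.0.2.10", "b2"),
    Sighting(1 * H, "192.0.2.10", "c3"),
    Sighting(2 * H, "192.0.2.10", "d4"),
    Sighting(0 * H, "198.51.100.7", "e5"),
    Sighting(5 * H, "198.51.100.7", "e5"),
]

# Assumed mapping of address pools to access type (constructed for the example)
POOLS = {
    "pppoe_dsl": ipaddress.ip_network("10.0.0.0/24"),
    "cable_nat": ipaddress.ip_network("192.0.2.0/24"),
    "cable_static": ipaddress.ip_network("198.51.100.0/24"),
}


def count_unique_ips(sightings):
    """The naive metric: distinct source addresses."""
    return len({s.src_ip for s in sightings})


def count_unique_bots(sightings):
    """Distinct infections, using the stable identifier."""
    return len({s.bot_id for s in sightings})


def ips_per_bot(sightings):
    """How many addresses each infection was seen from (address churn)."""
    seen = defaultdict(set)
    for s in sightings:
        seen[s.bot_id].add(s.src_ip)
    return {bot: len(ips) for bot, ips in seen.items()}


def bots_per_ip(sightings):
    """How many distinct infections share each address (NAT fan-in)."""
    seen = defaultdict(set)
    for s in sightings:
        seen[s.src_ip].add(s.bot_id)
    return {ip: len(bots) for ip, bots in seen.items()}


def pool_of(ip, pools=POOLS):
    """Label the access pool an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for label, net in pools.items():
        if addr in net:
            return label
    return "unknown"


def bias_by_pool(sightings, pools=POOLS):
    """Per pool: (unique IPs, unique bots, IPs/bots ratio).

    ratio > 1 means IP counting overstates infections (address churn);
    ratio < 1 means it understates them (NAT sharing).
    """
    groups = defaultdict(list)
    for s in sightings:
        groups[pool_of(s.src_ip, pools)].append(s)
    report = {}
    for label, rows in groups.items():
        ips, bots = count_unique_ips(rows), count_unique_bots(rows)
        report[label] = (ips, bots, ips / bots)
    return report


if __name__ == "__main__":
    print("unique IPs :", count_unique_ips(SIGHTINGS))
    print("unique bots:", count_unique_bots(SIGHTINGS))
    for label, (ips, bots, ratio) in bias_by_pool(SIGHTINGS).items():
        print(f"{label:13s} ips={ips} bots={bots} ratio={ratio:.2f}")
```

On this constructed sample the aggregate numbers (6 addresses versus 5 infections) look almost right, which is exactly the trap: the 4x overcount in the PPPoE pool and the 3x undercount behind the NAT address largely cancel. Tracking the per-pool ratio over successive measurement windows, rather than the headline IP count, is what tells you whether remediation is actually making progress.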