nanog mailing list archives
Re: Counting tells you if you are making progress
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 28 Feb 2007 08:19:06 -0500
On Wed, Feb 21, 2007 at 12:31:30AM -0500, Sean Donelan wrote:
> Counting IP addresses tends to greatly overestimate and underestimate the problem of compromised machines. It tends to overestimate the problem in networks with large dynamic pools of IP addresses as a few compromised machines re-appear across multiple IP addresses. It tends to underestimate the problem in networks with small NAT pools with multiple machines sharing a few IP addresses. Differences between networks may reflect different address pool management algorithms rather than different infection rates.
Yes, but (I think) we already knew that. If the goal is to provide a minimum estimate, then we can ignore everything that might cause an underestimate (such as NAT). In order to avoid an overestimate, multiple techniques can be used. For example, observation from multiple points over a period of time much shorter than the average IP address lease time for dynamic pools, use of rDNS to identify static pools, use of rDNS to identify separate dynamic pools (e.g., a system which appears today inside hsd1.oh.comcast.net is highly unlikely to show up tomorrow inside hsd1.nj.comcast.net), classification by OS type (which, BTW, is one way to detect multiple systems behind NAT), and so on.

I think Gadi makes a good point: in one sense, the number doesn't really matter, because sufficiently clueful attackers can already lay their hands on enough to mount attacks worth paying attention to. On the other hand, I still think that it might be worth knowing, because I think "the fix" (or probably more accurately "fixes") (and this is optimistically assuming such exist) may well be very different if we have 50M than if we have 300M on our hands.

---Rsk
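The minimum-estimate method sketched in the reply above, worked through as an added example (not code from the thread or from any poster): sightings are grouped by rDNS pool, static pools count distinct (IP, OS-fingerprint) pairs, and dynamic pools are counted per observation window shorter than the lease time so a host that re-appears under a new lease is not counted twice. The sample sightings, the OS labels and the "static" naming heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): one sensor's sightings of
# suspected bots as (ip, unix_time, rDNS name, passive-OS fingerprint).
OBSERVATIONS = [
    ("10.0.0.5",  0,      "c-10-0-0-5.hsd1.oh.example.net",  "winxp"),
    ("10.0.0.9",  60,     "c-10-0-0-9.hsd1.oh.example.net",  "winxp"),
    ("10.0.0.5",  100000, "c-10-0-0-5.hsd1.oh.example.net",  "winxp"),
    ("10.0.0.7",  100200, "c-10-0-0-7.hsd1.oh.example.net",  "win2k"),
    ("10.0.0.8",  100300, "c-10-0-0-8.hsd1.oh.example.net",  "winxp"),
    ("10.0.0.11", 200000, "c-10-0-0-11.hsd1.oh.example.net", "winxp"),
    ("10.1.1.1",  50,     "host1.static.nj.example.net",     "winxp"),
    ("10.1.1.1",  120,    "host1.static.nj.example.net",     "linux"),
    ("10.1.1.1",  200000, "host1.static.nj.example.net",     "winxp"),
]

def pool_of(rdns):
    """Drop the host label so sightings group by the provider's address pool."""
    return rdns.split(".", 1)[1] if "." in rdns else rdns

def is_static_pool(pool):
    # Assumed naming convention for the sample data; real rDNS conventions vary by ISP.
    return "static" in pool

def naive_ip_count(observations):
    """What a plain 'count the IPs' report would say."""
    return len({ip for ip, _, _, _ in observations})

def minimum_host_estimate(observations, window_seconds):
    """Lower bound on distinct infected hosts.
    Static pools: each distinct (ip, os) pair is one host; the OS fingerprint
    separates machines sharing one address.  Dynamic pools: count distinct
    (ip, os) pairs per observation window and keep the largest window, so a
    host that re-appears under a new lease later is not counted twice.
    window_seconds must be well below the pool's lease time."""
    seen = defaultdict(lambda: defaultdict(set))   # pool -> window -> {(ip, os)}
    for ip, ts, rdns, os_name in observations:
        pool = pool_of(rdns)
        window = 0 if is_static_pool(pool) else ts // window_seconds
        seen[pool][window].add((ip, os_name))
    per_pool = {pool: max(len(s) for s in windows.values())
                for pool, windows in seen.items()}
    return sum(per_pool.values()), per_pool

if __name__ == "__main__":
    total, per_pool = minimum_host_estimate(OBSERVATIONS, window_seconds=3600)
    print("naive IP count:", naive_ip_count(OBSERVATIONS))   # 6
    print("minimum hosts:", total, per_pool)                 # 5
```

Running the same data with a window longer than the lease (say a week) pushes the dynamic pool's count back up to the naive figure, which is the overestimate the quoted message warns about.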