nanog mailing list archives

Re: Counting tells you if you are making progress


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 28 Feb 2007 08:19:06 -0500


On Wed, Feb 21, 2007 at 12:31:30AM -0500, Sean Donelan wrote:
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses.  It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.

Yes, but (I think) we already knew that.  If the goal is to provide
a minimum estimate, then we can ignore everything that might cause
an underestimate (such as NAT).  In order to avoid an overestimate,
multiple techniques can be used.  For example, observation from multiple
points over a period of time much shorter than the average IP address
lease time for dynamic pools, use of rDNS to identify static pools,
use of rDNS to identify separate dynamic pools (e.g., a system which
appears today inside hsd1.oh.comcast.net is highly unlikely to show up
tomorrow inside hsd1.nj.comcast.net), classification by OS type (which,
BTW, is one way to detect multiple systems behind NAT), and so on.

I think Gadi makes a good point: in one sense, the number doesn't really
matter, because sufficiently clueful attackers can already lay their
hands on enough to mount attacks worth paying attention to.

On the other hand, I still think that it might be worth knowing, because
I think "the fix" (or probably more accurately "fixes") (and this is
optimistically assuming such exist) may well be very different if we
have 50M than if we have 300M on our hands.

---Rsk
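The minimum-estimate approach sketched above, as an added example that is not part of the thread: constructed sightings are grouped by rDNS pool, dynamic pools are sliced into windows much shorter than the lease time so one machine cannot be double-counted, and distinct OS fingerprints behind one address are counted as separate machines behind NAT. The hostnames, the "static" label heuristic, the 2-hour window and the record layout are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sightings of hosts seen emitting bot traffic:
# (observed_at, ip, rdns, os_fingerprint). Pools and hostnames are made up.
SIGHTINGS = [
    ("2007-02-20T01:00:00", "10.0.0.5",    "c-10-0-0-5.hsd1.oh.example.net",  "winxp"),
    ("2007-02-20T01:10:00", "10.0.0.9",    "c-10-0-0-9.hsd1.oh.example.net",  "winxp"),
    ("2007-02-20T01:20:00", "10.0.0.9",    "c-10-0-0-9.hsd1.oh.example.net",  "win2k"),
    ("2007-02-21T01:00:00", "10.0.0.40",   "c-10-0-0-40.hsd1.oh.example.net", "winxp"),
    ("2007-02-21T01:05:00", "10.0.0.41",   "c-10-0-0-41.hsd1.oh.example.net", "winxp"),
    ("2007-02-20T02:00:00", "10.1.0.7",    "c-10-1-0-7.hsd1.nj.example.net",  "winxp"),
    ("2007-02-21T02:00:00", "10.1.0.12",   "c-10-1-0-12.hsd1.nj.example.net", "winxp"),
    ("2007-02-20T03:00:00", "203.0.113.8", "mail8.static.example.org",        "linux"),
    ("2007-02-21T03:00:00", "203.0.113.9", "mail9.static.example.org",        "linux"),
]

WINDOW = timedelta(hours=2)   # assumed: far shorter than a typical 24h lease
T0 = datetime(2007, 1, 1)     # fixed origin for numbering windows

def pool_of(rdns):
    """Pool label: the rDNS name minus its host-specific first label
    (e.g. hsd1.oh.example.net). Assumption: 'static' in the label marks
    a statically assigned pool."""
    return rdns.split(".", 1)[1] if "." in rdns else rdns

def naive_count(sightings):
    """Distinct IPs: the figure the post says over- and underestimates."""
    return len({ip for _, ip, _, _ in sightings})

def minimum_infected(sightings, window=WINDOW):
    """Lower-bound machine count per pool.

    Dynamic pool: sightings fall into windows shorter than the lease time,
    so one machine cannot appear twice in a window; within a window,
    distinct (ip, os) pairs are distinct machines (two OS fingerprints on
    one address means NAT). The estimate is the busiest window.
    Static pool: a single window spanning all sightings.
    """
    per_pool = defaultdict(lambda: defaultdict(set))
    for ts, ip, rdns, os_fp in sightings:
        pool = pool_of(rdns)
        slot = 0 if "static" in pool else (datetime.fromisoformat(ts) - T0) // window
        per_pool[pool][slot].add((ip, os_fp))
    return {pool: max(len(machines) for machines in slots.values())
            for pool, slots in per_pool.items()}

if __name__ == "__main__":
    print("naive distinct IPs:", naive_count(SIGHTINGS))
    print("minimum estimate per pool:", minimum_infected(SIGHTINGS))
```

On the sample data the naive IP count is 8, while the lower bound is 6: the two Ohio bots that reappear under new leases collapse to two machines, the NAT'd second OS adds one, and the static hosts count once each.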

