Thread: Re: Counting tells you if you are making progress

2007-02-20 23:42:13
On Wed, 21 Feb 2007, Sean Donelan wrote:
>
> If you can't measure a problem, it's difficult to tell if you are
> making things better or worse.
>
> On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> > I don't understand why you don't believe those numbers.  The estimates
> > that people are making are based on externally-observed known-hostile
> > behavior by the systems in question: they're sending spam, performing
> > SSH attacks, participating in botnets, controlling botnets, hosting
> > spamvertised web sites, handling phisher DNS, etc.  They're not based
> > on things like mere downloads or similar.  As Joe St. Sauver pointed
> > out to me, "a million compromised systems a day is quite reasonable,
> > actually (you can track it by rsync'ing copies of the CBL and cumulating
> > the dotted quads over time)".
>
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses.  It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.
>
> How do you measure if changes are actually making a difference?
>

NAT on the one end, DHCP on the other. Time-based calculations along with
OS/Client fingerprinting often seem to produce interesting results.
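
An added example, not part of the original thread: it compares a plain distinct-IP count with a time-and-fingerprint-aware count on one dynamic-pool network and one NAT network. The observations, the fingerprint labels, treating a /24 as one address pool, and the 3-hour window are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

WINDOW_HOURS = 3  # assumed: sightings this close together are simultaneous

# Constructed sightings: (hour, source_ip, client_fingerprint).
OBSERVATIONS = [
    # Dynamic pool: ONE infected host that gets a new lease every 6 hours.
    (0, "198.51.100.10", "fp-a"),
    (6, "198.51.100.57", "fp-a"),
    (12, "198.51.100.91", "fp-a"),
    (18, "198.51.100.23", "fp-a"),
    # NAT: THREE infected hosts sharing one public address.
    (1, "203.0.113.5", "fp-a"),
    (1, "203.0.113.5", "fp-b"),
    (2, "203.0.113.5", "fp-c"),
]

def network_of(ip):
    # Assumption: one /24 stands in for one provider address pool.
    return str(ip_network(f"{ip}/24", strict=False))

def naive_counts(obs):
    """Distinct source IPs per network (cumulating dotted quads)."""
    ips = defaultdict(set)
    for _, ip, _ in obs:
        ips[network_of(ip)].add(ip)
    return {net: len(seen) for net, seen in ips.items()}

def fingerprint_counts(obs):
    """Per network: for each fingerprint, the peak number of distinct IPs
    seen within one window, summed over fingerprints. Hosts with identical
    fingerprints that are never seen concurrently are still merged."""
    groups = defaultdict(list)
    for hour, ip, fp in obs:
        groups[(network_of(ip), fp)].append((hour, ip))
    totals = defaultdict(int)
    for (net, _), sightings in groups.items():
        totals[net] += max(
            len({ip for h, ip in sightings if start <= h < start + WINDOW_HOURS})
            for start, _ in sightings
        )
    return dict(totals)

if __name__ == "__main__":
    print("distinct IPs      :", naive_counts(OBSERVATIONS))
    print("time + fingerprint:", fingerprint_counts(OBSERVATIONS))
```

On this sample the distinct-IP count ranks the dynamic-pool network as four times worse than the NAT network, while the fingerprint-aware count reverses the ranking.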

