On Wed, Feb 21, 2007 at 12:31:30AM -0500, Sean Donelan wrote:
Counting IP addresses tends to greatly overestimate and underestimate the problem of compromised machines.
It tends to overestimate the problem in networks with large dynamic pools of IP addresses as a few compromised machines re-appear across multiple IP addresses. It tends to underestimate the problem in networks with small NAT pools with multiple machines sharing a few IP addresses. Differences between networks may reflect different address pool management algorithms rather than different infection rates.
Yes, but (I think) we already knew that. If the goal is to provide a minimum estimate, then we can ignore everything that might cause an underestimate (such as NAT). In order to avoid an overestimate, multiple techniques can be used. For example, observation from multiple points over a period of time much shorter than the average IP address lease time for dynamic pools, use of rDNS to identify static pools, use of rDNS to identify separate dynamic pools (e.g., a system which appears today inside hsd1.oh.comcast.net is highly unlikely to show up tomorrow inside hsd1.nj.comcast.net), classification by OS type (which, BTW, is one way to detect multiple systems behind NAT), and so on.

I think Gadi makes a good point: in one sense, the number doesn't really matter, because sufficiently clueful attackers can already lay their hands on enough to mount attacks worth paying attention to. On the other hand, I still think that it might be worth knowing, because I think "the fix" (or probably more accurately "fixes") (and this is optimistically assuming such exist) may well be very different if we have 50M than if we have 300M on our hands.

---Rsk
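A minimum-estimate counter along the lines Rsk sketches, as an added example that is not part of the original thread: the pool names, addresses and OS fingerprints are constructed, the observation window is assumed to be shorter than the dynamic lease time, and the "static-" rDNS prefix stands in for whatever static-pool heuristic a real survey would use.

```python
import re
from collections import defaultdict

# Constructed observations: (observer, epoch seconds, IP, rDNS name, OS fingerprint).
# The hsd1.oh pool hands out new leases daily, so .10/.11 at t~1000 and .12/.13 a day
# later may well be the same two hosts; 192.0.2.7 shows two OS fingerprints (NAT).
OBSERVATIONS = [
    ("sensor-a", 1000,   "198.51.100.10", "c-198-51-100-10.hsd1.oh.example.net", "Windows"),
    ("sensor-b", 1500,   "198.51.100.11", "c-198-51-100-11.hsd1.oh.example.net", "Windows"),
    ("sensor-a", 90000,  "198.51.100.12", "c-198-51-100-12.hsd1.oh.example.net", "Windows"),
    ("sensor-b", 90100,  "198.51.100.13", "c-198-51-100-13.hsd1.oh.example.net", "Windows"),
    ("sensor-a", 180000, "198.51.100.14", "c-198-51-100-14.hsd1.oh.example.net", "Windows"),
    ("sensor-a", 1200,   "203.0.113.5",   "static-203-0-113-5.example.net",      "Windows"),
    ("sensor-b", 1300,   "203.0.113.5",   "static-203-0-113-5.example.net",      "Windows"),
    ("sensor-a", 1100,   "192.0.2.7",     "c-192-0-2-7.hsd1.nj.example.net",     "Windows"),
    ("sensor-a", 1100,   "192.0.2.7",     "c-192-0-2-7.hsd1.nj.example.net",     "Linux"),
]

POOL_RE = re.compile(r"^[^.]+\.(?P<pool>.+)$")  # strip the host label, keep the pool suffix

def pool_of(rdns):
    m = POOL_RE.match(rdns)
    return m.group("pool") if m else rdns

def is_static(rdns):
    return rdns.startswith("static-")  # assumed heuristic, not a general rule

def distinct_ips(observations):
    """The naive count the thread warns about: one IP == one host."""
    return len({ip for _, _, ip, _, _ in observations})

def minimum_hosts(observations, window):
    """Lower bound on distinct hosts. Each dynamic pool is scored by its busiest window
    shorter than the lease time (distinct (ip, os) pairs, so NAT'd hosts count separately);
    hosts do not migrate between pools, so per-pool lower bounds can be summed. Static
    addresses are their own one-IP pools."""
    groups = defaultdict(list)  # pool or static IP -> [(ts, ip, os)]
    for _, ts, ip, rdns, os_name in observations:
        groups[ip if is_static(rdns) else pool_of(rdns)].append((ts, ip, os_name))
    total = 0
    for recs in groups.values():
        recs.sort()
        best = 0
        for t0, _, _ in recs:
            seen = {(ip, o) for t, ip, o in recs if t0 <= t < t0 + window}
            best = max(best, len(seen))
        total += best
    return total

if __name__ == "__main__":
    print("raw IPs:", distinct_ips(OBSERVATIONS))                 # 7
    print("minimum hosts:", minimum_hosts(OBSERVATIONS, 600))    # 5
```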