On Wed, 21 Feb 2007, Sean Donelan wrote:
>
> > If you can't measure a problem, it's difficult to tell if you are
> > making things better or worse.
>
> On Tue, 20 Feb 2007, Rich Kulawiec wrote:
> > I don't understand why you don't believe those numbers. The estimates
> > that people are making are based on externally-observed known-hostile
> > behavior by the systems in question: they're sending spam, performing
> > SSH attacks, participating in botnets, controlling botnets, hosting
> > spamvertised web sites, handling phisher DNS, etc. They're not based
> > on things like mere downloads or similar. As Joe St. Sauver pointed
> > out to me, "a million compromised systems a day is quite reasonable,
> > actually (you can track it by rsync'ing copies of the CBL and cumulating
> > the dotted quads over time)".
>
> Counting IP addresses tends to greatly overestimate and underestimate
> the problem of compromised machines.
>
> It tends to overestimate the problem in networks with large dynamic
> pools of IP addresses as a few compromised machines re-appear across
> multiple IP addresses. It tends to underestimate the problem in
> networks with small NAT pools with multiple machines sharing a few IP
> addresses. Differences between networks may reflect different address
> pool management algorithms rather than different infection rates.
>
> How do you measure if changes are actually making a difference?
>
NAT on the one end, DHCP on the other. Time-based calculations along with OS/Client fingerprinting often seem to produce interesting results.
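An added illustration of the time-based plus fingerprint approach the reply alludes to (my example, not code from anyone in the thread): it counts hosts per (address pool, fingerprint) within a lease window instead of distinct dotted quads, so a host hopping through a dynamic pool collapses to one and several fingerprints behind one NAT address expand to several. The 24-hour window, the pool definition, the fingerprint strings and the sightings are all constructed assumptions.

```python
"""Count compromised hosts rather than IP addresses (added example).

Assumptions: one (pool, fingerprint) seen on several addresses within a
lease window is one host moving between addresses; several fingerprints
behind one address in the same window are several hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LEASE_WINDOW = timedelta(hours=24)  # assumed DHCP lease/reuse window

# Known dynamic pools (assumption; TEST-NET-3 stands in for a real pool)
POOLS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sightings: (timestamp, source IP, OS/client fingerprint)
SIGHTINGS = [
    (datetime(2007, 2, 20, 0, 0), "203.0.113.10", "win/ttl128/mss1460"),
    (datetime(2007, 2, 20, 6, 0), "203.0.113.45", "win/ttl128/mss1460"),
    (datetime(2007, 2, 20, 12, 0), "203.0.113.99", "win/ttl128/mss1460"),
    (datetime(2007, 2, 20, 3, 0), "198.51.100.7", "win/ttl128/mss1460"),
    (datetime(2007, 2, 20, 3, 5), "198.51.100.7", "linux/ttl64/mss1460"),
    (datetime(2007, 2, 20, 4, 0), "198.51.100.7", "win/ttl128/mss1380"),
    (datetime(2007, 2, 22, 0, 0), "203.0.113.10", "win/ttl128/mss1460"),
]

def naive_ip_count(sightings):
    """The dotted-quad count: one compromised machine per distinct address."""
    return len({ip for _, ip, _ in sightings})

def pool_for(ip, pools):
    """Dynamic pool containing ip, or the address itself as a /32."""
    addr = ipaddress.ip_address(ip)
    for net in pools:
        if addr in net:
            return str(net)
    return str(ipaddress.ip_network(f"{ip}/32"))

def estimate_hosts(sightings, pools, window=LEASE_WINDOW):
    """Hosts per pool: one per (pool, fingerprint) per run of sightings
    with no gap longer than window; a longer gap starts a new host."""
    last_seen, counts = {}, defaultdict(int)
    for ts, ip, fp in sorted(sightings):
        key = (pool_for(ip, pools), fp)
        if key not in last_seen or ts - last_seen[key] > window:
            counts[key[0]] += 1
        last_seen[key] = ts
    return dict(counts)

def total_hosts(sightings, pools, window=LEASE_WINDOW):
    return sum(estimate_hosts(sightings, pools, window).values())
```

On the constructed data the naive count is 4 addresses while the estimate is 5 hosts: three pool addresses collapse to two hosts (the second appears after the window lapses) and the single NAT address expands to three.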