North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Counting tells you if you are making progress
- From: Todd Vierling
- Date: Fri Feb 23 21:40:28 2007
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=ikXVi7y9Mjna7LxZtAQzVH9UzYsejLkwawt0ODXfKnkTY2ExmwhtWHKrjI/LRtbcvX197tikY9kRlgSGcwA7DGWsGEofdjYkTk6Z2AAg3OB5aRC+bnrtgqHhvvhgZ80QhmSVQzVM+pUEjL3hpI7au3lZdS/B7NLz9YCdsbxpNQQ=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=Qk1nOP4pbh+LBoaIb7X4ZwPV+uC6/TPDbmzEWszZ1fsWUZyOOCCXRE0qO7cFljEYMx0yLmog0QVYkEVI11DiS8YU3kL0QGmP2UtvGiYY47c14tJ9/uOMimNrcDLvfuocTmWjkCTjit0xZqdRXgpq4RObcLob7ebb+F7VDzPS0M0=
On 2/22/07, Sean Donelan <sean@xxxxxxxxxxx> wrote:
On Wed, 21 Feb 2007, Todd Vierling wrote:
> I'd say it's severely biased in the overestimation direction -- but
> that's not to say it isn't a problem, because zombies Suck.
People with access to the ppp, dhcp or nat logs for a network can de-dup the
counts based on IP addresses to come up with better surveys of infected
computers. They can further correlate the reports with contact
with the computer owners of how many computers were found with known or unknown
malware. But we rarely hear data from them.
Because this is a circular problem: such providers want to deny the
problem until there's a sufficient number, and once they take notice,
the de-dup ... reduces the number.
This isn't a technology problem, it's a *business approach* problem.
But now I'm straying OT.
-- Todd Vierling <tv@xxxxxxx> <tv@xxxxxxxxx> <todd@xxxxxxxxxxxxx>