I would appreciate a bit of advice on a service I am about to deploy. I've spoken at different venues (including NANOG) on global infection rates of bots and the general degradation of well-behaved hosts.
I now track around 2.2M abuse events per day and now have the capability to produce reports for the community on which networks have the largest problems. I am prepared to make reports monthly to the community ordering networks by their volume of issues.
I'd like some hints of which might be the most valuable to the community.
o are host counts or issue counts more important?
o is a 7 or 30 day window sufficient for aggregation?
o I'm not prepared for graphs yet so don't go there.
o should I post sub-reports for regions, by RIR?
o which kinds of abuse are more interesting?
I'm expecting to post a weekly report once a month to NANOG; would this be disruptive? We have a mailing list set up for weekly reports; once finalized, I'll post the location for its list manager.
The global report usually has about 6,000+ networks, the top 100 from last week are below.
Again, thanks for your feedback.
-rick
Table 1. Networks with abuse, ordered by #incidents