advise on network security report

Rick,

It would be interesting to know how you classify "incidents" in the
table below....

- ferg

Fergie wrote:

Rick,

It would be interesting to know how you classify "incidents" in the
table below....

any one of the following:

  o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
  o hosting malware or phishing sites, open proxies
  o sending LOTS of SPAM, virus
  o IRC abuse
  o Botnet C&C
  o hopping glue/fast flux
  o abusive, vulnerable web servers

Should I track other things? I'm always open to new data sources...

-rick

Some of those are clearly ludicrous to count as "incidents" at all, and some
of them aren't obviously a single incident by any reasonable measure, so if you're
planning to aggregate them all together into a single count, the end
result is also going to be worthless. Some other way of aggregating
the data might be more useful.

(I also suspect that a subjective popularity contest list of providers is
not likely to be viewed as operational by many on nanog, though I
think some of the underlying data might be).

Cheers,
   Steve

o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
o hosting malware or phishing sites, open proxies
o sending LOTS of SPAM, virus
o IRC abuse
o Botnet C&C
o hopping glue/fast flux
o abusive, vulnerable web servers

Some of those are clearly ludicrous to count as "incidents" at all

oh? which?

i can see some not being clearly incidents, but rather operational
states, e.g. a vulnerable server/service. but ludicrous?

randy

Well, the data sources that have a significant false positive rate are
going to count many things as "incidents" that are anything but.
If sending closed-loop, opt-in email is considered equivalent to
hosting a botnet command and control network... the data is
meaningless.

In the hope of not pulling the blacklist trolls out of the woodwork
I'm not going to be more specific as to which of those data sources
have noticeable false positive issues, but I'm sure you get my point.

Cheers,
   Steve
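One way to act on the objections raised in this thread (a single "incident" count mixes very different things, repeated reports are not separate incidents, and some feeds have a noticeable false-positive rate) is to keep the categories apart and weight each report by how much the source is trusted. The following is an added example, not code from the thread or from Rick's report; the kind-to-category mapping, the per-source confidence weights and the sample reports (TEST-NET addresses) are all constructed assumptions.

```python
"""Per-category, source-weighted aggregation of abuse reports.

Added illustration for the thread above; every mapping, weight and
report below is a constructed assumption, not data from the report.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    provider: str  # network the offending host belongs to
    host: str      # IP or hostname that was reported
    kind: str      # one of the KIND_TO_CATEGORY keys
    source: str    # feed that produced the report
    day: str       # YYYY-MM-DD the report was received


# Hypothetical grouping of the thread's list into a few categories so
# a DNSBL listing is never added to the same column as a botnet C&C.
KIND_TO_CATEGORY = {
    "dnsbl_listing": "reputation",
    "malware_host": "hosting",
    "phishing_host": "hosting",
    "open_proxy": "hosting",
    "spam": "outbound",
    "virus": "outbound",
    "irc_abuse": "outbound",
    "botnet_cc": "control",
    "fast_flux": "control",
    "vulnerable_server": "state",   # an operational state, not an event
}

# Hypothetical confidence per source: how much one report from that feed
# should count, given its known false-positive rate. Unknown feeds get 0.5.
SOURCE_CONFIDENCE = {
    "manual_review": 1.0,
    "honeypot": 0.9,
    "feed_b": 0.6,
    "dnsbl_a": 0.3,
}


def dedupe(reports):
    """Collapse repeated reports of the same host/kind/day into one incident."""
    seen = set()
    unique = []
    for r in reports:
        key = (r.provider, r.host, r.kind, r.day)
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def aggregate(reports):
    """Return per-provider counts: naive total, per-category totals, weighted score."""
    result = {}
    for r in dedupe(reports):
        entry = result.setdefault(
            r.provider,
            {"naive": 0, "by_category": defaultdict(int), "weighted": 0.0},
        )
        entry["naive"] += 1                        # the single-count view
        entry["by_category"][KIND_TO_CATEGORY[r.kind]] += 1
        entry["weighted"] += SOURCE_CONFIDENCE.get(r.source, 0.5)
    for entry in result.values():
        entry["by_category"] = dict(entry["by_category"])
        entry["weighted"] = round(entry["weighted"], 2)
    return result


# Constructed sample: net-a collects three low-confidence DNSBL listings
# (one of them reported twice); net-b has one confirmed botnet C&C.
SAMPLE_REPORTS = [
    Report("net-a", "192.0.2.10", "dnsbl_listing", "dnsbl_a", "2007-03-01"),
    Report("net-a", "192.0.2.10", "dnsbl_listing", "dnsbl_a", "2007-03-01"),
    Report("net-a", "192.0.2.11", "dnsbl_listing", "dnsbl_a", "2007-03-01"),
    Report("net-a", "192.0.2.12", "dnsbl_listing", "dnsbl_a", "2007-03-02"),
    Report("net-b", "198.51.100.5", "botnet_cc", "manual_review", "2007-03-01"),
]


if __name__ == "__main__":
    for provider, summary in sorted(aggregate(SAMPLE_REPORTS).items()):
        print(provider, summary)
```

On the sample, the naive count ranks net-a (3) above net-b (1), while the per-category view shows net-a's problems are all "reputation" entries from a low-confidence feed and net-b hosts command and control; the weighted score (0.9 vs 1.0) reflects that without hiding the categories.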