Dynamic IP Addresses
Idea: How can we tell how many infected computers as opposed to IP addresses?
Motivation: Max of ~180,000 unique IPs seen in any 2 hour period, but more than 4 million across ~a week
For /24s, count:
- total number of unique IP addresses seen ever
- maximum number in 2 hour periods
High total, low max ==> lots of address reuse