Netcraft Survey Updated
The latest survey is out and ready for reading from Netcraft. There's some interesting commentary in regards to Code Red, and its effects on web usage. One of the things that I found most interesting was the data showing that while the number of sites hosted by Apache continues to grow, the number of physical webservers running some variety of Windows is about half of the total. Worth checking out.
It will be very interesting to see the subsequent reports and see what effect if any the Gartner Group's report has on the number of IIS servers.
I'm surprised that they don't infer that a large number of those sites were alerted to the fact that they were running IIS when they were hit by code-red. They shut it down because they didn't need it, not because they replaced it!
Amazing how many of the code red servers were displaying the sample page.
Our experience with our access provider is interesting in relation to the Code Red effects described in this report.
We live in a block of office units with shared network access. Our landlord is about as non-tech as they come, the whole company, and outsource the LAN provision.
The phones and LAN went down twice due to Nimda, although our machines were unaffected - being patched!
The operator has given our landlord the following advice: "Cut them off unless they have Norton". So we get a visit from a suit asking if we have Norton on our computers. We don't; we have McAfee. His response?
"Get Norton by Friday or you're being disconnected"
People just don't understand this stuff. We have fully patched machines, which run good virus software, but our PHB landlord denies us access to the network that WE PAY FOR because we chose a different software solution.
- I am the unqualified systems admin for our company, and I've been asked to set us up a crappy website. I only use Windows, so I use IIS
- I am the systems admin for a hosting company, with several dozen servers, each with many virtual hosts for my clients. Naturally I use Apache on L/Unix, as it's secure and reliable, and I know how to use a CLI.
Naturally Apache is going to have a greater number of sites per machine, whereas IIS is going to have a large number of physical machines hosting a single crappy home-made site. This DOES NOT account for the number of Web servers running a particular package to do something, it accounts for the number of servers _installed_ whether intentionally or not.
Further, it doesn't account for website overloading whereby a number of sites reside on the same IP address. Does Geocities count as one site, as it [may] only be registered to one IP?
Hmmm, could be a bunch of folks realized that IIS server on their SQL server was unnecessary. Again, they may have 'disappeared', but it doesn't mean they were used in the first place.
I mention the above as it's how we're functioning in OUR case. (3 or 4 machines that never used IIS have it turned off now, and we've got several large sites all sharing the same IP and servers)
"Draco dormiens nunquam titillandus."
What if next time the virus is a nifty I86 Assembly worm?
Writing a worm in x86 assembly does not mean that you have an OS-independent worm.
Every worm needs a method to infect other hosts, and the only way is to exploit known vulnerabilities in legit services - i.e., you are using applications' (IIS, Apache, bind, sendmail) and operating system's (Windows, Linux, Solaris) services to infect the host. The reason is that, on a network, you are not talking directly to the processor like you do with a local process. You are talking with software layers that manage your connection.
After you have unscrewed the software protections, you make your payload execute on the target host, using a nifty x86 assembly snippet designed to gain privileges. But this is still dependent on the OS.
In fact, many old-fashioned viruses (infected disks, .EXEs etc.) are written in pure x86 assembly. But they still are OS-specific.
What's with that? The end of month figures for vulnerable IIS systems show an increase in cross site scripting, accessible admin pages and viewable script source. Any guesses?
Is it just that they're more visible? Or is it a whole bunch of sysadmins formatting, re-installing, then selectively patching for the last three exploits that they can remember? Weird.
If you were blocking sigs, you wouldn't have to read this.
Usually it is quite simple to migrate between Unices and Linux, but it's quite a challenge to switch from a Microsoft platform to some *nix/Apache platform, if the server serves more than simple static pages.
I believe the process to migrate from WinXXXX/IIS to *nix/Apache will take a few months, not weeks, for management decision (big corporations are not able to produce decisions in a few hours, but will take weeks - till the next "meeting" or so), reprogramming, data-migration, testing etc.
That's the reason, why Netcraft itself stated:
So give us time, and let's analyse the stats again in a few months.
This survey is evidence of what good white-hat port scans could do. You could survey what servers are being used, you could find out how many machines are still using faulty software, and you could find out percentages of different OSes. Everyone runs around with their arms in the air yelling that people who port scan are bad. They aren't all bad. Your security should be good enough to handle it anyway. Who cares if they find what ports are open, if the ones that need to be closed, are closed or stealth, and if you have all your latest security packages you have no problems. Thanks,
David
It would be interesting to snoop traffic and extract header information to calculate the percentage of overall web traffic which is being served by each flavor of web server. Take a large enough sample from various points on the internet and you could get reasonable statistics though I'm not sure how the public at large would feel about being snooped.
-- Good judgement comes with experience. -- Experience comes with bad judgement.
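The comments above turn on which denominator a survey uses: hostnames, physical machines, or traffic actually served. The following is an added example, not part of any comment or of Netcraft's methodology; the records, hostnames, addresses and byte counts are constructed, and the function names are hypothetical. It parses the `Server` response header and tallies the same data three ways.

```python
from collections import Counter, defaultdict

def resp(server):
    # Constructed HTTP response head carrying the given Server header.
    return f"HTTP/1.1 200 OK\r\nServer: {server}\r\nContent-Type: text/html\r\n\r\n"

# Constructed sample: (hostname, ip, raw response head, bytes served).
# Two Apache boxes carry many virtual hosts; each IIS box carries one site.
SAMPLE = (
    [(f"site{i}.example", "192.0.2.10", resp("Apache/1.3.20 (Unix)"), 4000) for i in range(5)]
    + [(f"shop{i}.example", "192.0.2.11", resp("Apache/1.3.20 (Unix)"), 2000) for i in range(3)]
    + [(f"corp{i}.example", f"192.0.2.{20 + i}", resp("Microsoft-IIS/5.0"), 1000) for i in range(3)]
)

def server_family(raw_headers):
    """Return the product name from the Server header, or 'unknown' if absent."""
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip().split("/", 1)[0] or "unknown"
    return "unknown"

def tally(records):
    """Count server families per hostname, per IP address, and per byte served."""
    by_site, by_bytes = Counter(), Counter()
    per_ip = defaultdict(set)
    for _host, ip, headers, nbytes in records:
        fam = server_family(headers)
        by_site[fam] += 1
        by_bytes[fam] += nbytes
        per_ip[ip].add(fam)
    # One vote per IP; an address answering as several products is "mixed".
    by_machine = Counter(
        next(iter(fams)) if len(fams) == 1 else "mixed" for fams in per_ip.values()
    )
    return {"sites": by_site, "machines": by_machine, "bytes": by_bytes}

def leader(counter):
    return counter.most_common(1)[0][0]

if __name__ == "__main__":
    for basis, counts in tally(SAMPLE).items():
        total = sum(counts.values())
        print(basis, {k: f"{100 * v / total:.0f}%" for k, v in counts.items()})
```

On this constructed data Apache leads by sites and by bytes while IIS leads by machines, which is the discrepancy the commenters are arguing over. Counting by IP address still cannot see several physical machines behind one address, or one machine with several addresses.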
It seems Netcraft has a very hard job to do. Yes, I eagerly check them every month to see that my favourite web server (Apache of course) is well on top. I'm also glad BSD isn't dying as some troll reported. 6% BSD on the web could mean many more times that in market share. 50% Windoze appears to count for only a tiny proportion of the computing power on the web. A good point was made that in this tabulation, a $1k "el cheapo" counts the same as a $1M top-of-the-line Sun!
For starters, maybe research should be done to determine which servers and platforms serve the most actual pages on the web. It is very reasonable to state the very same hardware will serve twice the volume with Apache Unix than IIS-win. The type of Unix may matter too. Large sites tend to use Linux, very large sites tend to use BSD. Moderate sites use Solaris (and only the smallest use IIS) in general. If security is of any concern, Windoze is a joke. Apache makes a Windoze version, but warns it should never be used in a production setting - just for a quick prototype. (to show management)
More interesting is which system serves the most data overall? The people that work on the 'big iron' say it is Linux by far, then a toss-up between Solaris and BSD. With a paltry 5%, comes the combined power of all Microsoft PC's.
The point is clear and we have all heard it: "You can prove or disprove anything by how you manipulate statistics". So M$ is the best from their perspective, and so is Linux from theirs and the same for Sun, BSD and all the others. BSD does make a good point that they can serve 100x the data for the same cost as Microsoft, and that assumes you *pirated the Microsoft software* and does not include 'down time' so many Microsoft users can relate to, never mind all the email worms and Trojans either!
Anecdotally, I can say that about a dozen machine Linux servers I know are each running 3 or more separate hosts.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Not used? Not quite, we had to shut down our corporate web site, not because it was not used, but because it was damaged so badly that our ISP will not keep us online.
We did not switch to Apache or anything else, though, just clean it up, patch, and back to operation.
You have to get in there first.
And if you do, even MS use the x86 protection mechanism and run most code in ring 3. Since the account Apache runs in would not have the privilege to install & run arbitrary ring 0 code (as would be the case with IIS [running as Local System] installing device drivers) there are limits on what can be done.
Maybe there's an argument for an OS which has two modes which are mutually exclusive. You can use the machine (run applications etc.) or you can administer the machine (install drivers etc.). You cannot do both from the same account. Many Windows users run their day to day work under accounts with admin privileges - or worse still, domain admin privileges. Why? Do people really need to switch from document writing to driver installation so quickly that they need be done without an additional login? Does anyone really need god-like privileges from a regular account?
Of course, I may be talking rubbish.
This sig made only from recycled ASCII
I have been consistently impressed by how much raw abuse a UNIX server can take. A while ago, I wrote a test program that consumed all virtual memory and CPU and kept asking for more, and the machine got slow but kept on trucking. Where I work, the admin runs multiple web services on a single-CPU UltraSPARC box, and it never complains--not even a "hiccup."
The truth is that it takes one UNIX machine to replace N Windows machines, where N is a large positive integer. Do you want quality or quantity?
Healthcare article at Kuro5hin
My university switched from Sendmail to Exchange last year. In the process, we went from 1 Solaris machine to 4 Dual-Pentium/II Windows boxes.
That's how you win market share...
A couple years ago, my school switched from the Linux webserver that I had been administrating to a Mac server. Our site is now running on an iMac, I believe, using AppleShareIP. Naturally I did not support this change, as they've jumped years backwards in technology (and made a new site that's horrible to boot). However, I suppose one advantage of this is a little bit of security for obscurity. Because nobody's stupid enough to run a website off of an iMac, nobody wastes his time trying to find exploits for such a small target audience.
Yes! That guy!