Netcraft Web Server Stats Challenged
kolchak writes "An article in The Age has an interesting analysis of the Netcraft Web Server Usage Reports. According to Port80 Software, Netcraft's surveys are biased towards domain name parkers and very small web sites, not taking into account how popular a site may be - there are some interesting results in the competing Port80 survey." However, it should be pointed out that Port80 "develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server."
Do we even need to think about this? How is this news?
and this was their response:
We detect that homepage.mac.com is running Apache/1.3.27 (Darwin).
but with this caveat
Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.
Nope, no bias there.
The dogcow says "Moof!"
What does this have to do with their sampling method? I seriously doubt that their scanning system is some guy randomly typing websites into that box and writing down the results. The back end code which actually performs the server detection could work just fine and still produce an error during display.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
Thus spake the article:
...snip snip...
...snip snip...
Port80 Software, a San Diego-based company that develops software to enhance the security, performance and user experience of Microsoft's Internet Information Services Web server, said it had conducted a survey of Fortune 1000 companies recently and found that Microsoft IIS had ongoing dominance in the enterprise with a 53.8 percent market share.
"What do Netcraft's findings prove about Web server market share? It all depends on how you choose to define 'market share'," Lima said. "Netcraft attempts to review every detectable site on the Internet to generate their web server statistics, and this gives their survey a natural bias in favour of web servers that host relatively low-traffic or even parked domains.
Considering that Port80 has a serious bias towards IIS, any conclusions they draw should be taken with a mountain-sized grain of salt. I guess it boils down to what you think "market share" is: what is everyone running, or what servers are the Fortune 1000 companies running? The answer seems pretty obvious to me.
I Am My Own Worst Enemy
It is not only funny that according to their "survey" IIS has more market share than Apache, but *gasp* Netscape has a larger market share than Apache too!
That is as big of a red flag as I have ever seen.
Of course the fact that they indeed produce software for IIS is in no way, shape or form any sort of indication of a possible, slight, minimal... bias.
LOL, a nice laugh... and they may even get slashdotted, which will bring joy to their sorry operation since they will now be able to claim that they are one of the net's most popular companies/sites. I am sure this is some sort of ploy to get traffic; it will be funny to see if indeed their beloved IIS can stand the slashdot effect. LOL
Even if these Port80 guys are on Microsoft's payroll, the point they make is still quite correct - it makes no sense to measure market share by simply counting web hosts. If all the high-traffic web sites on the Internet are running IIS while the numerically greater but less popular remainder are running Apache, can you meaningfully say that Apache has a higher 'market share'?
Unfortunately, short of tracking people's surfing habits or getting access to web server logs, there is no easy way of working out the popularity of a site. Netcraft's method of polling every known webserver is really the only practical method available, even if it is not truly accurate.
I tried several sites myself with my own javascript and guess what?
My results were different than theirs more than half the time! I figured they had multiple servers running, etc., so I rechecked at least 5 times on all sites (all sites checked, that is ~50)...NO CHANGE!
Take disney.com, for example. Their site says IIS 5.0. I got netscape...so did netcraft.
One word... BULL#%&*!
-Pride
Port80 Survey header check /surveys/top1000webservers/headercheck.asp, line 121
Microsoft OLE DB Provider for ODBC Drivers error '80040e57'
[Microsoft][ODBC SQL Server Driver][SQL Server]String or binary data would be truncated.
A suggestion for their ServerMask product: COVER UP ERRORS THAT GIVE AWAY INFORMATION. Seriously, if they think that headers are going to give away a lot of info, then forced errors will, too. But there is a boatload of other techniques (including passive techniques) that get around their security-through-obscurity program.
HIV Crosses Species Barrier... into Muppets
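As an added illustration of the "other techniques" point in the comment above (this is example code written for this page, not Port80's, Netcraft's or the commenter's), the script below fingerprints a server from evidence other than the Server header value: the relative order of the Server and Date headers (the ordering heuristic used by tools such as httprint), ASPSESSIONID cookies, X-Powered-By/X-AspNet-Version headers, and the ETag layout. The two HTTP responses are constructed samples, not captures from any real host; the "masked" one assumes, as a hypothetical, that a product like ServerMask rewrites only the Server header's text and leaves everything else as IIS emitted it.

```python
"""
Fingerprint an HTTP server without trusting the Server header.

Added example for this thread. SAMPLES are constructed responses; the
"iis_masked" one assumes the masking product changed only the Server
header's value, which is an assumption, not a tested claim about any
particular product.
"""
import re

SAMPLES = {
    # Constructed: a plain Apache 1.3 response.
    "apache_honest": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 15 Sep 2003 12:00:00 GMT\r\n"
        "Server: Apache/1.3.27 (Darwin)\r\n"
        "Last-Modified: Sun, 14 Sep 2003 09:00:00 GMT\r\n"
        'ETag: "1a2b3-4c5-3f6a7b8c"\r\n'
        "Accept-Ranges: bytes\r\n"
        "Content-Length: 1234\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Constructed: IIS 5 with the Server header text rewritten to look like Apache.
    "iis_masked": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/1.3.27 (Unix)\r\n"
        "Date: Mon, 15 Sep 2003 12:00:00 GMT\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 1234\r\n"
        'ETag: "b0f6b9a1a9c31:a85"\r\n'
        "Set-Cookie: ASPSESSIONIDQQGGQCPC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/\r\n"
        "Cache-control: private\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Split a raw response into (status line, ordered [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Return the claimed server, the guessed family, and the evidence used."""
    _, headers = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    claimed = next((v for n, v in headers if n.lower() == "server"), "")
    evidence = []
    score = 0  # positive leans IIS, negative leans Apache

    # Header ordering: IIS emits Server before Date, Apache emits Date first.
    if "server" in names and "date" in names:
        if names.index("server") < names.index("date"):
            score += 2
            evidence.append("Server precedes Date (IIS ordering)")
        else:
            score -= 2
            evidence.append("Date precedes Server (Apache ordering)")

    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie" and value.startswith("ASPSESSIONID"):
            score += 3
            evidence.append("ASPSESSIONID cookie (classic ASP on IIS)")
        if lname in ("x-powered-by", "x-aspnet-version") and "asp" in value.lower():
            score += 3
            evidence.append("%s advertises ASP" % name)
        if lname == "etag":
            if re.fullmatch(r'"[0-9a-f]+:[0-9a-f]+"', value):
                score += 1
                evidence.append("ETag uses IIS hex:hex layout")
            elif re.fullmatch(r'"[0-9a-f]+-[0-9a-f]+(-[0-9a-f]+)?"', value):
                score -= 1
                evidence.append("ETag uses Apache inode-size-mtime layout")

    guess = "iis" if score > 0 else "apache" if score < 0 else "unknown"
    lowered = claimed.lower()
    claimed_family = ("iis" if "iis" in lowered else
                      "apache" if "apache" in lowered else "other")
    mismatch = (claimed_family != "other" and guess != "unknown"
                and claimed_family != guess)
    return {"claimed": claimed, "guess": guess,
            "mismatch": mismatch, "evidence": evidence}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = fingerprint(raw)
        print(label, "->", result["guess"],
              "(claims %r, mismatch=%s)" % (result["claimed"], result["mismatch"]))
        for line in result["evidence"]:
            print("   ", line)
```

The scoring is deliberately simple; a real tool would also compare status-line text on forced errors, response behaviour for malformed requests, and the TCP/IP stack, which is the commenter's point: rewriting one string does not change how the server behaves.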
You can't make an accurate comparison unless you can remove all the other factors which directly affect how the server will perform.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
This is too small of a sample to produce meaningful results. Also some of these companies may be running a certain platform based on business deals made way back in the day and are reluctant to make the investment needed to completely replace their infrastructure (which may explain the strong presence of netscape, who knows).
There are really too many factors involved to simply choose a number of websites and determine which is the best server software based upon what the majority of those sites are running.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
Actually, it's my experience that they'll just keep bombarding you with IIS and Windows exploit attempts no matter what server and OS you use. They're SCRIPT KIDDIES; they can't even spell Apache. P.S. As I typed this my server log is showing 3 different IPs that are running a full barrage of IIS and Windows exploit attempts at my Apache/Linux server. So ya, they're dumb. Oh, and just to be funny I went on my Linux box and tried to send them a Windows Messenger message; it worked on 2 of them :)
No, as a matter of fact I don't turn off ECHO responses on boxes I manage. I prefer to be able to tell if an operating system or tcp/ip stack has fallen over without having to go over and hook up a console. I'm actually rather annoyed at certain ISPs for continuing to block ping even after Welchia and Slammer have mostly abated.
Which is not to say you can't turn off pings on your boxes, but neither your preference nor mine is everyone's preference.
So.... If you are running MS IIS your best security measure is to pretend to be running Apache?
Nah, that's just so you can have the false security of thinking hackers won't break in because they're fooled by the server mask. Like any and all of the worms that attack IIS will bother checking first. Of course if you're running IIS, you should be pretty used to new worms reaming your server a new one every month by now.
Another thing is Corporate America is barely getting their feet wet with Linux/Apache. The UNIX boxes that are installed are not running Apache; they're running something from a major vendor (i.e. Netscape, etc.). Up until this year there was NO Linux in the corporate company I work for. If a MAJOR vendor will not support a product, Corporate America will not install it. They love to point the finger at the vendors. If there's nobody to point a finger at when something goes wrong, it will not get installed.
While I understand Corporate America's dislike of Linux so far (like you said, no one to point fingers at when something messes up), and can extend that to Apache (same thing), I don't understand why Corporate America would still use IIS after all the worms and worms after worms after security holes ad infinitum. Netscape's out there as a commercial product for Windows servers as well as UNIX/Linux, and I know there are other ones as well, just not that I'm familiar with. I'd think they're tired of pointing fingers at the MS vendors over worm attacks, and would want something, ANYTHING, besides IIS nowadays. Or are the bigwigs in Corporate America so out of touch with reality they don't realize that moving from IIS would probably save them tons of money just in man-hours saved from less patching/recovering?
Why is everyone complaining about Netcraft surveys based on domain names when every Netcraft monthly survey also has statistics for active servers? See this month's survey for example, especially "total for active servers".
My quality social news site.com.
I don't know for sure, and I don't have any data to back up my assertion, but I have a strong feeling that Fortune 1000 sites are not the busiest sites out there.
For instance, a Fortune 1000 server probably only serves a few sites.
Most people running server farms doing mass hosting can serve tens of thousands of sites off a single server running Apache (or Zeus, etc).
I really doubt the relevance of this, especially in light of the fact that a lot of large companies will have a "MS software only" policy these days.
But, this is all conjecture of course.
Set up some fake scripts like /default.ida, which append the IP address of the attacker to a file (/var/log/denylist)?
Then just run iptables on that file every minute, blocking everything in it.
Get your own free personal location tracker
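The suggestion above (a decoy /default.ida that appends attacker IPs to /var/log/denylist, then a cron job that feeds the file to iptables) is the sort of thing that goes wrong if the file is trusted blindly: a decoy script that logs whatever hits it will also collect request garbage, duplicates, and possibly your own monitoring host. This is an added example written for this page, not the commenter's script: it validates each line as an IPv4 address, drops addresses in networks you never want to block, dedupes, and rebuilds a dedicated chain from an argv list rather than a shell string so a hostile line cannot inject commands. The sample denylist contents, the chain name DENYLIST, and the protected-network list are all constructed assumptions.

```python
"""
Rebuild an iptables chain from a denylist file of attacker IPs.

Added example for this thread. Assumes (hypothetically) a decoy script has
been appending one IP per line to /var/log/denylist, and that a one-time
`iptables -I INPUT -j DENYLIST` has been run to hook the chain.
"""
import ipaddress
import subprocess

DENYLIST_PATH = "/var/log/denylist"   # path from the comment above
CHAIN = "DENYLIST"                     # assumed chain name

# Networks we never want to block, even if they show up in the file
# (assumed list; adjust to your own addressing).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample of what a naive decoy might have written: duplicates,
# loopback, a bare request line, and a trailing comment.
SAMPLE_DENYLIST = """\
192.0.2.10
192.0.2.10
198.51.100.7
127.0.0.1
not-an-ip
GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0
203.0.113.5 # seen 2003-09-15
"""


def load_denylist(text):
    """Return unique, valid, non-protected IPv4 addresses in file order."""
    seen = set()
    addrs = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        token = stripped.split()[0]        # ignore anything after the address
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue                       # request garbage, hostnames, etc.
        if ip.version != 4:
            continue                       # iptables is IPv4-only; ip6tables is separate
        if any(ip in net for net in PROTECTED):
            continue
        if ip in seen:
            continue
        seen.add(ip)
        addrs.append(str(ip))
    return addrs


def iptables_commands(addrs, chain=CHAIN):
    """argv lists that (re)create the chain and fill it with DROP rules."""
    cmds = [
        ["iptables", "-N", chain],         # fails harmlessly if it already exists
        ["iptables", "-F", chain],         # flush so removed entries disappear
    ]
    for ip in addrs:
        cmds.append(["iptables", "-A", chain, "-s", ip, "-j", "DROP"])
    return cmds


def rebuild_chain(text, dry_run=True):
    """Parse the denylist text and apply (or just return) the commands."""
    cmds = iptables_commands(load_denylist(text))
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=False)   # argv list: no shell parsing
    return cmds


if __name__ == "__main__":
    for argv in rebuild_chain(SAMPLE_DENYLIST, dry_run=True):
        print(" ".join(argv))
```

Run it from cron with the file contents and dry_run=False once you are happy with the printed commands. Because the chain is flushed and rebuilt each time, removing a line from the file unblocks the address on the next run, and a line that is not a bare IP address is simply ignored rather than handed to a shell.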
Apparently ServerMask is their product. When I try a site I knew was running IIS, the response is like so:
Protect your Web server identity with ServerMask!
Why let anyone find out you're running a Microsoft IIS server? Don't tempt potential hackers!
Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!
No: "No matter what the above results show, this company may be running Apache and protecting its Web server identity with ServerMask."
Security through masking the server string sounds very secure. sigh.
Hence, it would seem apparent, after only a very small time here on Slashdot, that if someone can take the time to spellcheck their post then they are ALSO more likely to VALIDATE their own information.
<PHB mode="true">
I have just recently been informed to ignore people like you, but I can't remember from where....
</PHB>
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
Chas - The one, the only.
THANK GOD!!!