Netcraft Web Server Stats Challenged

kolchak writes "An article in The Age has an interesting analysis of the Netcraft Web Server Usage Reports. According to Port80 Software, Netcraft's surveys are biased towards domain name parkers and very small web sites, not taking into account how popular a site may be - there's some interesting results in the competing Port80 survey." However, it should be pointed out that Port80 "develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server."

A bit more than the average MS bias

[SeanTobin]

This is wrong on soooooo many levels. I could understand trying to twist the truth by redefining what a webserver is... but thier sampling method is straight out wrong.

Want proof? Here it is. Go to the linked article, (or click here) and where they have the box to check your server header (about half way down the page) type in www.microsoft.com - you will see its running IIS/6. A nice happy IIS server.

Now, type in my web server - http://www.isthatdamngood.com - its a nice Linux/Apache server. My server will CRASH thier app! Actually, a lot of linux servers will crash it...

Kinda hard to claim your results are more indicitative of the market when your scanning technology is flat out broken.

Re:A bit more than the average MS bias

[the_2nd_coming]

umm, how can you claim that they are sampling correctly when your only evidence of the way they sample is by way of an app that crashs on linux/apache servers?

Re:A bit more than the average MS bias

[ejaw5]

Check out the ad below the detection test:

Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.

Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!

Re:A bit more than the average MS bias

[SkArcher]

So.... If you are running MS IIS your best security measure is to pretend to be running Apache?

Errrrr.... Just run Apache?

Re:A bit more than the average MS bias

[_xeno_]

Worked for me. I tried "slashdot.org" and "www.theregister.co.uk" - both of them worked just fine. However, "www.isthatdamngood.com" did indeed cause a scripting error - but I doubt it would effect their actual surveying, it's just an ASP error, not an actual "crash."

Anyway, it's long been known that Netcraft's methods are flawed, since it counts individual web servers multiple times for each virtual domain. It should only count unique sites. (For example, Slashdot counts for something like 13 sites - the individual sections (like apple.slashdot.org - I'm not listing all of them), slashdot.org, www.slashdot.org, images.slashdot.org.)

It's still debatable what the correct survey method is (and whether Port80's method is any better), but Netcraft is biased towards sites with lots of virtual domain names. (I'd imagine SourceForge gets counted many times, too...) Of course, it's also questionable if individual servers in a round-robin load-balancing solution should be counted, so counting by IP instead of domain name is questionable too.

As is often said, "there are lies, damned lies, and statistics" - any counting method has issues.

Blah, I can't preview because Mozilla is f***ing broken and won't display the preview page, so please pardon any typos.

Re:A bit more than the average MS bias

[damiam]

If it wasn't so sad that people can charge $50 for what in Apache is a one-line config change, it'd be pretty funny.

Re:A bit more than the average MS bias

[orthogonal]

So.... If you are running MS IIS your best security measure is to pretend to be running Apache?

No. It's to wave your hands and intone "These are not the servers you're looking for."

It requires the Obi Wan Server Mask, however.

Re:A bit more than the average MS bias

[Frymaster]

on security through obsecurity:

while it is not a substitute for a good security policy, it is an excellent augmentation. the old saying goes that the only secure computer is one that isn't connected to the network. well, that's not really possible if yr running a web server, but you definitely don't need to advertise that you're connected... or how you're connected.

let's use a military analogy (ugh). you may put your soldiers in an armoured transport... but they still wear camoflauge.

i mean, after all, we all turn off ping before we put our servers up... don't we?

Re:A bit more than the average MS bias

[boneshintai]

i mean, after all, we all turn off ping before we put our servers up... don't we?

No, as a matter of fact I don't turn off ECHO responses on boxes I manage. I prefer to be able to tell if an operating system or tcp/ip stack has fallen over without having to go over and hook up a console. I'm actually rather annoyed at certain ISPs for continuing to block ping even after Welchia and Slammer have mostly abated.

Which is not to say you can't turn off pings on your boxes, but neither your preference nor mine is everyone's preference.

Re:A bit more than the average MS bias

[panaceaa]

The parent poster's point is that their site grabber program can get IIS sites but crashes on some Apache sites. Port80 Software may use the same code to run their surveys since both the grabber and survey programs need the core feature of analyzing a site's HTTP headers.

So if their survey script also returns invalid data for Apache sites, then the IIS numbers would be much higher than they actually are. I would at least like to see some actual numbers rather than pure percents before I believed their data. They surveyed 1000 sites -- how many sites are included in the survey's data?

Another thing that seems odd to me is Netscape iPlanet usage is higher than Apache. Where's the primary data to support that?

Re:A bit more than the average MS bias

[timeOday]

A script kiddie might still attack you because he's just a brute forcer. Anybody with brains won't trust your server's self-identification... so who are we fooling here?

So suprising

[linux_warp]

From thier Partners page:

"Port80 Software's Strategic Partners:
Microsoft, Inc."

Strategic in what way? FUD?

I tried homepage.apple.com

[fidget42]

and this was their response:

We detect that homepage.mac.com is running Apache/1.3.27 (Darwin).

but with this caveat

Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.

Nope, no bias there.

LOL

[javiercero]

It is not only funny that according to their "survey" IIS has more market share than Apache, but *gasp* Netscape has a larger market share than Apache too!

That is as big of a red flag as I have ever seen.

Of course the fact that they indeed produce softs for IIS is in no way shape or form any sort of indication to a possible, slight, minimal... bias.

LOL, a nice laugh... and they may even get slashdotted, which will bring joy to their sorry operation since they will now be able to claim that they are now one of the nets most popular companies/sites. I am sure this is some sort of ploy to get traffic, it will be funny to see if indeed their beloved IIS can stand the slashdot effect. LOL

Not so inaccurate ..

[jcam2]

Even if these Port80 guys are on Microsoft's payroll, the point they make is still quite correct - it make no sense to measure market share by simply counting web hosts. If all the high-traffic web sites on the Internet are running IIS while the numerically greater but less popular remainder are running Apache, can you meaningfully say that Apache has a higher 'market share'?

Unfortunately, short of tracking people's surfing habits or getting access to web server logs, there is no easy way of working out the popularity of a site. Netcraft's method of polling every known webserver is really the only practical method available, if it is not truly accurate.

Re:Not so inaccurate ..

[Prof.+Pi]

it make no sense to measure market share by simply counting web hosts. If all the high-traffic web sites on the Internet are running IIS while the numerically greater but less popular remainder are running Apache, can you meaningfully say that Apache has a higher 'market share'?

Didn't Netcraft themselves cover this topic last year? IIRC, some pro-MS group made the same argument, that you should only count the big guys. They looked at the Fortune N (I forget what N was) and found that lo and behold, IIS came out on top.

Then Netcraft came back with another study, where they ranked companies not by their Fortune ranking (i.e., total revenue), which would tend to favor MS as that's the "safe" choice for big companies. Instead, they ranked companies by how much revenue they made on the Net (so companies like Amazon would rank much higher), and found that by that measure, Apache was again on top.

Corporate Web Servers

[ryanw]

You have to look at their survey. It's talking about the CORPORATE web servers. I work for a major corporate america company. We have close to 4000 servers handling our "web" environment. That consists of web, app, and database servers. There's more IIS then anything else out there for sure in corporate america. Expecially on the WEB front end. In a corporate environment there are about 20 Windows to 1 Unix boxes. Mostly due to Windows servers being so cheap and can't handle as much load per server. But on the DATABASE backend there is much more UNIX to Windows.

Another thing is Corporate America is barely getting their feet wet with Linux/Apache. The UNIX boxes that are installed are not running Apache, they're running something from a major vendor (ie. Netscape, etc). Up until this year there was NO linux in the corporate company I work for. If a MAJOR vendor will not support a product, corporate america will not install it. They love to point the finger at the vendors. If there's nobody to point a finger at when something goes wrong, it will not get installed.

Until Redhat started selling Linux for $5k corporate america wouldn't even bat an eye at it. Now they're eating it up like hot cakes cause it's EXPENSIVE! Linux is no longer a free thing. Now powerful execs can point fingers and plus be able to throw around the "L" buzz word and feel like they're pushing the envelope.

Something smells...

[pridefinger]

I tried several sites myself with my own javascript and guess what?

My results were were different than their's more than half the time! I figured they had multiple servers running, etc., so I rechecked at least 5 times on all sites (all sites checked, that is ~50)...NO CHANGE!

Take disney.com, for example. Their site says IIS 5.0. I got netscape...so did netcraft.

One word... BULL#%&*!

-Pride

Re:Something smells...

[a.koepke]

I just checked this too... Port80 displays MS IIS and Netcraft displays Netscape. I thought I would do my own check. This now shows a flaw in both checks, Netcraft and Port80.

andreas:/var/mail# telnet disney.com 80
Trying 198.187.189.55...
Connected to disney.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/3.6 SP3
Date: Thu, 27 Nov 2003 06:44:12 GMT
Location: http://disney.go.com/
Content-length: 0
Content-type: text/html
Connection: close

Connection closed by foreign host.
andreas:/var/mail# telnet disney.go.com 80
Trying 198.187.189.93...
Connected to disney.go.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Server: Microsoft-IIS/5.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=E4481904-1BC1-4D6B-A21F-5FB993D69628; path=/; expires=Thu, 27-Nov-2023 06:44:39 GMT; domain=.go.com;
Cache-Expires: Thu, 27 Nov 2003 06:47:13 GMT
Cache-Control: max-age=300
Date: Thu, 27 Nov 2003 06:44:39 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 27 Nov 2003 06:42:13 GMT
ETag: "ba9b4197b1b4c31:b10"
Content-Length: 6260
Vary: Accept-Encoding, User-Agent
Via: 1.1 redline-7 (Redline Networks Accelerator 2.2.8 0)

Connection closed by foreign host.

Interesting, Disney.com is a Netscape webserver which just does a 302 Moved header and sends the client to Disney.go.com which is an IIS box.

So the actual Disney site you end up with (Disney.go.com) is IIS so in that case Port80 are sort of right in reporting it as so. But Netcraft are also right in reporting Netscape for the Disney.com domain since that is what Disney.com is running, Disney.go.com is a seperate domain and would be counted seperately.

Servermask didn't see that coming!

[morcheeba]

Port80 Survey header check
Microsoft OLE DB Provider for ODBC Drivers error '80040e57'
[Microsoft][ODBC SQL Server Driver][SQL Server]String or binary data would be truncated. /surveys/top1000webservers/headercheck.asp, line 121

A suggestion for their servermask product: COVER UP ERRORS THAT GIVE AWAY INFORMATION. Seriously, if they think that headers are going to give away a lot of info, then forced errors will, too. But, there is boatload of other techniques (including passive techniques) that get around their security-throught-obscurity program.

A website's a website

[andih8u]

It doesn't matter if the domain is parked or serving thousands of pages...domains are just as easily parked on IIS as on Apache.

Where's Google?

[RT+Alec]

I could not help but notice that Google, Yahoo, and Slashdot are omitted from their "top 1000" list. Yet rumors persist that these three web sites get a fair amount of traffic.

Re:Where's Google?

[ChaosDiscord]

I could not help but notice that Google, Yahoo, and Slashdot are omitted from their "top 1000" list.

The "top 1,000" list is based on the Fortune 1,000. Google, Yahoo, and Slashdot aren't on the Fortune 1,000. The theory is that the Fortune 1,000 indicates Real Companies, and that this is what Real Companies chose. However, many of these Real Companies are holding companies or target highly specialized audiences (like people needing drilling supplies). Many of these Real Companies are actually running what we would consider toy web sites: almost no content, entirely static pages, very few pages, and almost no visitors. So while this may represent what Real Companies chose, it does not necessarily represent what people with Real Work chose.

Like that's going to work

[BigRedFish]

a product .... to confuse script kiddies

I am running Apache on Linux, and I still get 1000 hits a day trying to crack MSADC with buffer overflows, and FrontPage exploit attempts. It's not like the script kiddies check the server ID or pay any attention to it even if they do.

A good methodology

[cgenman]

If you are conducting a survey to find out what is the "best of the best" in server software, why survey Family Dollar Store? Or Land 'O Lakes? You should be choosing technically savvy, solution neutral companies are likely to choose the best. These are the actual companies that have a big web presence and you would not expect them to choose a platform which would affect their bottom line badly... As opposed to Sears Roebuck, whose online presence can be compared to Amazon's retail presence. Would we ask Amazon how to organize endcaps? Let's pick a few technically adept companies at random here...

Amazon - Apache
AT&T - Netscape
Bell South - Apache
Cisco - Unix
Dell - IIS5
Earthlink - Netscape
E-Bay - IIS4
HP - Apache
Intel - IIS6
Lucent - Netscape
Motorola - Apache
National Semiconductor - Netscape
Nextel - Netscape
Qualcomm - Netscape
PC Connection - IIS5

I can't survey any more companies, because Port80's IIS6 server is slashdotted. However, if is apparent from this data that nearly 1/3rd of all websites that count are hosted on Netscape platforms. Apache and IIS share 1/4th each, and Cisco's odd unix variant wrapps up the rest.

Personally I'm amazed that Netscape is holding on to a lead... I would have expected them to be out of the running long ago. I'll have to check them out.

Cheap and flashy graphics

[ChaosDiscord]

I'll ignore for the moment the question of the quality of their data. I'm sure others will endlessly debate it (and I'll probably join in). Let's look at something else: The quality of their presentation.

First, let's take a look at the most recent Netcraft server survey. Let's see, clean display. The scale grid is subtle and doesn't draw attention to itself, but makes it easy to see exactly where a line falls. There is little wasted pixel data. It's easy to see trends and make comparisons. For the curious the exact numbers for the last two samples is listed (regrettably one two samples are listed). The graph labels the data it shows ("Market Share for Top Servers Across All Domains August 1995 - November 2003") leaving the reader to form his own opinions. On the down side, the scale confusingly marks 7% increments and the yellow line for Netscape/SunOne almost disappears into the background. Still, a well above average for graph. Definately room to improve, but better than most people expect to see.

Now let's example the Port80 server survey. Wow, what a difference. The grid is a much more dominant element. The 3d effect means that bars further in the back appear taller (by up to 15 pixels, or about 7%) and makes it hard to compare a specific data point against the scale. The complexity of the 3d bars complicates things, the "top" of the bar is actually larger than the month to month shift in the numbers. The "area" of the bars implies size (intellectually you know it isn't, but your gut says otherwise), this means that the largely obscured middle bars (Netscape and Apache) seem smaller. Ultimately bars are the wrong choice, we're examining points over time (suggesting a line chart), not clusters of data. The chart is labeled with a conclusion ("Microsoft IIS Maintains Dominance Of the Corporate Web Server Market"), suggesting interpretations to the reader. On the up side, they provide heavily broken up information for the most recent sample point (regrettably it's a graphic). They include a worthless pie chart. If you want to show market share a line chart showing historical data would be much more enlightening.

Conclusion? Port80's graphs suck. Hard. It's a stunning example of how not to create high quality graphs. The creators need to be beaten with copies of Tufte's information display books until they get it. This is the sort of amateur crap I expect on PowerPoint slides from people more interested in being cool than being useful, or perhaps from the graphics department at USA Today. As an engineer I'm disappointed.

Absolutely Nothing

[servoled]

What does that say about the quality of the respective servers?

It says absolutely nothing because you are not factoring in the amount of traffic handled by each machine, the connection speed, processing power, RAM, speed of I/O communications between the processing system and network interfaces, hard drive latency for retrieving data, etc...

You can't make an accurate comparison unless you can remove all the other factors which directly affect how the server will perform.

./ effect

[ryanw]

Port80Software has been slashdotted. As of 23:41 MTN Standardtime Nov 26th, 2003.. their box is completely down.

Wonder what they're running ...

Except...

[Theatetus]

For example, Slashdot counts for something like 13 sites - the individual sections (like apple.slashdot.org - I'm not listing all of them)

What about boxes like the ones where I work that run many (dozens, hundreds even) domains on one physical server? That's where the real difference creeps in; it's how 60-whatever % of sites run on Linux while 60-whatever % of boxes running web servers run Windows. Lots of the Linux boxes run multiple sites (and I don't just mean www.foo.com and images.foo.com; I mean they run www.foo.com and www.bar.com and www.baz.com and www.qxt.com on the single box).

So, take one of my boxes at work: it currently hosts 53 second-level domains and about 200 subdomains from them. The one I'm thinking of has its own class C netblock, but we have similar ones that just have a single IP address for their dozens of sites. Do you want that counted as one server, as 53, or as 200? Netcraft says it's 200. Port80 says it's 1. I'd like to count it as 53. Netcraft's way tells you what people who make web hosting decisions like. Port80's way tells you what people who make hardware and software buying decisions like.

Numbers look legit, but of questionable value.

[ChaosDiscord]

They list the 995 sites they include (they're using the Fortune 1,000, and (looking at some of the earlier reports), apparently 5 Fortune 1,000 companies don't have sites. (If they're still Slashdotted, you can download the pages from Google's cache. start here.)

A bit of quick Perl hackery pulls back the following values, roughly in line with what they report. The second column is actual sites found.

54.0% 537 Microsoft-IIS
18.2% 182 Netscape-Enterprise
16.1% 161 Apache
_3.6% _36 OTHER
_3.4% _34 IBM_HTTP_SERVER
_2.7% _27 UNKNOWN
_1.8% _18 Lotus-Domino
_____ 995 TOTAL

That said, I doubt the usefulness of the survey. It's a survey of Fortune 1,000 companies. These are often companies whose web presence is minimal. What does a giant holding company need with a web site? Heck, five of the companies didn't have any site at all! Of those sites that exist, many lack any sort of complexity (say, thousands of pages, or lots of dynamic pages). Simply put, many of these sites would run fine an almost anything, they don't represent Hard Work. I'm a lot more interested in what Google and Yahoo choose to run than in what the Radian Group and the Kiewit run.

Now Netcraft does have the problem they cite: Netcraft weights everyone equally. Perhaps that introduces bias. Perhaps we should select a set of sites that is high bandwidth, typically has at least some dynamic systems in place (say, to handle selling accounts), and is a popular target for hackers? How about porn sites? Porn operators have a hard job, thanks to Smutcraft you can see what they run.

Second, it looks like they've chosen one site for each company. For Amerco, for example, they chose UHaul.com running IIS. Reasonable enough (UHaul is part of Amerco), but it's interesting that they skipped amerco.com (running Apache). Not a great example, surely (especially since uhaul.com is certainly doing more real work than the very thin amerco.com), but it shows that there is a selection process of some sort, and any selection process risks introducing bias.

Free Software Wins again.

and what would that one line be?I want my $50 worth on my apache server

• Unpack the Apache distro file (apache_1.x.xx.tar.gz) and run the configure script.
  
  Now do the following commands:
  
  
• cd src/os/unix
  (With Apache 2.x, cd os/unix)
  
• vi os.h
  
• Search for:
  #define PLATFORM "Unix"
  
• Replace "Unix" with whatever you want your OS identification to be. (Some of the more creative ones I've done are 'NachOS,' 'PathOS,' 'StratOS,' 'ZerOS,' and 'WinDos'...anything.)
  
• Save the file.
  
• cd ../../include
  
• vi httpd.h
  (With Apache 2.x, vi ap_release.h)
  
• Search for:
  #define SERVER_BASEVENDOR "Apache Group"
  #define SERVER_BASEPRODUCT "Apache"
  #define SERVER_BASEREVISION "1.x.xx"
  
• Replace "Apache" and "1.x.xx" with whatever you want your Server and version number to be. (I recommend "Port80Software-Is-A-Fucking-Ripoff" and "Holy-Jumping-Jesus-This-Was-Easy", respectively.)
  
• Save the file.
  
• cd ../..
  (With Apache 2.x, cd ..)
  
• make
  

You're done. Congratulations. You just saved yourself $49 dollars!!!

Re:Free Software Wins again.

[ivan.ristic]

If you're using mod_security on your Apache server then you only need to add one line to the configuration file:

SecServerSignature "MyServer/19.5.1"

Re:This makes sense..

[Eivind]

Except if you'd bothered to check you would notice that Netcraft is fully aware of this, and thus produce different numbers for "web-servers" and "active web-servers" the latter excludes domains which are only parked somewhere.

http://news.netcraft.com/archives/2003/11/03/novem ber_2003_web_server_survey.html Is the latest survey, apache has 67.41 of all domains (well, all that Netcraft knows about anyways) at 30298060 domains.

If you look only at "active" domains, apache has 68.60%, so actually even a *higher* market-share. Of a total of 14370515 active domains. (so according to Netcraft, about half of all registered domains are "active" and the other half are "parked"

Yes they are... check this out

[imtheguru]

i tried their header check for www.apache.org [link is here]

Port80 returned this result:
"We detect that www.apache.org is running Apache/2.0.48-dev (Unix)."

But further down the page is this gem:
"No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask."

WTF?!

Re:Yes they are... check this out

[kyrre]

Apperantly servermask is their product. When I try a site I knew running IIS response is like so:

Protect your Web server identity with ServerMask!
Why let anyone find out you're running a Microsoft IIS server? Don't tempt potential hackers!

Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!

No: "No matter what the above results show, this company may be running Apache and protecting its Web server identity with ServerMask."

Security through masking the server string sounds very secure. sigh.

Hey, that's FOUR lines!

[mangu]

So typical of "open sores" zealots...

"EXPERTS CONFIRM: CONFIGURING OPEN SOURCE SOFTWARE IS 300% MORE DIFFICULT THAN ORIGINALLY CLAIMED"