RE: Information Needed on Malicious Traffic

From: David Klotz (klotzat_private)
Date: Thu Jul 10 2003 - 09:19:21 PDT


    I can't find a reference to this now, but at Vern Paxson's talk at the
    1999 USENIX Workshop on Intrusion Detection he claimed that malicious
    packets and broken packets are essentially indistinguishable.  Obviously
    this wouldn't apply to certain obvious intrusion attempts (like a GET
    cmd.exe in your logs, or something similar) but if true I would have to
    imagine it would cast serious doubt on just about any hard number you
    could find.
    
    A workshop program is at
    http://www.usenix.org/events/detection99/brochure/tech02.html but it
    doesn't mention this particular claim.
    
    
    -dk
    
    
    
    > -----Original Message-----
    > From: Piyush Bhatnagar [mailto:piyushat_private] 
    > Sent: Wednesday, July 09, 2003 8:23 PM
    > To: incidentsat_private
    > Subject: Information Needed on Malicious Traffic
    > 
    > 
    > Hi All,
    > 
    > I am doing some research on the amount of malicious traffic 
    > on the internet.
    > 
    > In your opinion, what percentage of traffic entering your 
    > networks (and on the internet) would you consider as dirty? 
    > By Dirty traffic I mean to refer to the traffic that is 
    > un-desired or malicious which could contain traffic related 
    > to attacks, probes, spam etc.
    > 
    > I have read a few white papers from some security product 
    > vendors and the claims range from 5% to 30%.
    > 
    > Any responses will be welcome.
    > 
    > Thanks,
    > Piyush
    > 
    > -
    > Regards, Piyush
    > ==========================
    > Piyush Bhatnagar, CISSP
    > piyushat_private
    > ==========================
    > 
    > 
    > --------------------------------------------------------------
    > --------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in 
    > Las Vegas, the 
    > world's premier technical IT security event! 10 tracks, 15 
    > training sessions, 
    > 1,800 delegates from 30 nations including all of the top 
    > experts, from CSO's to 
    > "underground" security specialists.  See for yourself what 
    > the buzz is about!  
    > Early-bird registration ends July 3.  This event will sell 
    > out. www.blackhat.com
    > --------------------------------------------------------------
    > --------------
    > 
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 13:10:21 PDT