RE: Information Needed on Malicious Traffic

From: Jim Butterworth (res0qh1mat_private)
Date: Thu Jul 10 2003 - 17:17:16 PDT


    I would offer that any number, without some serious metrics behind it,
    is a swag, and only applies within the area (network) studied.  For
    instance, I have not done a study personally, but would bet that
    military networks see a higher degree of attempts than, say,
    happymom.com sorts of sites.  They are both connected to the internet,
    but one is a target of opportunity, and a defaced website might mean the
    difference between being accepted by a hacker group and continuing an
    amateur career as a script kiddie.
    
    The same would hold true for financial institutions vs. business
    storefronts.
    
    I think a really interesting statistic would be the amount of malicious
    packets that emanate from county libraries and internet cafés.  As these
    are largely unregulated, my guess is that these would be a hotbed of
    activity.
    
    I can tell you that on the network I defend the number is less than 1%.
    This is most likely due to our placement within the Global Information
    Grid, and the defensive measures between "Us" and "Them".  To give you
    some bandwidth stats, inside our backbone (ATM) we run about 35%
    loading, and outside our edge switches (100MB 802) we average about an
    85% load.  Our network averages in the area of 450,000 SNORT alerts a
    day.  By definition, all these packets (most admittedly false positives)
    met the criteria of an alert based upon a rule.  Is this a "malicious"
    packet?  Depends on the degree of maliciousness you are after.  You
    might try and narrow your search pattern down a little bit.
    
    Warmest Regards,
    Jim Butterworth, GCIA
    
    "I'd rather try and fail, than do nothing and succeed"
                                                      - Robert Schuller
    
    
    -----Original Message-----
    From: Piyush Bhatnagar [mailto:piyushat_private] 
    Sent: Wednesday, July 09, 2003 6:23 PM
    To: incidentsat_private
    Subject: Information Needed on Malicious Traffic
    
    Hi All,
    
    I am doing some research on the amount of malicious traffic on the
    internet.
    
    In your opinion, what percentage of traffic entering your networks (and
    on the internet) would you consider as dirty? By dirty traffic I mean to
    refer to the traffic that is undesired or malicious, which could contain
    traffic related to attacks, probes, spam etc.
    
    I have read a few white papers from some security product vendors and
    the claims range from 5% to 30%.
    
    Any responses will be welcome.
    
    Thanks,
    Piyush
    
    -
    Regards, Piyush
    ==========================
    Piyush Bhatnagar, CISSP
    piyushat_private
    ==========================
    
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
    
    
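The reply above makes the practical point that a raw alert count (450,000 Snort alerts a day, most of them false positives) says little about how much traffic is actually malicious until the alerts are sorted by rule and severity. The script below is an added example, not code from this thread or from the Snort project: it parses Snort's single-line "fast" alert format, counts alerts by priority and signature, and turns the serious subset into a per-packet fraction of the kind the original question asks for. The alert lines, sensor name, rule ids and packet count are all constructed for the example, and the line layout is assumed to match the fast-alert output of the sensor in use.

```python
"""Triage Snort fast-format alerts by priority and signature, so a large
daily alert count can be split into the few that matter and the bulk that
is rule noise. All sample data below is constructed for this example."""
import re
from collections import Counter

# Assumed alert_fast layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: seven alerts plus one unrelated syslog line that a
# real alert file might contain after a sensor restart.
SAMPLE_ALERTS = """\
07/10-08:01:12.104512  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434
07/10-08:01:13.221990  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
07/10-08:01:14.005000  [**] [1:1000001:1] LOCAL web crawler user-agent [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.0.2.20:80
07/10-08:01:15.310044  [**] [1:1000001:1] LOCAL web crawler user-agent [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.6:40011 -> 192.0.2.20:80
07/10-08:01:16.777120  [**] [1:1000001:1] LOCAL web crawler user-agent [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:40987 -> 192.0.2.20:80
07/10-08:01:17.002311  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.9:3322 -> 192.0.2.30:445
Jul 10 08:02:00 sensor1 snort: Initialization Complete
07/10-08:02:05.450000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.8 -> 192.0.2.11
"""


def parse_alert(line):
    """Return a dict of fields for one fast-alert line, or None if the line
    is not an alert (blank lines, sensor chatter, truncated records)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    # Drop the port; ICMP entries carry none. Assumes IPv4 addresses.
    d["src_ip"] = d["src"].rsplit(":", 1)[0]
    d["dst_ip"] = d["dst"].rsplit(":", 1)[0]
    return d


def summarize(lines, max_priority=2):
    """Aggregate alerts. Snort priority 1 is the most severe; alerts at or
    below max_priority are treated as worth an analyst's time."""
    parsed, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
        else:
            parsed.append(alert)
    by_priority = Counter(a["prio"] for a in parsed)
    by_signature = Counter((a["sid"], a["msg"]) for a in parsed)
    serious = [a for a in parsed if a["prio"] <= max_priority]
    return {
        "total": len(parsed),
        "unparsed": unparsed,
        "by_priority": dict(by_priority),
        "top_signatures": by_signature.most_common(3),
        "serious": len(serious),
        "serious_share": len(serious) / len(parsed) if parsed else 0.0,
        "serious_sources": sorted({a["src_ip"] for a in serious}),
    }


def dirty_fraction(serious_alerts, packets_seen):
    """Share of observed packets that raised a serious alert: the figure the
    original question asks for, valid only for this sensor and period."""
    return serious_alerts / packets_seen if packets_seen else 0.0


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Constructed packet count for the same period as the sample alerts.
    print(f"dirty fraction: {dirty_fraction(summary['serious'], 400_000):.6f}")
```

Run against a real fast-alert file, the "top_signatures" list is usually dominated by one or two noisy local rules, which is the concrete form of "most admittedly false positives" in the reply; the dirty fraction should be reported per sensor placement, since the same rule set behind an edge filter and in front of it will give very different numbers.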
    



    This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 11:05:36 PDT