I would offer that any number, without some serious metrics behind it, is a SWAG, and only applies within the area (network) studied. For instance, I have not done a study personally, but would bet that military networks see a higher degree of attempts than, say, happymom.com sorts of sites. They are both connected to the internet, but one is a target of opportunity, and a defaced website might mean the difference between being accepted by a hacker group and continuing an amateur career as a script kiddie. The same would hold true for financial institutions vs. business storefronts.

I think a really interesting statistic would be the amount of malicious packets that emanate from county libraries and internet cafés. As these are largely unregulated, my guess is that these would be a hotbed of activity.

I can tell you that on the network I defend the number is less than 1%. This is most likely due to our placement within the Global Information Grid, and the defensive measures between "Us" and "Them". To give you some bandwidth stats, inside our backbone (ATM) we run about 35% loading, and outside our edge switches (100MB 802) we average about an 85% load. Our network averaged in the area of 450,000 SNORT alerts a day. By definition, all these packets (most admittedly false positives) met the criteria of an alert based upon a rule. Is this a "malicious" packet? Depends on the degree of maliciousness you are after. You might try and narrow your search pattern down a little bit.

Warmest Regards,

Jim Butterworth, GCIA

"I'd rather try and fail, than do nothing and succeed" - Robert Schuller

-----Original Message-----
From: Piyush Bhatnagar [mailto:piyushat_private]
Sent: Wednesday, July 09, 2003 6:23 PM
To: incidentsat_private
Subject: Information Needed on Malicious Traffic

Hi All,

I am doing some research on the amount of malicious traffic on the internet. In your opinion, what percentage of traffic entering your networks (and on the internet) would you consider as dirty?

By dirty traffic I mean to refer to the traffic that is undesired or malicious, which could contain traffic related to attacks, probes, spam etc. I have read a few white papers from some security product vendors and the claims range from 5% to 30%.

Any responses will be welcome.

Thanks,
Piyush

-
Regards,
Piyush
==========================
Piyush Bhatnagar, CISSP
piyushat_private
==========================

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------
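Jim's point that an alert count is not a malicious-packet count, and that the "percentage" depends on where you draw the line, can be made concrete by tallying Snort alert_fast lines under different thresholds. The script below is an added example, not part of the list posting; the alert lines, packet total and the "noisy rule" selection are all constructed for illustration.

```python
import re
from collections import Counter

# Snort 2.x "alert_fast" line layout. The classification field is optional
# in that format, so the regex treats it as such.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)

# Constructed sample alerts (documentation-range addresses, made-up timestamps).
SAMPLE_ALERTS = """\
07/09-18:23:01.123456  [**] [1:2003:8] WEB-MISC cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44321 -> 192.0.2.10:80
07/09-18:23:02.000001  [**] [1:1042:6] WEB-IIS view source via translate header [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 203.0.113.7:44322 -> 192.0.2.10:80
07/09-18:23:03.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
07/09-18:23:04.250000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.11
07/09-18:23:05.000000  [**] [1:2003:8] WEB-MISC cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44323 -> 192.0.2.10:80
"""

def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            d = m.groupdict()
            d['prio'] = int(d['prio'])
            alerts.append(d)
    return alerts

def priority_breakdown(alerts):
    """How many alerts fell in each Snort priority (1 = most severe)."""
    return Counter(a['prio'] for a in alerts)

def dirty_fraction(alerts, total_packets, max_priority=3, noisy_sids=()):
    """Share of packets counted 'dirty' under a chosen definition:
    keep alerts at or above a severity cut-off, optionally dropping rules
    the analyst has judged to be noise (false-positive-prone SIDs)."""
    kept = [a for a in alerts if a['prio'] <= max_priority and a['sid'] not in noisy_sids]
    return len(kept) / total_packets
```

Running the same alert set against a constructed total of 1,000 packets gives 0.5% if every alert counts, 0.2% if only priority-1 alerts count, and 0.3% once the ICMP ping rule is treated as noise, which is exactly why a single vendor percentage says little without the definition behind it.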
This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 11:05:36 PDT