RE: Information Needed on Malicious Traffic

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Thu Jul 10 2003 - 20:48:24 PDT


    > -----Original Message-----
    > From: Piyush Bhatnagar [mailto:piyushat_private] 
    > Sent: Thursday, 10 July 2003 1:23 p.m.
    > To: incidentsat_private
    > Subject: Information Needed on Malicious Traffic
    > 
    > 
    > In your opinion, what percentage of traffic entering your networks (and on
    > the internet) would you consider as dirty? By Dirty traffic I mean to refer
    > to the traffic that is un-desired or malicious which could contain traffic
    > related to attacks, probes, spam etc.
    > 
    > I have read a few white papers from some security product vendors and the
    > claims range from 5% to 30%.
    
    My suggestion would be not to include spam into this. It is certainly
    unwanted, but it's not malicious.
    Other than that, spam takes quite a bit of e-mail traffic.
    
    At a few organizations I had experience with (and they are very huge), spam
    takes about 20% of all e-mail messages.
    On top of that sits about 2% (roughly, considering number of daily messages)
    of e-mail messages with malicious content (worms, viruses etc.).
    
    Malicious traffic takes less - most consists of network scanning and
    inevitable Nimda/Code Red attacks on Web servers.
    
    It's hard to say what percentage of traffic that is - traffic is huge for
    huge networks and if they are on private IP space, you won't see much of
    'dirty' traffic. In those cases malicious traffic takes less than 0.1%, from
    my experience.
    
    On the other side, on networks which are wide open this can go pretty high,
    but from my experience usually no more than a few percent. Keep in mind that
    huge networks like universities, with very fast links, do a lot of traffic.
    
    Hope this helps.
    
    Bojan Zdrnja
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 11:07:03 PDT