Re: Information Needed on Malicious Traffic

From: Dietmar Goldbeck (goldbeck@e-trend.de)
Date: Thu Jul 10 2003 - 16:42:07 PDT


    On Wed, Jul 09, 2003 at 09:22:58PM -0400, Piyush Bhatnagar wrote:
    > Hi All,
    > 
    > I am doing some research on the amount of malicious traffic on the internet.
    > 
    > In your opinion, what percentage of traffic entering your networks (and on
    > the internet) would you consider as dirty? By Dirty traffic I mean to refer
    > to the traffic that is un-desired or malicious which could contain traffic
    > related to attacks, probes, spam etc.
    > 
    > I have read a few white papers from some security product vendors and the
    > claims range from 5% to 30%.
    > 
    
    I don't think this percentage makes sense from a statistical point of view.
    
    About 1000 to 2000 alerts are logged daily on the firewall and snort for
    a /29 range of IPs. This varies far less than my traffic.
    
    Depending on whether I update my Debian mirror or even shut down my
    applications, I can calculate any percentage between 1% and 100% (yes,
    there are a lot of attacks on unused IP space...).
    
    You have the same statistical problem for a typical webserver.
    It receives requests from a lot of infected machines. The
    number of those worm/virus caused requests has IMHO little to do
    with the actual load of useful requests. 
    
    OTOH we have detailed mail server stats here (Postfix with SpamAssassin)
    showing that SPAM is currently around 50% of the messages (sorry, no
    statistics on byte count handy)
    
    IMHO statistics on how long a machine can survive without being
    compromised are more interesting. The honeynet project has some
    numbers. Judging by my firewall/snort logs, I guess it takes only a few
    days until some "first audit" has been done and most known bugs are
    exploited :-))
    
    -- 
     Alles Gute / best wishes  
         Dietmar Goldbeck         E-Mail: dietmar.goldbeckat_private
    Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
    Civilization?  Gandhi: I think it would be a good idea.
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 11:08:50 PDT