> I can't find a reference to this now, but at Vern Paxson's talk at the
> 1999 USENIX Workshop on Intrusion Detection he claimed that malicious
> packets and broken packets are essentially indistinguishable.

More specifically, *some* malicious packets (in particular, those used to
facilitate evasion) look a lot like the broken-but-benign packets that you
see in any large traffic stream.  This is discussed further in the section
on "crud" in the Computer Networks version of the Bro paper:

        http://www.icir.org/vern/papers/bro-CN99.html

That said, however, most malicious packets (e.g., scans) don't look broken.
So in principle, it would be possible to cobble together some sort of
estimate regarding the portion of traffic that's hostile.  The particular
number is going to depend a lot on the units.  For example, LBL exchanges
around 1.5 billion packets/day - virtually all of these, proportionally,
are benign.  On the other hand, it engages in around 9 million distinct TCP
connections or attempted connections a day (at least, that was yesterday's
figure), and a good chunk of these are hostile (scans), perhaps more than
half.

		Vern
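The point about units above (hostile share measured per packet versus per connection) is easy to see with a small script. The following is an added example, not part of Vern's message or of Bro: it takes a constructed list of connection summaries (source, destination, port, termination state, packet count, in the spirit of a conn log), flags a source as a scanner when its failed attempts (no reply or reset) hit at least a threshold number of distinct target/port pairs, and then reports what share of connections and what share of packets that source accounts for. The sample records, the threshold of 5 and the state labels are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One TCP connection or connection attempt, conn-log style (assumed layout)."""
    src: str
    dst: str
    dport: int
    state: str   # "SF" = completed normally, "S0" = no reply, "REJ" = reset by peer
    pkts: int    # packets seen in both directions


# Constructed sample traffic: a handful of ordinary sessions, one benign
# failed attempt, and one host probing 20 addresses on port 22.
SAMPLE = [
    Conn("10.0.0.5", "10.0.1.8", 443, "SF", 120000),   # bulk download
    Conn("10.0.0.6", "10.0.1.8", 443, "SF", 200),
    Conn("10.0.0.6", "10.0.1.9", 25, "SF", 40),
    Conn("10.0.0.7", "10.0.1.10", 53, "SF", 15),
    Conn("10.0.0.7", "10.0.1.8", 8080, "REJ", 2),      # single misconfigured client
] + [
    Conn("198.51.100.9", f"10.0.1.{i}", 22, "S0", 1) for i in range(1, 21)
]


def flag_scanners(conns, min_failed_targets=5):
    """Return the set of sources whose failed attempts (S0/REJ) reached at least
    min_failed_targets distinct (dst, dport) pairs.  Threshold is an assumption."""
    targets = defaultdict(set)
    for c in conns:
        if c.state in ("S0", "REJ"):
            targets[c.src].add((c.dst, c.dport))
    return {src for src, t in targets.items() if len(t) >= min_failed_targets}


def hostile_share(conns, scanners):
    """Return (share of connections, share of packets) attributable to scanners."""
    total_conns = len(conns)
    total_pkts = sum(c.pkts for c in conns)
    hostile_conns = sum(1 for c in conns if c.src in scanners)
    hostile_pkts = sum(c.pkts for c in conns if c.src in scanners)
    return hostile_conns / total_conns, hostile_pkts / total_pkts


def report(conns, min_failed_targets=5):
    """Convenience wrapper: classify, then return the two shares and the scanner set."""
    scanners = flag_scanners(conns, min_failed_targets)
    by_conn, by_pkt = hostile_share(conns, scanners)
    return scanners, by_conn, by_pkt


if __name__ == "__main__":
    scanners, by_conn, by_pkt = report(SAMPLE)
    print(f"scanners: {sorted(scanners)}")
    print(f"hostile share by connection: {by_conn:.1%}")
    print(f"hostile share by packet:     {by_pkt:.4%}")
```

On the constructed sample the scanner owns 80% of the connections but well under 0.1% of the packets, which is the same shape as the LBL figures quoted in the message. The single REJ from 10.0.0.7 is not flagged because one failed target is below the threshold; tuning that threshold (and deciding whether to count S0 and REJ alike) is where a real deployment spends its effort.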
This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 11:29:12 PDT