Thanks to all those who responded. I have some further questions that will help my research. What percentage of the incoming traffic is dropped by your firewall/IPS/IDS rules? That is, what is the percentage of traffic DROPPED before it enters your network? Any answers are much appreciated.

- Regards,
Piyush

==========================
Piyush Bhatnagar, CISSP
piyushat_private
==========================

----- Original Message -----
From: "Vern Paxson" <vernat_private>
To: "David Klotz" <klotzat_private>
Cc: "'Piyush Bhatnagar'" <piyushat_private>; <incidentsat_private>
Sent: Friday, July 11, 2003 3:43 AM
Subject: Re: Information Needed on Malicious Traffic

> > I can't find a reference to this now, but at Vern Paxson's talk at the
> > 1999 USENIX Workshop on Intrusion Detection he claimed that malicious
> > packets and broken packets are essentially indistinguishable.
>
> More specifically, *some* malicious packets (in particular, those used to
> facilitate evasion) look a lot like the broken-but-benign packets that
> you see in any large traffic stream. This is discussed further in the
> section on "crud" in the Computer Networks version of the Bro paper:
>
> http://www.icir.org/vern/papers/bro-CN99.html
>
> That said, however, most malicious packets (e.g., scans) don't look broken.
> So in principle, it would be possible to cobble together some sort of
> estimate regarding the portion of traffic that's hostile. The particular
> number is going to depend a lot on the units. For example, LBL exchanges
> around 1.5 billion packets/day - virtually all of these, proportionally,
> are benign. On the other hand, it engages in around 9 million distinct
> TCP connections or attempted connections a day (at least, that was yesterday's
> figure), and a good chunk of these are hostile (scans), perhaps more than
> half.
>
> Vern
>
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training sessions,
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to
> "underground" security specialists. See for yourself what the buzz is about!
> Early-bird registration ends July 3. This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
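Vern's point that the "hostile fraction" depends on the unit you count in can be checked directly against firewall logs. The script below is an added example, not code from the thread; it assumes a simplified one-line-per-packet log format (constructed here) and treats each distinct (src, dst, proto, dport) tuple as one connection attempt.

```python
import re
from collections import defaultdict

# Assumed simplified firewall log format: "<ACTION> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)$"
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def hostile_fractions(lines):
    """Return (dropped fraction by packet, hostile fraction by connection attempt).

    A connection attempt is a distinct (src, dst, proto, dport) tuple; it is
    counted as hostile when the firewall dropped every packet belonging to it.
    """
    packets = dropped = 0
    per_conn = defaultdict(lambda: [0, 0])  # key -> [accepted, dropped]
    for rec in parse(lines):
        packets += 1
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        if rec["action"] == "DROP":
            dropped += 1
            per_conn[key][1] += 1
        else:
            per_conn[key][0] += 1
    if packets == 0:
        return 0.0, 0.0
    hostile = sum(1 for acc, drp in per_conn.values() if acc == 0 and drp > 0)
    return dropped / packets, hostile / len(per_conn)

def constructed_log():
    """Constructed sample: two real web sessions of 20 accepted packets each,
    plus ten single-SYN probes against closed ports, every one dropped."""
    lines = []
    for src in ("10.0.0.5", "10.0.0.6"):
        lines += [f"ACCEPT SRC={src} DST=192.0.2.10 PROTO=TCP DPT=80"] * 20
    for port in range(1, 11):
        lines.append(f"DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={port}")
    return lines

if __name__ == "__main__":
    pkt, conn = hostile_fractions(constructed_log())
    print(f"dropped by packet: {pkt:.0%}, hostile by connection attempt: {conn:.0%}")
    # dropped by packet: 20%, hostile by connection attempt: 83%
```

The same log yields 20% when counted in packets and 83% when counted in connection attempts, which is why any answer to the "percentage dropped" question needs its unit stated alongside it.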
This archive was generated by hypermail 2b30 : Sun Jul 13 2003 - 10:46:39 PDT