jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
| reply to Link Logger
Re: Difference a year makes, good news, bad news
This is the part I found particularly interesting:
. . . about 60% of all logged events of all traffic logged which includes both inbound and outbound traffic, are inbound scans and attacks Taken in conjunction with your earlier statement that you found over a 300% increase in the number of scans (over the past year), that would suggest to me that, within another year or so, the ratio of unsolicited scans to authentic traffic is gonna start approaching the proportion of spam to authentic e-mail!
--
Regards, Joseph V. Morris |
|
astirusty
Premium
join:2000-12-23
Henderson, NV
 ·AT&T Southwest
| said by jvmorris  :This is the part I found particularly interesting: . . . about 60% of all logged events of all traffic logged which includes both inbound and outbound traffic, are inbound scans and attacks Taken in conjunction with your earlier statement that you found over a 300% increase in the number of scans (over the past year), that would suggest to me that, within another year or so, the ratio of unsolicited scans to authentic traffic is gonna start approaching the proportion of spam to authentic e-mail! Maybe when the beancounters at the ISPs start realizing the costs of all the scans (in wasted bandwidth) they will finally decide to act jointly with other ISPs to put an end to it.
1) Start egress and ingress filtering and logging.
2) Start disconnecting users that have systems that are scanning (based on logs).
3) Charge a reinstatement fee for users that were disconnected for systems that were scanning (and SPAMMING).
4) Join together to put some serious pressure on OS vendors that have produced easy to hack systems that come by default with minimal security turned on.
Ohhh, never mind I just woke up and I am back to reality now... They will simply charge everyone higher connection fees. |
|
jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
| I think there is a certain amount of ingress filtering, at least, being done by at least some ISPs. I did a quick check on the unsolicited inbound probes against my current IP address early this morning, fully 60% of them came from within my own Class B subnet, virtually all of which is (supposedly) residential/home DSL customers. So my ISP must be doing some sort of ingress filtering, at least. (I think Blake's experiences with Shaw(?) show an even higher percentage of users within his own subnet.
If it's now mostly within the subnet (as in my case), then more ingress and outgress filtering is unlikely to do much, I think. Of course, if my ISP simply shut down port 445 probes on its internal routers (within the subnet, that is) that would produce a 50% drop in the number of probes I'm seeing presently here. I don't think there's any practical reason why Port 445 traffic needs to be running around even within an ISP's subnet and that would undoubtedly have a certain impact on the load of the ISP's internal routers. (I've no idea how easy/difficult this is to do with that kind of router, which is far different from what we have in SOHO NAT routers, however.)
--
Regards, Joseph V. Morris |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| reply to jvmorris
In Feb/2005 80% of all inbound 445 scans came from my local netblock x.*.*.*, drilling into this almost 98% came from x.x.*.* and at this level we see the spread of source for 445 scans. Hence you can say the most prevalent worms only vary the last two number of your IP Address when scanning. So if my local ISP wanted to drop their network bandwidth and load, they could by cleaning up locally infected systems or filtering various ports like 445.
I will add these three charts to my page which show this.
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
|  Now that is an interesting set of graphics! 
But the last one is kinda scary! (That's the various Class C subnets there, isn't it?)
--
Regards, Joseph V. Morris |
|
astirusty
Premium
join:2000-12-23
Henderson, NV
·AT&T Southwest
| reply to Link Logger
said by Link Logger :drilling into this almost 98% came from x.x.*.* and at this level we see the spread of source for 445 scans. So if we want to clean up the internet of all these scans - we just need to get your entire sub-domain blocked?!?  
On a serious note, this information is very interesting. I am taking a SWAG here, but the viruses/worms are setup this way so they draw less attention? Because the hackers know (or believe) the ISPs have not in the past monitored or filtered at these levels?? |
|
