jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

Re: Difference a year makes, good news, bad news

This is the part I found particularly interesting:

. . . about 60% of all logged events of all traffic logged which includes both inbound and outbound traffic, are inbound scans and attacks
Taken in conjunction with your earlier statement that you found over a 300% increase in the number of scans (over the past year), that would suggest to me that, within another year or so, the ratio of unsolicited scans to authentic traffic is gonna start approaching the proportion of spam to authentic e-mail!
--
Regards, Joseph V. Morris
astirusty
Premium
join:2000-12-23
Henderson, NV
·AT&T Southwest

Re: Difference a year makes, good news, bad news

said by jvmorris:

This is the part I found particularly interesting:

. . . about 60% of all logged events of all traffic logged which includes both inbound and outbound traffic, are inbound scans and attacks
Taken in conjunction with your earlier statement that you found over a 300% increase in the number of scans (over the past year), that would suggest to me that, within another year or so, the ratio of unsolicited scans to authentic traffic is gonna start approaching the proportion of spam to authentic e-mail!
Maybe when the beancounters at the ISPs start realizing the costs of all the scans (in wasted bandwidth) they will finally decide to act jointly with other ISPs to put an end to it.
1) Start egress and ingress filtering and logging.
2) Start disconnecting users that have systems that are scanning (based on logs).
3) Charge a reinstatement fee for users that were disconnected for systems that were scanning (and SPAMMING).
4) Join together to put some serious pressure on OS vendors that have produced easy to hack systems that come by default with minimal security turned on.

Ohhh, never mind I just woke up and I am back to reality now... They will simply charge everyone higher connection fees.

jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

Re: Difference a year makes, good news, bad news

I think there is a certain amount of ingress filtering, at least, being done by at least some ISPs. I did a quick check on the unsolicited inbound probes against my current IP address early this morning; fully 60% of them came from within my own Class B subnet, virtually all of which is (supposedly) residential/home DSL customers. So my ISP must be doing some sort of ingress filtering, at least. (I think Blake's experiences with Shaw(?) show an even higher percentage of users within his own subnet.)

If it's now mostly within the subnet (as in my case), then more ingress and outgress filtering is unlikely to do much, I think. Of course, if my ISP simply shut down port 445 probes on its internal routers (within the subnet, that is) that would produce a 50% drop in the number of probes I'm seeing presently here. I don't think there's any practical reason why Port 445 traffic needs to be running around even within an ISP's subnet and that would undoubtedly have a certain impact on the load of the ISP's internal routers. (I've no idea how easy/difficult this is to do with that kind of router, which is far different from what we have in SOHO NAT routers, however.)
--
Regards, Joseph V. Morris

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

[Chart: *.*.*.*]
[Chart: x.*.*.*]
[Chart: x.x.*.*]
In Feb/2005 80% of all inbound 445 scans came from my local netblock x.*.*.*, drilling into this almost 98% came from x.x.*.* and at this level we see the spread of source for 445 scans. Hence you can say the most prevalent worms only vary the last two numbers of your IP address when scanning. So if my local ISP wanted to drop their network bandwidth and load, they could by cleaning up locally infected systems or filtering various ports like 445.

I will add these three charts to my page which show this.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
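
The breakdown in the post above (share of inbound port 445 probes from the same x.*.*.* block, then from the same x.x.*.* block, then the spread below that) can be reproduced from any firewall log. This is an added example, not part of the thread and not Link Logger's code; the log format, the sample lines, the local address 10.20.5.9 and the function name are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a made-up firewall log format (not Link Logger's).
SAMPLE_LOG = """\
2005-02-14 03:12:55 IN TCP 10.20.33.7:4021 -> 10.20.5.9:445
2005-02-14 03:13:02 IN TCP 10.20.33.7:4022 -> 10.20.5.9:445
2005-02-14 03:15:40 IN TCP 10.20.118.201:1377 -> 10.20.5.9:445
2005-02-14 03:19:11 IN TCP 10.20.7.64:2950 -> 10.20.5.9:445
2005-02-14 03:21:48 IN TCP 10.77.4.12:3310 -> 10.20.5.9:445
2005-02-14 03:30:05 IN TCP 198.51.100.23:4410 -> 10.20.5.9:445
2005-02-14 03:31:19 IN TCP 10.20.90.3:1201 -> 10.20.5.9:135
2005-02-14 03:40:27 OUT TCP 10.20.5.9:1044 -> 192.0.2.80:80
"""

LINE = re.compile(r"^\S+ \S+ (IN|OUT) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def scan_locality(log_text, local_ip, port=445):
    """Classify inbound probes to `port` by how much of the source address
    matches ours: same /16 (x.x.*.*), same /8 only (x.*.*.*), or elsewhere."""
    net8 = ipaddress.ip_network(f"{local_ip}/8", strict=False)
    net16 = ipaddress.ip_network(f"{local_ip}/16", strict=False)
    buckets = Counter()
    per_slash24 = Counter()  # spread of sources inside our /16, per /24
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        # Skip unparsable lines, outbound traffic, and other destination ports.
        if not m or m.group(1) != "IN" or int(m.group(5)) != port:
            continue
        src = ipaddress.ip_address(m.group(3))
        if src in net16:
            buckets["same_16"] += 1
            per_slash24[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
        elif src in net8:
            buckets["same_8_only"] += 1
        else:
            buckets["elsewhere"] += 1
    total = sum(buckets.values())
    in8 = buckets["same_16"] + buckets["same_8_only"]
    return {
        "total": total,
        "pct_from_same_8": round(100 * in8 / total, 1) if total else 0.0,
        "pct_of_those_in_same_16": round(100 * buckets["same_16"] / in8, 1) if in8 else 0.0,
        "sources_by_24": dict(per_slash24),
    }

if __name__ == "__main__":
    print(scan_locality(SAMPLE_LOG, "10.20.5.9"))
```
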

jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

Re: Difference a year makes, good news, bad news

Now that is an interesting set of graphics!

But the last one is kinda scary! (That's the various Class C subnets there, isn't it?)
--
Regards, Joseph V. Morris
astirusty
Premium
join:2000-12-23
Henderson, NV
·AT&T Southwest

said by Link Logger:

drilling into this almost 98% came from x.x.*.* and at this level we see the spread of source for 445 scans.
So if we want to clean up the internet of all these scans - we just need to get your entire sub-domain blocked?!?

On a serious note, this information is very interesting. I am taking a SWAG here, but the viruses/worms are set up this way so they draw less attention? Because the hackers know (or believe) the ISPs have not in the past monitored or filtered at these levels??