NETI@home Data Analyzed

An anonymous reader writes "The NETI@home Internet traffic statistics project (featured in Wired and Slashdot previously) has a quick analysis on the malicious traffic they observed. It's a rough world out there." Perhaps not suprising, but still disheartening, the researchers find among other things that a large portion of typical end-user traffic consists of malicious connection attempts.

Re:RBL of infected/malicious sites?

[14erCleaner]

It would be nice if I could filter, say, ssh traffic coming from "known" naughty sites

From the abstract of their paper:

Finally, we look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range.

So the answer is no, you can't filter effectively for bad sites.

malicious?

[delirium+of+disorder]

I've only scimmed the paper, but from the looks of it, a lot of not all that harmful trafic could be labeled "malicious", for example nmap port scans. I use them all the time, not to find valunerable services, but for more general sysadmin stuff.

Re:Root of the problem

[Wolf2989]

Ahh but herein lies the problem. As a previous employee of an ISP we'd be willing to bend over backwards to make a customer happy. This means NOT turning off their access when we detected a worm/trojan etc. Sure, we would null route their IP's if they were partaking in a DDOS or something, but a simple virus we'd *help* them by informing them. You don't make money in this world by shutting people off. I for one say null route them, but you have to think of it from a reality standpoint (Regardless of how askew that standpoint may be).

Re:RBL of infected/malicious sites?

[glesga_kiss]

There are some. This site has several different blocklists, such as ad-hosts, anti-p2p bodies, spyware companies, hackers, trackers, trojans etc. The link above lists what's available. Sure, the lists aren't 100% acurate, but they are a lot better than nothing.

Very highly recommended. With the case of p2p, it's good to keep your head down. It's the tall ones that get their heads chopped off...

They also have software to convert the lists to various formats for use in different firewalls. iptables fans should check out "linblock". Beware though, a large list can take an hour to parse on your typical recycled firewall box, but the tool merges the ranges to keep the tables as short as possible.

Recent Worms DO organize to manage utilization

[billstewart]

Most of the interesting recent viruses *do* have some level of organization to reduce duplication of effort, and the postulated "Warhol Worms" designed to take over the entire Internet in 15 minutes would need to do so, because otherwise they're not as effective. Some of them pre-scan the net to find a list of vulnerable machines to infect first, and then haul around parts of the list. Others partition the address space quasi-deterministically (e.g. Phase 1 scans all of the valid /8 address spaces until it's infected some machine in each one, Phase 2 scans all of the 256 /16 address spaces within its /8 until it's affected one in each, Phase 3 scans all of the 256 /24 addresses within its /16, Phase 4 scans all the 256 addresses within its /24.

Code Red II implemented a randomized variant on this: "1/8th of the time, CodeRedII probes a completely random IP address. 1/2 of the time, CodeRedII probes a machine in the same /8 (so if the infected machine had the IP address 10.9.8.7, the IP address probed would start with 10.), while 3/8ths of the time, it probes a machine on the same /16 (so the IP address probed would start with 10.9.)" It means the worms don't have to keep track of phases, but it gets similar effects, and while there is more chance of overlap, it's not too high until the worm's infected most of the net, and the added random searches help make up for machines that didn't successfully infect their netblocks due to firewalls or failures or simple slowness.

At least one worm that took this sort of approach had a bad random number generator, so it kept hitting the same territory too hard and missing other wide-open spaces, which protected a few parts of the net from infection.

List of Zombie Blocklists (+ other Bad-Site-BLs)

[billstewart]

Spamlinks's list of Zombie Blocklists also has other types of block lists on that page (RBLs, Open Proxy blocklists, Known Spammer blocklists, etc.).