One million, seven hundred thousand security alerts during a two-week stretch in July seems like a lot. But it doesn't faze John Clarke, general manager of i-Trap Internet Security Services.
Clarke and his team of security analysts monitor three intrusion-detection sensors that sit on the backbone of a regional ISP in Cleveland and weed out the serious attacks from the Internet background noise that reaches out and touches the network daily.
To Clarke, it's all a matter of perspective.
With a minimum of 3.3 billion packets flowing across this network backbone in any given two-week period, having only 0.052% of those packets tagged as possible security events is not all that worrisome. However, that number of alerts has tripled in the past six months. And that is scary.
If you drill down, of those 1.7 million alerts, 120,000 are likely false positives, a conservative estimate based on i-Trap's experience.
Another 765,000 are alerts that are triggered by network scanning operations, rather than actual attacks.
That brings the number of potentially serious attacks down to 800,000.
Bringing it down one more notch, an average corporate customer with a midsize network served by this ISP likely would see 32,000 security alerts in any recent two-week period.
Thirty-two thousand is certainly better than 1.7 million, but the frightening fact is that it takes only one dangerous attack to wreak havoc on your network. The point is, you still have to watch these alerted events carefully over a period of time to ascertain what's noise and what's noxious.
Based on the long-term view of the monitored network, we asked Clarke and his team to weed through our data set and pinpoint the top 10 red flags. Here they are in order of volume.
1: Snort alert: Proxy rules
Number of alerts: 592,171
Possible malicious intent: Use proxy as spam relay
Almost all of these are inbound scans. If an attacker finds an open proxy server, he can use it as a jumping-off point to disguise his identity and launch attacks against other hosts (or, as the rule name suggests, to relay spam). A change in the pattern here, for example outbound proxy alerts appearing where before there were only inbound scans, would alert us that a proxy has been found and is being used.
2: Snort alert: MS-SQL Worm propagation attempt OUTBOUND
Number of alerts: 373,107
Possible malicious intent: Worm propagation
This alerts us that one of our customers has caught the MS-SQL Slammer worm and that the infected machine is attempting to spread it. In this case, one source address inside the network was responsible for hitting 99.9% of the destination IP addresses, which shows that the worm was probing addresses at random but sending only one attempt to each target (Slammer fits in a single UDP packet, so one attempt is all it needs). The ISP does not want its customers contributing to the worm propagation problem, so it notifies the customer who owns the infected machine before complaints arrive from other networks.
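The "one source hits nearly every destination, once each" pattern described above is something an analyst can check mechanically rather than by eye. The script below is an added example, not i-Trap's tooling or anything from the original article: it parses alert lines in Snort's "fast" output format, groups the outbound worm alerts by internal source, and flags a source as a randomly scanning worm when it accounts for most of the unique destinations seen and never sends more than one attempt to any of them. The alert lines, timestamps, rule IDs, addresses and the 90% share threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert line (alert_fast output), e.g.
#   07/12-03:14:22.123456 [**] [1:2004:7] MSG [**] [Classification: ...] [Priority: 2] {UDP} SRC:SPORT -> DST:DPORT
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SLAMMER_MSG = "MS-SQL Worm propagation attempt OUTBOUND"


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None


def outbound_worm_report(lines, msg=SLAMMER_MSG, share_threshold=0.9):
    """Group outbound worm alerts by internal source and characterise each source.

    A randomly scanning worm looks like one source reaching nearly every unique
    destination seen, with exactly one attempt per destination. A source that keeps
    hitting the same few targets does not fit that pattern and deserves a closer look
    before the customer is told they are infected. The threshold is an assumption.
    """
    attempts = defaultdict(Counter)  # src -> Counter(dst -> number of alerts)
    all_dsts = set()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["msg"] != msg:
            continue
        attempts[a["src"]][a["dst"]] += 1
        all_dsts.add(a["dst"])
    if not all_dsts:
        return {}

    report = {}
    for src, dsts in attempts.items():
        share = len(dsts) / len(all_dsts)
        max_repeat = max(dsts.values())
        report[src] = {
            "alerts": sum(dsts.values()),
            "unique_dsts": len(dsts),
            "share_of_dsts": round(share, 3),
            "max_attempts_per_dst": max_repeat,
            "worm_scan": share >= share_threshold and max_repeat == 1,
        }
    return report


def hosts_to_notify(report):
    """Sources whose traffic matches the random-scan pattern: the ISP should contact their owner."""
    return sorted(src for src, stats in report.items() if stats["worm_scan"])


def build_sample_alerts():
    """Constructed alert lines, not real sensor data: one infected host (10.7.3.21)
    hits 200 distinct addresses once each; a second host (10.7.5.8) hits one address
    three times. Timestamps, rule IDs and addresses are all made up."""
    fmt = ("07/12-03:14:{sec:02d}.000000 [**] [1:2004:7] " + SLAMMER_MSG +
           " [**] [Classification: Misc Attack] [Priority: 2] {{UDP}} {src}:{sport} -> {dst}:1434")
    lines = [fmt.format(sec=i % 60, src="10.7.3.21", sport=1024 + i, dst=f"203.0.113.{i}")
             for i in range(1, 201)]
    lines += [fmt.format(sec=s, src="10.7.5.8", sport=2048, dst="198.51.100.9") for s in (5, 6, 7)]
    return lines


if __name__ == "__main__":
    rep = outbound_worm_report(build_sample_alerts())
    for src, stats in rep.items():
        print(src, stats)
    print("notify:", hosts_to_notify(rep))
```

On the constructed data the first host reaches 200 of the 201 destinations (a 99.5% share) with one packet each and is flagged; the second host, hammering a single address, is not, which is the distinction the analysts are making when they read the 99.9% figure as a random-probing worm.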
3: Snort alert: BAD-TRAFFIC loopback traffic
Number of alerts: 26,770
Possible malicious intent: Spoofing
Of these alerts, those with a source IP address of 127.0.0.1 signify spoofed traffic: loopback addresses are never legitimately seen outside a host, so a packet carrying one on the backbone has a forged source, and tracing it back to its true origin is difficult, if not impossible. On an incorrectly configured machine (or one with out-of-date patches), this spoofing method could trick the machine into thinking it was talking to itself, giving an attacker a way to send spam or steal information from the target.
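Because a loopback address can never legitimately appear on the wire, the practical response at a sensor or border router is an ingress check rather than a trace. The code below is an added example, not i-Trap's or the article's own: it classifies observed packets into a forged loopback source (the spoofing case discussed above), a loopback destination that could never be delivered, or ordinary traffic, and splits them into forward and drop lists. It assumes the observation point records the interface name (so genuine host-local traffic on `lo` is left alone); the packet tuples and addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# RFC 1122: addresses of the form 127.x.x.x must not appear outside a host.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


class Packet(NamedTuple):
    iface: str  # interface the sensor or border router saw the packet on (assumed available)
    src: str
    dst: str


def loopback_verdict(pkt):
    """Classify a packet the way an analyst reading the BAD-TRAFFIC loopback alert would.

    'spoofed_source':  a 127/8 source on a real interface; the true origin is unknown
    'bad_destination': a 127/8 destination on a real interface; it could never be delivered
    'ok':              anything else, including genuine loopback traffic on 'lo'
    """
    if pkt.iface == "lo":
        return "ok"
    if ipaddress.ip_address(pkt.src) in LOOPBACK:
        return "spoofed_source"
    if ipaddress.ip_address(pkt.dst) in LOOPBACK:
        return "bad_destination"
    return "ok"


def ingress_filter(packets):
    """Split packets into those to forward and those to drop at the border, with a per-verdict tally."""
    forward, drop, tally = [], [], defaultdict(int)
    for pkt in packets:
        verdict = loopback_verdict(pkt)
        tally[verdict] += 1
        (forward if verdict == "ok" else drop).append(pkt)
    return forward, drop, dict(tally)


# Constructed packets, not captured traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    Packet("eth0", "127.0.0.1", "198.51.100.20"),    # forged loopback source: spoofed
    Packet("eth0", "203.0.113.7", "127.0.0.1"),      # loopback destination arriving from the wire
    Packet("lo", "127.0.0.1", "127.0.0.1"),          # host-local: fine
    Packet("eth0", "203.0.113.7", "198.51.100.20"),  # ordinary transit: fine
]

if __name__ == "__main__":
    fwd, dropped, tally = ingress_filter(SAMPLE_PACKETS)
    print("tally:", tally)
    for pkt in dropped:
        print("drop", pkt, loopback_verdict(pkt))
```

Dropping at the border is the right action precisely because the source cannot be traced: there is no one to contact, so the only useful move is to make sure the packet never reaches a customer host that might be fooled into answering itself.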