How dangerous is the Internet anyway? We've all read about cyberterrorists, identity thieves, industrial saboteurs, credit card crooks, Web site vandals, hackers, crackers and script kiddies. But just how bad is it? Who's out there? Where are they coming from? And what do they want?
To answer these questions, we took a snapshot of Internet activity from three angles: on the Internet backbone for a look at raw traffic; directly outside an enterprise network; and at the firewall level of a group of corporate customers.
To see malicious traffic directly on the Internet backbone, we consulted i-Trap Internet Security Services in Cleveland. I-Trap tracked and analyzed a two-week sampling of surreptitious Internet activity collected from a regional ISP's trio of Snort-based intrusion-detection sensors. This data provides an in-depth view of attacks being thrown at corporate networks once the hackers have completed their scans and know their targets.
We tapped into an intrusion tracking and prevention system built by ForeScout Technologies sitting on the edge of a 10,000-node enterprise network serving Israel's largest university. There we could track what network reconnaissance was being done and pinpoint exactly which hackers were coming back to do damage.
We also tracked firewall logs for 24 corporate customers on i-Trap's network. (See an online chart showing the most frequently blocked ports.)
What we found is, well, in a word, spooky - in terms of the sheer number of scans coming at any given network, the variety of ways hackers are looking to get into your network, the tenacity these hackers show and the fact that these attacks are coming at you from all corners of the globe, day and night.
Here's what we found:
• The amount of potentially dangerous Internet traffic has tripled in some cases in just the past six months.
• Reconnaissance is a key contributor to the Internet background noise. Our samples show that between 45% and 55% of suspicious activity is hackers scanning for targets.
• Most hack attempts are the result of automated, scripted attacks launched from previously compromised machines.
• The main reasons hackers targeted these networks were to find computers they could use to relay spam, locate extra storage space for illicit files, and to take over machines that could be used as launching points for future attacks.