Incidentally, most of what they see is automated attacks.
We have 2 class C spaces, and
SQL Slammer hits us approximately once/second. Thats about 86,000 times/day. We've seen that get up to 150,000 times on a bad day. And that's just on a very limited number of IPs, and just for a single worm; scale that up to the 25,000 computers they mentioned in their report, and I'd predict that they see SQL Slammer 4.8 million times/day:
We have 512 IPs
We see slammer 100,000 times/day
They have 25000
(25000 / 512) * 100,000
= They see it 4,882,813 times/day
If you start counting Sasser and Blaster, you'll probably see even more attacks (but it's harder to detect those, since they require a TCP session to be established before they can be detected and the firewall blocks that). Then if you start looking at bots that use automated attacks (like
this one and even
this one, you start to see an awful lot of noise on the Internet.
I'm guessing that in their report, they are including all the automated bots/worms that are constantly scanning. Which means there are actually very few targetting hacking attacks, but there is a TON of noise on the wires.
This is why ISPs should be proactive, like mine, and block ports. Mine blocks 135, 139, 445 (Windows - Sasser/Blaster/Zotob/etc), 1433, 1434 (SQL Slammer, Saphire, etc) as well as commonly used trojan ports. This isn't going to solve every problem ever made, but it's going to clean it up a lot. I see very few automated attacks coming across my line.
