LANL attack statistics

Started by zorm, August 25, 2005, 11:02:48 PM

zorm

http://www.lamonitor.com/articles/2005/08/25/headline_news/news03.txt
Quote
On a $15 million a year budget, Los Alamos National Laboratory is waging a daily battle against a barrage of threats to its computer network.

Alexander D. Kent, deputy group leader for the lab's network engineering group, said 25,000 computers processing about 850 gigabytes of data in 20 million legitimate sessions a day are facing a growing risk.

A graph of Internet sessions between May and mid-August this year shows at least five million "malicious" sessions on slow days and 10-15 million during peaks.

On weekends, when LANL activity slows, 90 percent or more of the computer activity appears to be malicious.

Malicious activity could mean anything from a sophisticated hacker or terrorist or a foreign intelligence operative to unsophisticated pranksters and adolescent mischief.

The lab protects itself with network firewalls for its public network and "air gaps" - compartmentalization - for its classified net.

The numbers they have given are rather impressive. I'd never have thought that they would be getting 5 million on slow days.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

deadly7

What IS the Los Alamos National Laboratory?

iago

Incidentally, most of what they see is automated attacks. 

We have 2 class C spaces, and SQL Slammer hits us approximately once/second.  That's about 86,000 times/day.  We've seen that get up to 150,000 times on a bad day.  And that's just on a very limited number of IPs, and just for a single worm; scale that up to the 25,000 computers they mentioned in their report, and I'd predict that they see SQL Slammer 4.8 million times/day:

We have 512 IPs
We see slammer 100,000 times/day
They have 25000
(25000 / 512) * 100,000
= They see it 4,882,813 times/day

If you start counting Sasser and Blaster, you'll probably see even more attacks (but it's harder to detect those, since they require a TCP session to be established before they can be detected and the firewall blocks that).  Then if you start looking at bots that use automated attacks (like this one and even this one), you start to see an awful lot of noise on the Internet.

I'm guessing that in their report, they are including all the automated bots/worms that are constantly scanning.  Which means there are actually very few targeted hacking attacks, but there is a TON of noise on the wires.

This is why ISPs should be proactive, like mine, and block ports.  Mine blocks 135, 139, 445 (Windows - Sasser/Blaster/Zotob/etc), 1433, 1434 (SQL Slammer, Sapphire, etc) as well as commonly used trojan ports.  This isn't going to solve every problem ever made, but it's going to clean it up a lot.  I see very few automated attacks coming across my line.
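
An added example, not part of the original post: one way to measure how much of a firewall's drop log is worm-port noise, using the ports listed above, and to repeat the post's per-address extrapolation. The iptables-LOG-style record format, the sample records and the function names are assumptions constructed for illustration; the scaling assumes hits are spread evenly across addresses, as the post's estimate does.

```python
import re
from collections import Counter

# Ports named in the post, grouped the way the post groups them (by port only).
WORM_PORTS = {
    135: "Windows (Sasser/Blaster/Zotob)",
    139: "Windows (Sasser/Blaster/Zotob)",
    445: "Windows (Sasser/Blaster/Zotob)",
    1433: "SQL (Slammer/Sapphire)",
    1434: "SQL (Slammer/Sapphire)",
}
FIELD = re.compile(r"\b(DST|PROTO|DPT)=(\S+)")

# Constructed sample: iptables-LOG-style drop records, documentation addresses only.
SAMPLE_LOG = """\
Aug 25 23:02:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4021 DPT=1434
Aug 25 23:02:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.77 PROTO=UDP SPT=1190 DPT=1434
Aug 25 23:02:02 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3310 DPT=445
Aug 25 23:02:03 fw kernel: DROP IN=eth0 SRC=203.0.113.40 DST=192.0.2.12 PROTO=TCP SPT=2044 DPT=135
Aug 25 23:02:04 fw kernel: DROP IN=eth0 SRC=198.51.100.88 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=22
Aug 25 23:02:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.200 PROTO=ICMP TYPE=8 CODE=0
"""

def classify(line):
    """Return the worm-port label for one drop record, 'other', or None if unparsable."""
    fields = dict(FIELD.findall(line))
    if "DST" not in fields or "PROTO" not in fields:
        return None
    if fields["PROTO"] not in ("TCP", "UDP") or not fields.get("DPT", "").isdigit():
        return "other"  # e.g. ICMP carries no destination port
    return WORM_PORTS.get(int(fields["DPT"]), "other")

def summarize(log_text):
    """Count drop records per label and return the share that hit worm ports."""
    counts = Counter(filter(None, map(classify, log_text.splitlines())))
    total = sum(counts.values())
    noise = total - counts["other"]
    return counts, (noise / total if total else 0.0)

def extrapolate(hits_per_day, monitored_ips, target_ips):
    """Scale a per-day hit count linearly by address count, as the post does."""
    return hits_per_day * target_ips / monitored_ips

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    print(dict(counts), f"worm-port share: {share:.0%}")
    print(f"{extrapolate(100_000, 512, 25_000):,.1f} hits/day")
```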


RoMi

It's amazing your ISP keeps port 80 open, iago; ISPs around me are beginning to block even that.
-RoMi

iago

Yeah, it's nice of them.  I don't think they plan to block port 80 (if they do, I'll switch to the other local one that is both faster and doesn't block at all instantly). 

