A few weeks ago, a coworker asked me a simple question: How much of the Internet traffic coming into our network was "junk," and how much was this unwanted traffic costing us? Before delving too deeply into his request, I asked him to define the term junk. His classification included suspected port scans, attempts to exploit known weaknesses in applications, and attempted connections to TCP and UDP services on hosts that didn't provide those services.
He asked me to generate a list of offending networks that were the source of junk traffic in the past 30 days. At first, it seemed almost too easy. However, after only a few hours of work, I realized I had underestimated how involved a task it really was.
Finally, after a few days of work, I managed to produce a rather comprehensive list of IP addresses that were sources of junk data. I used a variety of means to gather this data, including NetFlow data, system log files, Snort, and a darknet.
In all, approximately 2.8 million distinct IP addresses from all over the world were responsible for junk traffic on my organization's network in the past month. And keep in mind that this doesn't include delivered junk e-mail.
Next, I needed to somehow organize these different IP addresses into networks and identify where all the junk was coming from. And this isn't exactly a simple task when you're dealing with so much data.
Since my first step was to aggregate the data, I decided to get a list of the delegated Internet networks from the FTP site of the American Registry for Internet Numbers (ARIN). However, ARIN uses the Border Gateway Protocol (BGP), and the smallest network I could focus on was a /24 or Class C network because of how BGP works.
An hour or two of coding and testing later, and I had an aggregation tool that ordered the junk-sending IP addresses into worldwide networks. Of the approximate 250,000 network paths obtained from ARIN and the 2.8 million junk-sending IP addresses, I had a list of roughly 40,000 networks that were responsible for junk traffic on my organization's network in the past month.
Next, I used another program to separate the collected data by country into ARIN (North America, the Caribbean, and Southern Africa), APNIC (Asia and the Pacific region), LACNIC (Latin America and the Caribbean), and RIPE (Europe, the Middle East, Central Asia, and Northern Africa) network information. That's when some interesting statistics began to emerge.
Statistically, the majority of junk IP addresses came from inside the United States, which isn't surprising. There are millions of Trojaned Windows systems on the Internet—especially on broadband networks—and the majority of these systems are in the United States. Hackers worldwide regularly organize large numbers of compromised Windows systems into "botnets" and use them for massive DoS attacks or other nefarious activities.
Second on the list for junk Internet traffic was China. This is somewhat ironic given the country's strict controls on Internet usage and the millions of dollars spent on its "Great Firewall of China."
It's a good bet, however, that China is more concerned about what's coming into the country via the Internet than what's going out—and that's probably why so many junk e-mail organizations use Internet services in China. Anyone with a "spam-trap" e-mail account can easily confirm that China is a major source of junk e-mail.
If someone wants to send junk e-mail, there are plenty of places in China to send it from, and many spam reporting services can confirm this. In any case, the fact that so many China-delegated IP addresses scanned for SMTP and various TCP proxy services made it number two on my junk list.
Rounding out the top five on my list of junk Internet traffic sources were France, Belgium, and Germany. The remaining individual countries didn't make the bell curve for the top five, so I simply summed their totals.
Based on the total amount of incoming data for the 30 days in question, my report showed that approximately 7 percent of all incoming Internet traffic to my organization's network fell under the junk traffic classification. Estimating the cost for bandwidth at about $50 per megabit per second, the junk traffic costs my organization about $255 per month—or about $3,060 annually.
However, when compared to our total bandwidth costs, this amount is pretty inconsequential—and not worth doing anything about. The effort required to contact the people who manage the networks the junk comes from just wouldn't justify the expense, and most of them probably wouldn't do anything about the problem anyway. So, like many other Internet problems, the best solution to dealing with junk Internet traffic is to do nothing at all.
Miss an issue?
Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.
Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.