A few weeks ago, a coworker asked me a simple question: How
much of the Internet traffic coming into our network was “junk,” and
how much was this unwanted traffic costing us? Before delving too deeply into
his request, I asked him to define the term junk.
His classification included suspected port scans, attempts to exploit known
weaknesses in applications, and attempted connections to TCP and UDP services
on hosts that didn’t provide those services.
He asked me to generate a list of offending networks that
were the source of junk traffic in the past 30 days. At first, it seemed almost
too easy. However, after only a few hours of work, I realized I had underestimated
how involved a task it really was.
Finally, after a few days of work, I managed to produce a
rather comprehensive list of IP addresses that were sources of junk data. I
used a variety of means to gather this data, including NetFlow data, system log files,
Snort, and a darknet.
In all, approximately 2.8 million distinct IP addresses from
all over the world were responsible for junk traffic on my organization’s
network in the past month. And keep in mind that this doesn’t include delivered
Next, I needed to somehow organize these different IP
addresses into networks and identify where all the junk was coming from. And this
isn’t exactly a simple task when you’re dealing with so much data.
Since my first step was to aggregate the data, I decided to
get a list of the delegated Internet networks from the FTP site of the American
Registry for Internet Numbers (ARIN). However, ARIN uses the Border Gateway
Protocol (BGP), and the smallest network I could focus on was a /24 or Class C
network because of how BGP works.
An hour or two of coding and testing later, and I had an
aggregation tool that ordered the junk-sending IP addresses into worldwide
networks. Matching the 2.8 million junk-sending IP addresses against the
approximately 250,000 network prefixes obtained from ARIN left me with roughly 40,000
networks that were responsible for junk traffic on my organization’s network in the past
Next, I used another program to separate the collected data by
country into ARIN (North America, the Caribbean, and Southern Africa), APNIC
(Asia and the Pacific region), LACNIC (Latin America and the Caribbean), and
RIPE (Europe, the Middle East, Central Asia, and Northern Africa) network
information. That’s when some interesting statistics began to emerge.
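The aggregation step described above, written out as an added example (this is not the author's tool): each distinct junk-sending address is matched against a delegation table by longest prefix, never reported finer than a /24, and then tallied per network and per registry. The delegation table and the sample addresses are constructed (documentation and benchmarking ranges), not taken from ARIN's real files.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed delegation table: (prefix, registry). Real data would come from the RIR files.
DELEGATIONS = [
    ("192.0.2.0/24", "ARIN"),
    ("198.51.100.0/24", "APNIC"),
    ("203.0.113.0/24", "RIPE"),
    ("198.18.0.0/15", "LACNIC"),   # larger than /24 on purpose, to show the collapse step
]

# Constructed junk sources; 192.0.2.10 appears twice and 10.0.0.1 has no delegation.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.10", "192.0.2.200", "198.51.100.7",
              "203.0.113.5", "203.0.113.9", "198.18.4.4", "198.19.1.1", "10.0.0.1"]

def build_table(delegations):
    """Sort most-specific prefix first so the first hit in lookup() is the longest match."""
    table = [(ip_network(prefix), rir) for prefix, rir in delegations]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def lookup(ip, table):
    """Longest-prefix match; returns (network, rir) or (None, None) if undelegated."""
    addr = ip_address(ip)
    for net, rir in table:
        if addr in net:
            return net, rir
    return None, None

def aggregate(ips, table):
    """Count distinct junk sources per network (at /24 granularity or coarser) and per RIR."""
    per_network, per_rir, unmatched = Counter(), Counter(), []
    for ip in sorted(set(ips), key=ip_address):      # distinct addresses only
        net, rir = lookup(ip, table)
        if net is None:
            unmatched.append(ip)                     # keep for a manual look, do not guess
            continue
        # Never report finer than a /24; for a larger delegation use the address's own /24.
        key = net if net.prefixlen >= 24 else ip_network(f"{ip}/24", strict=False)
        per_network[(str(key), rir)] += 1
        per_rir[rir] += 1
    return per_network, per_rir, unmatched

def run_sample():
    return aggregate(SAMPLE_IPS, build_table(DELEGATIONS))

if __name__ == "__main__":
    per_network, per_rir, unmatched = run_sample()
    for (net, rir), count in per_network.most_common():
        print(f"{net:20} {rir:7} {count} source(s)")
    print("per registry:", dict(per_rir), "unmatched:", unmatched)
```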
Statistically, the majority of junk IP addresses came from inside
the United States, which isn’t surprising. There are millions of Trojaned
Windows systems on the Internet—especially on broadband networks—and the
majority of these systems are in the United States. Hackers worldwide regularly
organize large numbers of compromised Windows systems into “botnets”
and use them for massive DoS attacks or other nefarious activities.
Second on the list for junk Internet traffic was China. This
is somewhat ironic given the country’s strict controls on Internet usage and the
millions of dollars spent on its “Great Firewall of China.”
It’s a good bet, however, that China is more concerned about
what’s coming into the country via the Internet than what’s going out—and
that’s probably why so many junk e-mail organizations use Internet services in
China. Anyone with a “spam-trap” e-mail account can easily confirm
that China is a major source of junk e-mail.
If someone wants to send junk e-mail, there are plenty of
places in China to send it from, and many spam reporting services can confirm
this. In any case, the fact that so many China-delegated IP addresses scanned
for SMTP and various TCP proxy services made it number two on my junk list.
Rounding out the top five on my list of junk Internet traffic
sources were France, Belgium, and Germany. The remaining countries each contributed
too little to make the top five, so I simply summed their totals.
Based on the total amount of incoming data for the 30 days
in question, my report showed that approximately 7 percent of all incoming
Internet traffic to my organization’s network fell under the junk traffic
classification. Estimating the cost for bandwidth at about $50 per megabit per
second, the junk traffic costs my organization about $255 per month—or about
However, when compared to our total bandwidth costs, this
amount is pretty inconsequential—and not worth doing anything about. The effort
required to contact the people who manage the networks the junk comes from just
wouldn’t justify the expense, and most of them probably wouldn’t do anything
about the problem anyway. So, like many other Internet problems, the best
solution to dealing with junk Internet traffic is to do nothing at all.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.