Inbound Traffic Report
September 1 - 17, 2004
This could be considered a baseline for background noise on the internet, as
there were no major new events during the period. The monitored system is on a
residential high-speed cable network and runs no internet services (a web
server, for example) and no P2P applications, so it advertises nothing that
would legitimately attract inbound connections.
Summary
Total Inbound Events: 129,330
Unique Sources: 14,739
Unique Ports: 181
Events: No major events occurred during this period.


The spike on September 5 was the result of ICMP traffic coming back from some
external security scans.
The spike on September 7 was the result of a LAN user playing StarCraft
online via Battle.net (TCP port 6112).

Most of the inbound traffic is from worms that use a weighted algorithm for
generating the IP addresses they scan, and this weighting favours local
netblocks: an infected host is far more likely to pick a target in its own /16
or /8 (the same first one or two octets) than anywhere else, so the bulk of
what any one address sees comes from infected machines nearby.
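The locality-weighted target selection described above, as an added example (not code from this report, and not any particular worm's generator). The weights are an assumption chosen for illustration; each real worm had its own split. The addresses are constructed: 192.0.2.10 stands in for the monitored host, and the scanners sit in its /16, in its /8 only, and in an unrelated /8. The point the numbers make is that a scanner in the same /16 is over a hundred thousand times likelier to hit this host than a scanner somewhere else on the internet.

```python
"""Locality-weighted target selection of the kind the scanning worms of
2003-2004 used. Added example, not code from the report. The weights are an
assumption for illustration; each real worm had its own split.
"""
import ipaddress
import random
from fractions import Fraction

# Assumed weighting: probability that an infected host draws its next target
# from its own /16, its own /8, or the whole IPv4 space.
WEIGHTS = {"same16": Fraction(1, 2), "same8": Fraction(1, 4), "random": Fraction(1, 4)}


def pick_target(src, rng, weights=WEIGHTS):
    """Return one scan target (dotted quad) for an infected host at `src`."""
    s = int(ipaddress.IPv4Address(src))
    bucket = rng.choices(list(weights), weights=[float(w) for w in weights.values()])[0]
    if bucket == "same16":            # keep the top 16 bits, randomise the rest
        t = (s & 0xFFFF0000) | rng.getrandbits(16)
    elif bucket == "same8":           # keep the top 8 bits
        t = (s & 0xFF000000) | rng.getrandbits(24)
    else:                             # anywhere in IPv4
        t = rng.getrandbits(32)
    return str(ipaddress.IPv4Address(t))


def hit_probability(src, observer, weights=WEIGHTS):
    """Exact probability that a single scan from `src` lands on `observer`."""
    s = int(ipaddress.IPv4Address(src))
    o = int(ipaddress.IPv4Address(observer))
    p = weights["random"] / 2**32          # every host is reachable from the random bucket
    if s >> 24 == o >> 24:
        p += weights["same8"] / 2**24      # observer is inside the scanner's /8
    if s >> 16 == o >> 16:
        p += weights["same16"] / 2**16     # ... and inside its /16
    return p


def locality_advantage(src, observer, weights=WEIGHTS):
    """How many times likelier a scan from `src` is to hit `observer` than a
    scan from a host in an unrelated /8 is (exact Fraction)."""
    return hit_probability(src, observer, weights) / (weights["random"] / 2**32)


def same16_share(src, n=4000, seed=7):
    """Fraction of n sampled targets that fall in the scanner's own /16."""
    rng = random.Random(seed)
    prefix = int(ipaddress.IPv4Address(src)) >> 16
    hits = sum(int(ipaddress.IPv4Address(pick_target(src, rng))) >> 16 == prefix
               for _ in range(n))
    return hits / n


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 is the monitored host; the scanners are
    # in its /16, in its /8 only, and in an unrelated /8.
    for scanner in ("192.0.77.5", "192.200.1.1", "203.0.113.9"):
        print(scanner, "->", int(locality_advantage(scanner, "192.0.2.10")), "x")
    print("share of targets inside own /16:", same16_share("192.0.77.5"))
```

With these weights the advantage works out to 1 + 2^8 + 2^17 = 131329 for a scanner in the same /16, 257 for one in the same /8, and 1 for everyone else; the sampled share of targets inside the scanner's own /16 comes out a little above one half, because the /8 and random buckets occasionally land there too.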


Easily the most commonly scanned ports are TCP 445 (Microsoft-DS/SMB) and TCP
135 (MS-RPC endpoint mapper), the Windows ports that the scanning worms of
2003-2004 exploit.



Spikes on September 4th and 16th are the result of external security scans
(i.e. ICMP Port Unreachable messages returned in response to the scans'
probes).
Top Five Sources


The top two sources were probably infected with Agobot variants: they scanned
multiple ports, scanned pretty hard, and were shut down fairly quickly. The
other three scanned at a much slower rate but have been scanning for far
longer.
Miscellaneous

One of our top ten scanners is a prime example of a serially infected system:
the ports it scans have changed since May, indicating that it has been
infected with different worms at different times (each worm probes the port
of the service it exploits, so a change in the port set is a change in the
infection).
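The per-source profile behind the Top Five Sources section (how hard and for how long each address scans) and the serially-infected check above, as an added example that is not the report author's tooling. It assumes a simple one-event-per-line firewall log format and runs over a constructed sample log; the addresses and port choices are illustrative, not the report's data. The serial-infection test is the same one the paragraph describes: a source seen in more than one month whose set of probed ports differs between months.

```python
"""Firewall-log roll-up of the kind behind this report: totals, top ports,
per-source scan profiles (rate and duration), and a check for serially
infected sources whose probed ports change from month to month.
Added example, not the report's tooling. Assumed log format, one event per
line: "YYYY-MM-DD HH:MM:SS PROTO SRC_IP DST_PORT".
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data; port choices are illustrative).
# 203.0.113.7 probes one port set in May and a different one in September,
# 192.0.2.50 is a fast multi-port burst, 192.0.2.9 is slow but persistent.
SAMPLE_LOG = """\
2004-05-02 01:10:03 TCP 203.0.113.7 135
2004-05-02 01:10:04 TCP 203.0.113.7 135
2004-05-03 02:15:10 TCP 203.0.113.7 4444
2004-09-04 10:00:00 TCP 203.0.113.7 445
2004-09-04 10:00:07 TCP 203.0.113.7 445
2004-09-06 09:30:00 TCP 203.0.113.7 5554
2004-09-05 13:00:00 TCP 192.0.2.50 445
2004-09-05 13:00:00 TCP 192.0.2.50 135
2004-09-05 13:00:01 TCP 192.0.2.50 139
2004-09-05 13:00:01 TCP 192.0.2.50 1025
2004-09-05 13:00:02 TCP 192.0.2.50 2745
2004-09-05 13:00:02 TCP 192.0.2.50 3127
2004-09-05 13:00:03 TCP 192.0.2.50 6129
2004-09-01 00:00:00 TCP 192.0.2.9 445
2004-09-09 00:00:00 TCP 192.0.2.9 445
2004-09-17 00:00:00 TCP 192.0.2.9 445
2004-09-10 20:00:00 UDP 192.0.2.77 1026
"""


def parse(log_text):
    """Turn log lines into (timestamp, proto, src, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, proto, src, port = line.split()
        events.append((datetime.fromisoformat(date + " " + time), proto, src, int(port)))
    return events


def summarize(events):
    """Headline numbers: total events, unique sources, unique ports, top ports."""
    return {
        "total": len(events),
        "unique_sources": len({src for _, _, src, _ in events}),
        "unique_ports": len({(proto, port) for _, proto, _, port in events}),
        "top_ports": Counter((proto, port) for _, proto, _, port in events).most_common(3),
    }


def source_profiles(events):
    """Per-source event count, ports probed, active span and scan rate."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    profiles = {}
    for src, evs in by_src.items():
        times = [t for t, _, _, _ in evs]
        span = (max(times) - min(times)).total_seconds()
        profiles[src] = {
            "events": len(evs),
            "ports": sorted({(proto, port) for _, proto, _, port in evs}),
            "span_hours": span / 3600,
            # events per hour of activity; undefined for a single event
            "events_per_hour": len(evs) * 3600 / span if span > 0 else None,
        }
    return profiles


def top_sources(profiles, n=5):
    """Source addresses ordered by event count, busiest first."""
    return sorted(profiles, key=lambda s: (-profiles[s]["events"], s))[:n]


def serially_infected(events):
    """Sources active in more than one month whose port set changed between
    consecutive months: the signature of a host reinfected by a different worm."""
    by_src_month = defaultdict(lambda: defaultdict(set))
    for t, proto, src, port in events:
        by_src_month[src][(t.year, t.month)].add((proto, port))
    flagged = {}
    for src, months in by_src_month.items():
        ordered = [months[m] for m in sorted(months)]
        if len(ordered) > 1 and any(a != b for a, b in zip(ordered, ordered[1:])):
            flagged[src] = {m: sorted(ports) for m, ports in sorted(months.items())}
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(summarize(events))
    profiles = source_profiles(events)
    for src in top_sources(profiles):
        p = profiles[src]
        print(f"{src:14} {p['events']:3d} events {len(p['ports'])} ports "
              f"{p['span_hours']:.3f} h rate/h={p['events_per_hour']}")
    for src, months in serially_infected(events).items():
        print("serially infected:", src, months)
```

On the sample data the burst source shows thousands of events per hour over a few seconds while the persistent source shows a tiny rate over sixteen days, which is exactly the "scanned hard but briefly" versus "slow but long-running" split the report draws; the month-by-month port sets single out 203.0.113.7 as the reinfected host.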

Typically, inbound traffic to ports 1026 to 1029 is Messenger spam: UDP
datagrams aimed at the Windows Messenger service to pop up advertisements.
Page last updated on September 18, 2004