Year Comparison
Link Logger for Windows

Scans and Attacks

Comparison of February 2004 to February 2005

Using Link Logger we are able to compare alerts and attacks for February 2004 and February 2005 from the same system, which shows some interesting changes in internet worms, attacks and scans.  While the number of scan/attack sources is down about 20%, the number of attacks and scans is up about 370%, and the leading types of scans and attacks have changed significantly in a year.  So we have fewer sources, but those sources scan and attack far more frequently than ever before, to the point where you would think the owners of these systems would notice a definite performance degradation.

The system used in this comparison is a home network connected using a high speed cable connection; it does not run any web services or P2P applications, so it can be considered typical of any residential connection.  The logging system has been run 7x24 for over a year and uses a ZyXEL ZyWALL 10W firewall which sends its logging information to our Link Logger product.  The Link Logger database contains about 4.5 million events logged over about 14 months, of which 2,627,170 are unsolicited inbound events (scans and attacks); so about 60% of all logged events, inbound and outbound traffic combined, are inbound scans and attacks.

[Chart: Scans and Attacks 2004]

[Chart: Scans and Attacks 2005]

Port 445 is typically the leading attack port, as it can be used for connecting to vulnerable file shares or for buffer overflow attacks.  The number of scans to this port went up by almost 310% when comparing February 2005 to February 2004.  In 2005, however, the second most scanned port is 135, which is targeted by buffer overflow exploits, whereas in 2004 port 137 was the second most scanned port, as it is used to find systems with possibly vulnerable file shares.  Port 80 scans were number 3 in February 2004, but are not even in the top 20 for February 2005.

[Chart: Scan/Attack Rates 2004]

We see the effects of the MyDoom outbreak, with its subsequent follow-up worms which exploited MyDoom's back door on port 3127, as well as the outbreak of Welchia and other worms on port 445.

[Chart: Scan/Attack Rates 2005]

[Chart: 2004 Leading Ports Scanned/Attacked]

[Chart: 2005 Leading Ports Scanned/Attacked]

[Chart: 2004 Leading Port Scanner Rate]

[Chart: 2005 Leading Port Scanner Rate]

While we see fewer unique IP addresses scanning over the month, we see more unique systems scanning per hour in February 2005, which indicates that these systems cycle through their generated IP ranges much quicker than they did before.


Looking into where the port 445 scans and attacks come from is interesting, and if you are an ISP it is very interesting.

80% of all inbound port 445 scans came from my local netblock 68.*.*.*


Drilling further into these scans, almost 98% were from 68.144.*.* (again my local netblock).


And continuing to drill in, we see that most of the worms that generate my inbound port 445 traffic tend to change only the last two numbers of an IP address.
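As an added illustration (this is not Link Logger's code or output), the script below reproduces the analyses above on a handful of constructed records: the leading destination ports, the share of port 445 hits coming from a local netblock, the drill-down from a /8 into its /16 subnets, and unique sources over the whole window versus per hour.  The record layout and all addresses are constructed for the example and do not reflect the ZyWALL log format.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
# Constructed sample of inbound blocked records: timestamp, source IP, destination port.
# The layout is our own for illustration, not the ZyWALL syslog format.
SAMPLE = """\
2005-02-01T00:05:10 68.144.12.7 445
2005-02-01T00:07:41 68.144.12.9 445
2005-02-01T00:09:02 68.144.200.3 445
2005-02-01T00:12:55 68.20.5.5 445
2005-02-01T01:02:00 68.144.12.7 445
2005-02-01T01:15:30 12.34.56.78 445
2005-02-01T01:20:00 68.144.12.9 135
2005-02-01T02:00:00 203.0.113.9 135
2005-02-01T02:30:00 68.144.12.7 445
2005-02-01T02:45:00 68.144.77.1 445
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, src, port = line.split()
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src), int(port)))
    return rows

def top_ports(rows, n=3):
    """Most scanned destination ports, like the 'Leading Ports' charts."""
    return Counter(port for _, _, port in rows).most_common(n)

def netblock_share(rows, port, prefix):
    """Fraction of hits on `port` whose source lies inside `prefix` (e.g. 68.0.0.0/8)."""
    net = ipaddress.ip_network(prefix)
    hits = [src for _, src, p in rows if p == port]
    return sum(src in net for src in hits) / len(hits) if hits else 0.0

def drill_down(rows, port, prefix, new_len):
    """Split hits on `port` from `prefix` into its /new_len subnets, most active first."""
    net = ipaddress.ip_network(prefix)
    subs = Counter(ipaddress.ip_network(f"{src}/{new_len}", strict=False)
                   for _, src, p in rows if p == port and src in net)
    return [(str(n), c) for n, c in subs.most_common()]

def unique_sources(rows):
    """Unique sources over the whole window and the average number seen per hour."""
    per_hour = defaultdict(set)
    for ts, src, _ in rows:
        per_hour[ts.replace(minute=0, second=0)].add(src)
    avg = sum(len(s) for s in per_hour.values()) / len(per_hour) if per_hour else 0.0
    return len({src for _, src, _ in rows}), avg
```

On a real export, `unique_sources` is the figure to watch: a falling monthly count alongside a rising hourly average is exactly the faster address cycling described above.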


Over the last year we have seen, for the first time, a sustained reduction in the number of monthly attacks and attackers, as shown below in a chart of the number of scans/attacks and the number of unique sources per month over the last year.


Page last updated on November 26, 2006