excerpted from http://fourmilab.ch/documents/netslum/
What comes down that pipe into your house from the outside world? Here's a snapshot, taken on March 31st, 2004, a completely typical day in all regards. The Web site racked up 682,516 hits in 56,412 visits from 44,776 distinct sites (IP addresses), delivering 14.8 gigabytes of content. That's, of course, not counting the traffic generated by the Distributed Denial of Service Attack underway since late January 2004. Whoever is responsible for this attack bombarded the site with a total of 1,473,602 HTTP request packets originating from 1951 hosts all around the world. These packets were blocked by the Gardol attack detector and packet blocker I spent much of February developing instead of doing productive work. Well, the attack this day was only half as intense as during the first wave in January. Entirely apart from this recent denial of service attack is the routine attack against Earth and Moon Viewer in which robots attempt to overload the server and/or outbound bandwidth by making repeated requests for large custom images. This attack has been underway for several years despite its impact having been entirely mitigated by countermeasures installed in October 2001; still they keep trying. This day a total of 3700 of these attacks originating from 342 distinct hosts were detected and blocked.
Moving from the Web to that other Internet mainstay, E-mail, let's take a peek at the traffic on good old port 25. This day I received 8 E-mail messages from friends and colleagues around the globe. Isn't E-mail great? But that's not all that arrived that day. . . . First of all, we have the 629 messages which were blocked as originating at IP addresses known to be open SMTP relays which permit mass junk mailers to forge the origin of their garbage. Open relays, whether due to misconfiguration or operated as a matter of principle by self-described civil libertarians, are the E-mail equivalent of leaving a live hand grenade in an elementary school playground. A peek at the sendmail log shows a total of 6,444 "dictionary spams" attempted that day. These are hosts which connect to your mail server and try names from huge lists of names culled from directories used by spammers in the hope of hitting a valid address which can be sent spam and then re-sold to other spammers. A total of 275 E-mail messages made it past these filters into the hands of sendmail for delivery, being addressed to a valid user name in my domain, usually the E-mail address which I take care not to publish on any of my Web pages. Of these, a total of 259 were correctly identified as spam by Annoyance Filter, the adaptive Bayesian junk mail filter I spent two months developing in 2002 instead of doing productive work. A total of 8 junk mail messages were "false negatives" -- misclassified as legitimate mail by Annoyance Filter (in all likelihood because I hadn't recently re-trained the filter with a collection of contemporary spam) and made it to my mailbox. This day's collection of junk mail included a total of 74 attempts to corrupt my computer with destructive worm software, thereby to enlist it in further propagating the corruption.
Since the machine on which I read mail uses none of the vulnerable Microsoft products these programs exploit, they pose no risk to me, but consider how many people with computers which are at risk without the filtering tools and the more than 35 years of computing experience I bring to the arena withstand this daily assault. This day there wasn't a single criminal fraud attempt to obtain my credit card number or other financial identity information; this was a light day; usually there's one or two. Absent the open relay block list and Annoyance Filter, I would be forced to sort through a total of 896 pieces of junk mail to read the 8 messages I wish to receive. Isn't E-mail great?
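The "dictionary spam" pattern described above (one host walking a list of guessed local names against your mail server) is easy to spot in a sendmail log: a single relay address racking up "User unknown" rejections for many distinct recipients. The following is an added example, not the author's Gardol or Annoyance Filter code; the log lines, host names and IP addresses are constructed, and the line layout approximates sendmail's check_rcpt rejection entries.

```python
import re
from collections import defaultdict

# Constructed sendmail-style log excerpt (not from the page). Host 203.0.113.7 walks
# four guessed names; 198.51.100.2 mistypes one real address and then delivers mail.
SAMPLE_LOG = """\
Mar 31 08:12:01 srv sendmail[4101]: i2V7C1xx004101: ruleset=check_rcpt, arg1=<aaron@example.org>, relay=[203.0.113.7], reject=550 5.1.1 <aaron@example.org>... User unknown
Mar 31 08:12:01 srv sendmail[4101]: i2V7C1xx004101: ruleset=check_rcpt, arg1=<abby@example.org>, relay=[203.0.113.7], reject=550 5.1.1 <abby@example.org>... User unknown
Mar 31 08:12:02 srv sendmail[4101]: i2V7C1xx004101: ruleset=check_rcpt, arg1=<abe@example.org>, relay=[203.0.113.7], reject=550 5.1.1 <abe@example.org>... User unknown
Mar 31 08:12:02 srv sendmail[4101]: i2V7C1xx004101: ruleset=check_rcpt, arg1=<abel@example.org>, relay=[203.0.113.7], reject=550 5.1.1 <abel@example.org>... User unknown
Mar 31 08:12:03 srv sendmail[4101]: i2V7C1xx004101: ruleset=check_rcpt, arg1=<aaron@example.org>, relay=[203.0.113.7], reject=550 5.1.1 <aaron@example.org>... User unknown
Mar 31 08:40:17 srv sendmail[4188]: i2V7eHxx004188: ruleset=check_rcpt, arg1=<jhon@example.org>, relay=mail.example.net [198.51.100.2], reject=550 5.1.1 <jhon@example.org>... User unknown
Mar 31 08:41:03 srv sendmail[4190]: i2V7f3xx004190: from=<friend@example.net>, size=1822, class=0, nrcpts=1, msgid=<x@example.net>, proto=ESMTP, relay=mail.example.net [198.51.100.2]
"""

# Pull the rejected recipient and the connecting IP from a check_rcpt "User unknown"
# line; the relay field may be a bare "[ip]" or "hostname [ip]".
REJECT_RE = re.compile(
    r"arg1=<(?P<rcpt>[^>]+)>, relay=[^\[]*\[(?P<ip>[0-9.]+)\].*User unknown$"
)


def dictionary_attack_hosts(log_text, threshold=3):
    """Return {ip: distinct_unknown_recipients} for hosts that probed at least
    `threshold` distinct nonexistent addresses. Distinct names, not raw rejection
    count, are used so a legitimate sender retrying one mistyped address is not flagged."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: len(names) for ip, names in probes.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(dictionary_attack_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} distinct unknown recipients (dictionary attack suspected)")
```

In practice the flagged addresses feed a temporary block list (the role Gardol plays for HTTP on this site); the threshold should sit well above the number of typos a real correspondent might make in one session.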
Ever since 1996, when a dysfunctional superannuated adolescent exploited a vulnerability in the ancient version of Solaris I then ran on my Web server to break into the server and corrupt my Web site, I've kept the local network here at Fourmilab behind a firewall configured with all the (abundant) paranoia I can summon. A firewall not only protects one against the barbarians, but monitoring its log lets you know which tommyknockers are knocking, knocking at your door and what keys they're trying in the lock. One doesn't bother logging the boring, repetitive stuff, but it's wise to keep an eye peeled for new, innovative attacks. On this day, the firewall log recorded a total of 1915 packets dropped -- the vast majority attempts to exploit well-known vulnerabilities in Microsoft products by automated "attack robots" operated by people who have nothing better to do with their lives. That's about one every 45 seconds.