Whenever I hear a question like this, I think of the weekly I2 netflow reports http://netflow.internet2.edu/weekly/ http://netflow.internet2.edu/weekly/20040426/ Look at Table's 6, 7 and 8 - email, for example, is 1/2 %, so even if all email is spam, it's not that big a flow. Unidentified is typically about 30%, but most of that is probably file sharing. My opinion, from looking at these tables, is that probably little is junk, at least in the eye's of the receiver. Regards Marshall Eubanks On Wed, 05 May 2004 13:17:45 -0700 "William B. Norton" <wbn@equinix.com> wrote:
At 12:55 PM 5/5/2004, Steve Gibbard wrote:
If a few of you can stop being so pedantic for a second, the definition looks pretty easy to me: traffic unlikely to be wanted by the recipient. Presumably, if it's being sent that means somebody wanted to send it, so the senders' desires are a pretty meaningless metric.
Thanks Steve - good point. I have to believe that some of those that have solutions to some of these problems have made *some* measures so they can quantify the value of their solution.
The harder pieces are going to be defining what traffic is unwanted in a way that scales to large-scale measurement. Worm traffic is presumably measurable with Netflow, as are various protocol-types used mainly in DOS attacks. Spam is harder to pinpoint by watching raw traffic, but perhaps comparing the total volume of TCP/25 traffic to the SpamAssassain hit rates at some representative sample of mail servers could provide some reasonable numbers there.
Yea, we can't get absolute #'s, but I think it would be helpful to have a defensible approximation.
So, any of you security types have a list of the protocols that are more likely to be attack traffic than legitimate?
Or maybe those in the Research Community that have been doing traffic capture and analysis?
-Steve
On Wed, 5 May 2004, Mike Damm wrote:
Very very very near to, but not quite 100%. Since almost all of the traffic on the Internet isn't sourced by or destined for me, I consider it junk.
Also remember that to a packet kid, that insane flood of packets destined for his target is the most important traffic in the world. And to a
spammer,
the very mailings that are making him millions are more important than pictures of someone's grandkids.
I guess my point is junk is a very relative term. A study would need to first be done to identify what junk actually is, then measuring it is trivial.
-Mike
-----Original Message----- From: William B. Norton [mailto:wbn@equinix.com] Sent: Wednesday, May 05, 2004 11:21 AM To: nanog@merit.edu Subject: What percentage of the Internet Traffic is junk?
With all the spam, infected e-mails, DOS attacks, ultimately blackholed traffic, etc. I wonder if there has been a study that quantifies
What percentage of the Internet traffic is junk?
Bill