• Services
• Computer Security
• Tasks
• Activities
• BICHOS

This page shows (for now) only the stats of the connections and worms detected in the backbone of RedIRIS AS766. All the traffic to port 445/TCP (Microsoft DS) was filtered in our external router preventing worms and bots propagation.

After some configuration changes the 445/TCP traffic was redirected to a special router , a Linux machine with it's IP tables configured to perform a reverse NAT accepting up to 200 TCP/SYN connections a minute. and running mwcollect to simulate a vulnerable windows system. Below there are some graphs that show the connections.

The application don't run fine with to much connections , the blue line show the accepted connections divided by 10 , so 20 is about 200 connections per minute.

Green Line show the "TCP/SYN" packets detected via IP tables in the system, surprisingly the number is similar to the accepted connections, but in a scale 1:1000), so approximately we are accepting 1% of the worms attacking our systems.

Red Line show the number of worms , bot, etc, downloaded by the application, the version of mwcollect is quite old and don't parse some of new attack vectors, but the number of worms is still quite good, about 6000 files downloaded every day, with about 11 to 20 new different specimens.

The typical rrdgraph graphs:

Daily

Weekly

Monthly

Yearly

We hope to have better statistics soon.