[Dshield] Top 10 Report Distorted?

Jon R. Kibler Jon.Kibler at aset.com
Tue Mar 15 14:15:04 GMT 2005


Hello,

I was just looking at the Top 10 Ports Report -- and it occurred to me that the report can be 
somewhat misleading. For example, port 20525 has a maximum of 17 targets, but accounts for 
about a couple of percent of daily traffic during a few days. Clearly, someone was being DDoSed. 
However, since there were so few targets, it is misleading to say that on the Internet as a 
whole, port 20525 is a port that is very likely to be attacked.

Perhaps a rule should be added to the Top 10 Ports report that if the number of targets is 
< 0.05% of the total targets reported, the data associated with that port should be discarded 
as an anomaly? (0.05% is just a WAG -- does anyone have any better suggestion that may be based 
on sound statistics?)

Oh well, just my $0.02 worth!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA





==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
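
The rule proposed in the message above, sketched as an added example (not DShield's code and not part of the original post). The record layout `(port, target_id, report_count)`, the function names, and the sample data are assumptions made for illustration, and "total targets reported" is read here as the number of distinct targets across all records.

```python
from collections import defaultdict

def top_ports(records, n=10, min_target_share=0.0005):
    """Rank ports by report volume, setting aside ports seen by too few targets.

    records: iterable of (port, target_id, report_count) tuples (assumed layout).
    min_target_share: fraction of all distinct targets a port must reach;
    0.0005 is the 0.05% figure suggested in the message.
    Returns (ranked, discarded), each a list of (port, reports, targets).
    """
    reports = defaultdict(int)
    targets = defaultdict(set)
    all_targets = set()
    for port, target, count in records:
        reports[port] += count
        targets[port].add(target)
        all_targets.add(target)

    floor = min_target_share * len(all_targets)
    ranked, discarded = [], []
    for port, total in reports.items():
        row = (port, total, len(targets[port]))
        # Keep discarded rows rather than dropping them silently, so a
        # concentrated flood is still visible to whoever reads the report.
        (discarded if len(targets[port]) < floor else ranked).append(row)

    by_volume = lambda r: (-r[1], r[0])
    ranked.sort(key=by_volume)
    discarded.sort(key=by_volume)
    return ranked[:n], discarded

def sample_records():
    """Constructed data: 40,000 targets, three broad scans, one narrow flood."""
    recs = []
    for t in range(40000):
        recs.append((445, t, 3))            # seen by every target
        if t % 2 == 0:
            recs.append((135, t, 2))        # seen by half of the targets
        if t % 20 == 0:
            recs.append((1433, t, 1))       # seen by 2,000 targets
    for t in range(17):
        recs.append((20525, t, 200))        # 17 targets, about 2% of all reports
    return recs

if __name__ == "__main__":
    for share in (0.0, 0.0005):
        ranked, discarded = top_ports(sample_records(), n=3, min_target_share=share)
        print(f"min_target_share={share}: top={ranked} discarded={discarded}")
```

With the filter off, port 20525 takes third place on volume alone; at 0.05% the floor is 20 targets, so its 17 targets move it to the discarded list and port 1433 takes its place.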



