Richard Hector wrote:
On Tue, 2008-08-05 at 11:45 +1200, Shane Alcock wrote:
Long story short, over 40% of observed customer addresses accepted at least one incoming TCP connection over the time period we looked at (around 4 consecutive days, including a weekend). This ratio grows to be more than 60% when UDP is also considered, although the counts for UDP aren't as reliable. Most of the incoming connections are on either well-known p2p ports or high-number ports, suggesting a lot of customers doing some form of p2p.
Is there any way to tell how many of those were actually desired by the customer, as opposed to their boxes being remote controlled via bots etc?
Richard
We've made no real effort to try and distinguish whether the customer intended for that particular port to be open. I'm not sure that's something we can determine just by looking at TCP/IP packet headers, but it is definitely something important to consider when thinking about SP-NAT.

What we can do is look at the port numbers used for the incoming TCP connections - http://www.wand.net.nz/~spa1/someisp/flow_counting/incoming/server_ports_tcp...

The four most popular ports are well-known ports for eDonkey, BitTorrent, HTTP and GNUtella, in that order, making up nearly 15% of all incoming TCP connections. These are very likely to have been opened by the customer themselves with the intention of using those services. On the other hand, ports like 139 and 5000 are probably being exploited without the customer's knowledge, and SP-NAT preventing connections on those ports would not be harmful in the slightest. Everything else could be a customer using a peer2peer application or they could be a victim of something more malicious - we don't really have any reliable way of telling.

Shane Alcock
WAND Network Research Group
University of Waikato
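As an added illustration (not the WAND group's flow-counting code and not part of this thread), here is how the two figures discussed above, the share of customer addresses that accepted at least one incoming connection and the ranking of the server ports those connections landed on, can be derived from a list of flow records. The customer prefix, the flow records and the port-to-service mapping are all constructed assumptions; the port numbers are the usual defaults for the services Shane names, which the message itself does not give.

```python
"""Count customer addresses that accept incoming connections and tally the
server ports those connections arrive on.  Added example; not code from the
mailing-list thread or from the WAND group."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical customer prefix (the thread names no prefix).
CUSTOMER_NET = ip_network("10.0.0.0/24")

# Usual default ports for the services mentioned in the thread.  Assumed
# values for labelling only; the post gives no port numbers.
PORT_LABELS = {4662: "eDonkey", 6881: "BitTorrent", 80: "HTTP",
               6346: "Gnutella", 139: "NetBIOS-SSN", 5000: "port 5000"}
P2P_OR_WEB_PORTS = {4662, 6881, 80, 6346}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, accepted).
# 'accepted' means the TCP handshake completed (or, for UDP, a reply was seen),
# so a SYN that was refused does not count as an open port.
FLOWS = [
    ("198.51.100.7",  "10.0.0.1", "tcp", 4662,  True),
    ("198.51.100.8",  "10.0.0.1", "tcp", 6881,  True),
    ("198.51.100.16", "10.0.0.1", "tcp", 4662,  True),
    ("198.51.100.9",  "10.0.0.2", "tcp", 80,    True),
    ("198.51.100.10", "10.0.0.2", "tcp", 139,   True),   # likely unintended
    ("198.51.100.11", "10.0.0.3", "udp", 6881,  True),   # UDP only
    ("198.51.100.12", "10.0.0.4", "tcp", 139,   False),  # refused SYN
    ("10.0.0.4",      "203.0.113.5", "tcp", 80,  True),  # outgoing, not incoming
    ("10.0.0.5",      "203.0.113.6", "tcp", 443, True),  # outgoing, not incoming
    ("198.51.100.13", "10.0.0.6", "tcp", 5000,  True),   # likely unintended
    ("198.51.100.14", "10.0.0.6", "tcp", 6346,  True),
    ("198.51.100.15", "10.0.0.6", "tcp", 51413, True),   # high-number port
]


def observed_customers(flows, customer_net=CUSTOMER_NET):
    """Every customer address seen as source or destination of any flow."""
    seen = set()
    for src, dst, *_ in flows:
        for addr in (src, dst):
            if ip_address(addr) in customer_net:
                seen.add(addr)
    return seen


def incoming_flows(flows, customer_net=CUSTOMER_NET):
    """Accepted flows initiated from outside the customer prefix towards a
    customer address, i.e. connections the customer's host let in."""
    for src, dst, proto, port, accepted in flows:
        if (accepted
                and ip_address(dst) in customer_net
                and ip_address(src) not in customer_net):
            yield src, dst, proto, port


def accepting_fraction(flows, protos=("tcp",)):
    """Share of observed customer addresses that accepted at least one
    incoming connection over the given protocols."""
    accepting = {dst for _, dst, proto, _ in incoming_flows(flows)
                 if proto in protos}
    customers = observed_customers(flows)
    return len(accepting) / len(customers) if customers else 0.0


def server_port_ranking(flows, proto="tcp"):
    """Counter of destination ports across accepted incoming flows."""
    return Counter(port for _, _, p, port in incoming_flows(flows)
                   if p == proto)


def labelled_ranking(flows, proto="tcp"):
    """Most-common ports first, with a service label where one is assumed."""
    return [(PORT_LABELS.get(port, f"port {port}"), count)
            for port, count in server_port_ranking(flows, proto).most_common()]


def port_share(flows, ports, proto="tcp"):
    """Fraction of incoming connections that land on the given port set."""
    ranking = server_port_ranking(flows, proto)
    total = sum(ranking.values())
    return sum(ranking[p] for p in ports) / total if total else 0.0


if __name__ == "__main__":
    print("TCP accepting share:", accepting_fraction(FLOWS))
    print("TCP+UDP accepting share:", accepting_fraction(FLOWS, ("tcp", "udp")))
    print("Server ports:", labelled_ranking(FLOWS))
    print("Share on p2p/web ports:", port_share(FLOWS, P2P_OR_WEB_PORTS))
```

The `accepted` flag is what separates a port that is genuinely listening from a scan that was refused; with only packet headers available, a completed handshake is the strongest evidence one can get, and, as the message says, it still cannot show whether the customer meant the port to be open. Ports 139 and 5000 show up in the ranking here alongside the p2p ports, which is why a port-level breakdown is worth producing before deciding what SP-NAT should block.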