For a number of years, we have observed that NetFlow data collected at the border between an enterprise network and the outside world contains large numbers of flows from external addresses that reappear infrequently, if at all.
From February 2006 until March 2007, we monitored the border of a /22 (1024 addresses) with fewer than 100 active hosts at any time. During this period, nearly 13 million distinct outside addresses appeared in inbound traffic. Of these, over 6 million (49%) appeared as the source address of a single NetFlow record, and sources associated with 10 or fewer flows account for over 90% of the addresses seen. These sources represent about 20% of the total flows but only about 1% of the packets that make up the flows. A more detailed analysis of this data shows an interesting mix of connections, connection attempts and other phenomena. Some of these are clearly indications of malicious activity while others are questionable. The talk will describe the approach and the results that we have obtained to date.