
Re: [Asrg] Software bashing [mostly OT, but on at the end]

2009-01-23 03:02:23
At 20:54 22-01-2009, Rich Kulawiec wrote:
> But don't take my word for it: run the experiment yourself.  Turn on
> passive OS fingerprinting in your perimeter devices (or on your servers)
> and correlate that data with:
>
>         - spam attempts
>         - ssh attempts
>         - ftp attempts
>         - pop/imap attempts
>         - port scans
>         - crafted packet attacks
>         - http-based exploit attempts
>         - DoS attacks
>         - etc.
>
> After a year or two, I think you'll find is what I've found after running
> this experiment in multiple environments of different sizes, characteristics,
> purposes, etc.: the abuse problem is largely (in some cases, almost
> exclusively) a Microsoft Windows problem. [1]  And it's clear that
> the correlation far exceeds the population percentage, either as-observed
> or as-guesstimated.  (Some of my sensors have gone for months without
> detecting a non-Windows-originated ssh attempt, for instance.)

I'm commenting on the spam attempts only, as I've been running an experiment on that for several years. In general, most of the SMTP sessions from Windows hosts are spam attempts. Passive OS fingerprinting in combination with other heuristics can be quite effective in detecting spam attempts.

> As a result, it's long since become part of my anti-spam and overall
> security strategy to consider anything originating on a Windows system
> as "suspect", at best, and to subject such traffic to (a) rate-limiting
> (b) refusal (c) higher scrutiny and/or (d) modified services.  I highly
> recommend this approach for anybody with the facilities to use it:
> the results are striking.

Such a strategy doesn't work well in some environments where there is a higher proportion of valid messages from Windows-based mail servers. Some people might need an exception list if they implement the above methods.

Regards,
-sm
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
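The correlation Rich describes (passive OS fingerprint against observed abuse, with abuse share compared to host share) and the policy sm qualifies (treat Windows-origin traffic as suspect, but keep an exception list for known-good Windows mail servers) can both be shown in a few dozen lines. The following is an added example written for this page; it is not code from either poster. The fingerprint table, event list, event-type names, `EXCEPTIONS` network and the `accept`/`rate-limit`/`scrutinize` outcomes are all constructed assumptions; a real deployment would feed it p0f output and perimeter logs instead.

```python
from collections import Counter, defaultdict
from fractions import Fraction
import ipaddress

# Constructed sample data (not from the original message): OS labels that a
# passive fingerprinting sensor (p0f-style) attached to each source address,
# and the connection events logged on the same perimeter.  Addresses are
# taken from the RFC 5737 documentation ranges.
FINGERPRINTS = {
    "192.0.2.10": "Windows XP",
    "192.0.2.11": "Windows 7",
    "192.0.2.12": "Windows XP",
    "192.0.2.13": "Windows 2003",
    "198.51.100.5": "Linux 2.6.x",
    "198.51.100.6": "FreeBSD 7.x",
    "203.0.113.7": "Windows 2008",   # a legitimate mail server, see EXCEPTIONS
}

EVENTS = [                           # constructed (source address, event type)
    ("192.0.2.10", "spam"),
    ("192.0.2.10", "spam"),
    ("192.0.2.11", "ssh"),
    ("192.0.2.12", "spam"),
    ("192.0.2.12", "portscan"),
    ("192.0.2.13", "spam"),
    ("198.51.100.5", "ssh"),
    ("198.51.100.6", "smtp-ok"),
    ("203.0.113.7", "smtp-ok"),
]

# Event types that count as abuse; "smtp-ok" is an accepted, clean delivery.
ABUSE_TYPES = {"spam", "ssh", "ftp", "pop-imap", "portscan",
               "crafted", "http-exploit", "dos"}

# Exception list (assumed): networks whose Windows-based mail servers are
# trusted and must not be rate-limited on fingerprint alone.
EXCEPTIONS = [ipaddress.ip_network("203.0.113.0/24")]


def os_family(label):
    """Collapse a fingerprint label such as 'Windows XP' into a coarse family."""
    if not label:
        return "unknown"
    first = label.split()[0].lower()
    return first if first in ("windows", "linux", "freebsd") else "other"


def correlate(fingerprints, events):
    """Count abuse events per OS family: {family: Counter({event_type: n})}."""
    by_family = defaultdict(Counter)
    for src, kind in events:
        if kind in ABUSE_TYPES:
            by_family[os_family(fingerprints.get(src))][kind] += 1
    return by_family


def shares(fingerprints, events):
    """Return {family: (share of observed hosts, share of abuse events)}.

    An abuse share well above the host share means the family is
    over-represented in abuse, not merely common on the wire."""
    hosts = Counter(os_family(lbl) for lbl in fingerprints.values())
    abuse = Counter(os_family(fingerprints.get(src))
                    for src, kind in events if kind in ABUSE_TYPES)
    n_hosts = sum(hosts.values()) or 1
    n_abuse = sum(abuse.values()) or 1
    return {fam: (Fraction(hosts[fam], n_hosts), Fraction(abuse[fam], n_abuse))
            for fam in set(hosts) | set(abuse)}


def decide(src, fingerprints, exceptions=EXCEPTIONS):
    """Policy for a new connection: 'accept', 'rate-limit' or 'scrutinize'.

    The exception list is consulted first so known-good Windows mail servers
    are never rate-limited; hosts with no fingerprint get extra scrutiny
    rather than a refusal."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in exceptions):
        return "accept"
    family = os_family(fingerprints.get(src))
    if family == "windows":
        return "rate-limit"
    if family == "unknown":
        return "scrutinize"
    return "accept"


if __name__ == "__main__":
    for fam, (h, a) in sorted(shares(FINGERPRINTS, EVENTS).items()):
        print(f"{fam:8s} host share {float(h):.2f}  abuse share {float(a):.2f}")
    for src in FINGERPRINTS:
        print(src, decide(src, FINGERPRINTS))
```

With the constructed data, Windows hosts are 5 of 7 observed but account for 6 of 7 abuse events, which is the "correlation exceeds population percentage" check; the one Windows host inside the exception network is still accepted, which is the adjustment sm suggests for sites that receive legitimate mail from Windows-based servers.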