What percentage of the Internet Traffic is junk?

Wed May 5 21:21:27 UTC 2004

At 01:56 PM 5/5/2004, Marshall Eubanks wrote:
>Look at Table's 6, 7 and 8 - email, for example, is 1/2 %, so even if all 
>email
>is spam, it's not that  big a flow. Unidentified is typically about 30%, but
>most of that is probably file sharing.

Thanks Marshall - a few others have said (paraphrasing): On average we have 
seen about 30% by packets (but only 10% by bandwidth) are junk, with higher 
%'s during major attacks and worm infestations.

For those who say things like "can't define 'junk' precisely", I would 
agree, but I think we also can agree that we all have a general idea of 
what junk is. Just looking for round #'s really. It isn't 0%, and it isn't 
90% (although it seems that way sometimes).

I would also agree that it would be valuable for the community to track 
this # over time. You can't manage it if you can't measure it.

Bill

>My opinion, from looking at these tables, is that probably little is junk, 
>at least
>in the eye's of the receiver.
>
>Regards
>Marshall Eubanks
>
>
>On Wed, 05 May 2004 13:17:45 -0700
>  "William B. Norton" <wbn at equinix.com> wrote:
> >
> > At 12:55 PM 5/5/2004, Steve Gibbard wrote:
> >
> > >If a few of you can stop being so pedantic for a second, the definition
> > >looks pretty easy to me: traffic unlikely to be wanted by the recipient.
> > >Presumably, if it's being sent that means somebody wanted to send it, so
> > >the senders' desires are a pretty meaningless metric.
> >
> > Thanks Steve - good point. I have to believe that some of those that have
> > solutions to some of these problems have made *some* measures so they can
> > quantify the value of their solution.
> >
> >
> > >The harder pieces are going to be defining what traffic is unwanted in a
> > >way that scales to large-scale measurement.  Worm traffic is presumably
> > >measurable with Netflow, as are various protocol-types used mainly in DOS
> > >attacks.  Spam is harder to pinpoint by watching raw traffic, but perhaps
> > >comparing the total volume of TCP/25 traffic to the SpamAssassain hit
> > >rates at some representative sample of mail servers could provide some
> > >reasonable numbers there.
> >
> > Yea, we can't get absolute #'s, but I think it would be helpful to have a
> > defensible approximation.
> >
> >
> > >So, any of you security types have a list of the protocols that are more
> > >likely to be attack traffic than legitimate?
> >
> > Or maybe those in the Research Community that have been doing traffic
> > capture and analysis?
> >
> >
> > >-Steve
> > >
> > >On Wed, 5 May 2004, Mike Damm wrote:
> > >
> > > >
> > > >
> > > > Very very very near to, but not quite 100%. Since almost all of the 
> traffic
> > > > on the Internet isn't sourced by or destined for me, I consider it 
> junk.
> > > >
> > > > Also remember that to a packet kid, that insane flood of packets 
> destined
> > > > for his target is the most important traffic in the world. And to a
> > > spammer,
> > > > the very mailings that are making him millions are more important than
> > > > pictures of someone's grandkids.
> > > >
> > > > I guess my point is junk is a very relative term. A study would need to
> > > > first be done to identify what junk actually is, then measuring it is
> > > > trivial.
> > > >
> > > >   -Mike
> > > >
> > > > -----Original Message-----
> > > > From: William B. Norton [mailto:wbn at equinix.com]
> > > > Sent: Wednesday, May 05, 2004 11:21 AM
> > > > To: nanog at merit.edu
> > > > Subject: What percentage of the Internet Traffic is junk?
> > > >
> > > >
> > > > With all the spam, infected e-mails, DOS attacks, ultimately blackholed
> > > > traffic, etc. I wonder if there has been a study that quantifies
> > > >
> > > > What percentage of the Internet traffic is junk?
> > > >
> > > > Bill
> > > >
> >