Businesses are under siege every second of every day, bombarded by a “grey noise” of potentially harmful web traffic seeking access to their networks. But IT staff often can’t tell the malicious traffic from the benign. Why?
If your office building were visited thousands of times a day by criminals peering through the windows seeking a way in, you’d be understandably nervous about hanging around.
Yet any organisation with an online presence gets exactly this type of unwelcome attention all the time.
Security researcher Andrew Morris calls this constant barrage “grey noise” and has started a company of the same name with a mission of logging, analysing and understanding it.
“This is the biggest, hardest, strangest problem I could find to study,” he tells the BBC.
He logs the break-in attempts using a network of so-called honey-pot computers he has set up and scattered around the internet. Outwardly these computers resemble run-of-the-mill servers, and so they attract the attention of the bots and cyber-thieves looking to break in.
And they attract a lot of attention.
In 2018, Mr Morris’s network was hit by up to four million attacks a day. His honey-pot computers process between 750 and 2,000 connection requests per second – the exact rate depends on how busy the bad guys are at any given moment.
His analysis shows that only a small percentage of the traffic is benign.
That fraction comes from search engines indexing websites or organisations such as the Internet Archive scraping sites. Some comes from security companies and other researchers.
The rest – 95% and more – is malicious.
It can come from self-propagating computer viruses, known as worms, that use a compromised computer to seek out fresh victims, or can be cyber-criminals looking for servers vulnerable to particular security loopholes.
It can also be dumb devices, from printers to routers, that have been hijacked looking for their kin to enrol them in a vast attack network.
“There’s an absolutely massive amount of traffic that’s being generated by all these hosts around the internet and the vast majority is not generated by good guys,” says Mr Morris.
“I see tens of thousands of infections every day.”
But blocking this tidal wave of troublesome traffic isn’t easy. This is because, at first glance, it looks benign.
Whenever your computer connects to a website, the two machines first exchange a short sequence of messages to establish the connection. This is the standard “handshake” procedure that every legitimate connection uses, and a scanner’s connection attempt looks exactly the same at this stage.
But cyber-thieves have found that if they complete the handshake and then read what the server says about itself, they can learn useful information about a target organisation – for example which software and version is running – and potentially find a way to get inside.
And it’s only when anyone takes the time to trace the origin of this traffic, and to see how many machines it has touched, that it becomes obvious it is malicious.
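The following is an added illustration of the two sides of that exchange, not code from the article or from GreyNoise. A tiny honey-pot listener accepts connections on the loopback address and records who connected and what they sent first; a probe function does what a scanner does: completes the handshake, sends a request and reads the banner the server volunteers. The Honeypot class, the probe function, the FAKE_BANNER string (chosen here to look like an SSH server) and the HTTP-style probe payload are all assumptions made for the example; everything runs offline on 127.0.0.1.

```python
"""Loopback demo: a tiny TCP honey-pot and the scanner-style probe that talks to it."""
import socket
import threading

# Banner the honey-pot presents. This is an assumption for the example: it
# mimics an SSH server so that a scanner reading it would record "OpenSSH 7.4".
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class Honeypot:
    """Accepts connections on 127.0.0.1 and logs the source and the first bytes sent."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.log = []  # one dict per connection attempt
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except OSError:
                return  # listening socket was closed: stop serving
            with conn:
                conn.settimeout(1.0)
                # By the time accept() returns, the TCP handshake is complete.
                # What the client sends next is what reveals its intent.
                try:
                    first_bytes = conn.recv(256)
                except OSError:  # timeout or reset: a bare connect with no payload
                    first_bytes = b""
                # On loopback src_ip is always 127.0.0.1; on a real host it is the scanner.
                self.log.append({"src": src_ip, "src_port": src_port, "payload": first_bytes})
                try:
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass  # client already went away

    def close(self):
        self.sock.close()


def probe(host, port, payload=b""):
    """What a scanner does: complete the handshake, optionally send a probe, read the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        if payload:
            s.sendall(payload)
        return s.recv(256)


if __name__ == "__main__":
    hp = Honeypot()
    banner = probe("127.0.0.1", hp.port, b"GET / HTTP/1.0\r\n\r\n")  # constructed probe
    print("banner the scanner learned:", banner)
    print("what the honey-pot logged:", hp.log)
    hp.close()
```

The point the listener makes is in its log: the connection itself is indistinguishable from a legitimate one, but the banner it hands back tells the scanner which software to attack, and the payload it records tells the defender what the scanner was looking for.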
“There is a continuous background hum of connections made to systems to see what they are and what they do,” says Martin Lee, outreach manager for Cisco’s Talos security team in Europe.
“It’s the constant noise of connections just like people rattling door handles and checking locks.”
Put an unprotected computer on the net and it will be probed within seconds, infected with malware soon after and possibly enslaved in a botnet army carrying out attacks on other targets.
“Someone is always trying to hack you,” says Mr Lee. “It’s one of the banal facts of the internet.”
Given that investigating and blocking is a Herculean task no network administrator wants to take on, the constant rattle is largely ignored, says Dr Paul Vixie, chief executive of Farsight Security and author of some of the net’s core addressing software.
“On the internet, nothing that can be abused will not be,” he says.
Wading through that vast amount of information makes it very hard for any net administrator to pick out the attacks that matter from the background roar. Instead, they just log it and move on.
“People do not go into network administration because they like truth and beauty,” says Dr Vixie ruefully.
So Andrew Morris is trying to extract some useful insights from his vast corpus of data, using it to profile bad sources of traffic and to spot patterns in attempted infections. Ultimately it might be used to make a filter that can block the bad stuff. Or one that highlights the really nasty stuff that network administrators do need to notice.
He now has a good idea of the dodgiest online neighbourhoods, which seem to be Brazilian and Vietnamese internet service providers (ISPs) that are doing a poor job of protecting their customers. This negligence is allowing the bad guys to get a toehold inside vulnerable machines.
These are followed by the cloud-hosting companies. All are strong sources of grey noise, says Mr Morris.
Good neighbourhoods are few and far between, though they do exist.
One of the most decent is Finland. It has worked hard to ensure that its corner of the net cannot be used as a proxy for attacks. Many cyber-thieves try to cover their tracks by spoofing the origin of the malicious connection request.
Finland has put in place policies, which it polices diligently, to limit the abuse of its domains.
A spokesman for Finland’s cyber-security centre told the BBC that it has laws and statutes that require ISPs and domain registrars to try as much as possible to limit abuse. It also uses automatic tools that scan for malicious use of Finnish domains – those that end in .fi – and report when the abuse is happening.
“That is one success factor in making the Finnish internet one of the cleanest ones in the world in terms of malware,” he says.
Mr Morris’s analysis of the traffic coming from the bad neighbourhoods is already starting to reveal interesting and useful patterns.
The early signs of massive attacks can be seen long before they start to hit everyone. That has been true of several headline-grabbing events such as those that hit office printers and Google’s Chromecast.
“There’s a weaponisation time limit,” he says. “That’s useful to know for defenders to get their stuff patched before they get hit by the bad guys.
“That means defenders do have time to react – it’s not hopeless.”
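As an added example of the two kinds of analysis described above (profiling sources of grey noise, and spotting a port being probed far more than usual before an attack goes wide), here is a small script that is not part of the article and not GreyNoise’s own tooling. It runs over a constructed honey-pot log embedded in the code (documentation-range addresses, invented dates and ports), labels each source as allow-listed benign, scanner or single probe, and flags any port whose probe count on the latest day is several times its earlier median. The SAMPLE_LOG text, the KNOWN_BENIGN allow-list, the thresholds and the function names are all assumptions made for the example.

```python
"""Profiling honey-pot traffic: who is scanning, and which port is about to be weaponised."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of honey-pot hits (not real data). Each line is:
# day  source-ip  destination-port.  Addresses are from the documentation ranges.
SAMPLE_LOG = """\
2018-11-24 203.0.113.7 22
2018-11-24 203.0.113.7 23
2018-11-24 203.0.113.7 80
2018-11-24 198.51.100.5 80
2018-11-24 192.0.2.40 9100
2018-11-25 203.0.113.7 22
2018-11-25 203.0.113.7 445
2018-11-25 198.51.100.5 80
2018-11-25 192.0.2.41 9100
2018-11-26 203.0.113.7 22
2018-11-26 203.0.113.9 23
2018-11-26 198.51.100.5 80
2018-11-26 192.0.2.42 9100
2018-11-27 203.0.113.7 22
2018-11-27 192.0.2.43 9100
2018-11-27 192.0.2.44 9100
2018-11-27 192.0.2.45 9100
2018-11-27 192.0.2.46 9100
2018-11-27 192.0.2.47 9100
2018-11-27 192.0.2.48 9100
2018-11-27 192.0.2.49 9100
2018-11-27 192.0.2.50 9100
"""

# Sources independently verified as benign (an assumption for the example),
# e.g. a search-engine crawler confirmed via reverse DNS. Everything else is unknown.
KNOWN_BENIGN = {"198.51.100.5": "search-engine crawler"}


def parse_log(text):
    """Turn the log text into (day, source, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, port = line.split()
        records.append((day, src, int(port)))
    return records


def profile_sources(records, min_ports=3, min_hits=5):
    """Label each source: allow-listed benign, scanner (wide or noisy), or single-probe."""
    ports = defaultdict(set)
    hits = Counter()
    for _, src, port in records:
        ports[src].add(port)
        hits[src] += 1
    labels = {}
    for src in hits:
        if src in KNOWN_BENIGN:
            labels[src] = "benign: " + KNOWN_BENIGN[src]
        elif len(ports[src]) >= min_ports or hits[src] >= min_hits:
            labels[src] = "scanner"  # touches many ports, or keeps coming back
        else:
            labels[src] = "single-probe"
    return labels


def port_surges(records, factor=3.0):
    """Return {port: (baseline, latest)} for ports probed >= factor x their earlier median."""
    per_day = defaultdict(Counter)
    for day, _, port in records:
        per_day[day][port] += 1
    days = sorted(per_day)
    if len(days) < 2:
        return {}  # no history to compare against
    last, history = days[-1], days[:-1]
    surges = {}
    for port, count in per_day[last].items():
        baseline = median(per_day[d][port] for d in history)  # Counter gives 0 for unseen
        if count >= factor * max(baseline, 1):
            surges[port] = (baseline, count)
    return surges


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, label in sorted(profile_sources(recs).items()):
        print(f"{src:15} {label}")
    for port, (base, now) in port_surges(recs).items():
        print(f"port {port}: {now} probes on the latest day, earlier median {base}")
```

On the constructed log, 203.0.113.7 is labelled a scanner because it has tried four different ports over four days, the allow-listed crawler is labelled benign despite returning every day, and the single hits on port 9100 from many different addresses are individually unremarkable; it is the jump from one probe a day to eight that the surge check flags, which is the kind of early signal the article describes.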