Could be botnets, zombies, malware, .etc. We're observing surges on port 80 & 443 as well. For those, the threshold needs to be a bit higher than non-web stuff because by chance, you'll get a certain percentage of people happening to go to MySpace, Google, CNN, .etc.
Also, if one were to send out an SSH worm, then SSH could be an ideal communication vector. The "common" way to control botnets seems to be IRC channels and AIM. Ron > I wonder, though, is this how real botnets are controlled? > > Surely it would be fair easier, and less obtrusive, to > control your botnet via a updated http site. like > http://<mikeiscool>/instructions.txt. Every day the bots > would log on and receive their latest orders. Makes sense > to hide in http rather then risk a protocol that might be > blocked, doesn't it? > > -- mic ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
