Thursday, 18 June 2009

Nine-ball a Scratch

We received a couple of inquiries about an alleged 40,000 domain attack reported by Websense. The attacks were dubbed "Nine-ball", presumably because one of the malware hosts is named "ninetoraq.in". Get it? Nine-to-rack, i.e. nine-ball pool.

Naturally we were a bit surprised that such an allegedly massive attack could bypass our sentries. After we did take a look, it became apparent why this one didn't trip our alert sensors - this attack is almost non-existent and might be more aptly named "scratch ball". This isn't to say our customers weren't protected - they were and still are. It is, however, such a low-volume attack that it's not the type of thing we'd normally spend our time investigating.

To put this alleged "Mass Injection" into its proper context, here are the actual raw traffic numbers from June 15th onward:

Total number of requests to sites involved in the attacks: 333
Total compromised websites observed: 62

These are the totals based on actual traffic requests involving all of the following malware hosts:

rnw.kz
bro.tw
rmi.tw
ninetoraq.in

Besides just the numbers, another metric we consider is the quality/popularity of the compromised sites acting as conduits for the malware. Based on that metric and some other measurements we take, we can pretty accurately judge whether a particular attack will take off. In this case, with the exception of skyscrapercity.com (a top 10,000 domain according to Alexa), the remaining 61 observed domains all had extremely low or non-existent Alexa traffic ratings. Sites like diamond-limousine.com, for example, had an Alexa ranking of 10,658,149.
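As an added example that is not part of the original post or ScanSafe's own tooling, here is the triage described above run over constructed proxy log lines in Python: count requests to the named malware hosts, count the distinct referring (compromised) sites, and flag which of those carry a meaningful popularity rank. The log format, the rank values and the www-stripping are assumptions.

```python
# Added example (not ScanSafe's code): triage a reported "mass injection"
# campaign from web-proxy telemetry the way the post describes. Log lines
# and rank values below are constructed for illustration.
from collections import Counter
from urllib.parse import urlsplit

# Malware hosts named in the post.
MALWARE_HOSTS = {"rnw.kz", "bro.tw", "rmi.tw", "ninetoraq.in"}

# Constructed proxy log lines: "<timestamp> <client> <request-url> <referer>".
SAMPLE_LOG = """\
2009-06-15T10:01:02Z 10.0.0.5 http://rnw.kz/in.cgi?3 http://www.skyscrapercity.com/showthread.php?t=1
2009-06-15T10:01:03Z 10.0.0.5 http://www.skyscrapercity.com/style.css -
2009-06-15T11:20:44Z 10.0.0.9 http://ninetoraq.in/x/ http://diamond-limousine.com/
2009-06-16T08:00:00Z 10.0.0.7 http://bro.tw/in.cgi?7 http://diamond-limousine.com/rates.html
2009-06-16T08:00:01Z 10.0.0.7 http://www.example.org/ -
"""

# Constructed Alexa-style ranks (lower is more popular); the post quotes
# skyscrapercity.com as a top-10,000 site and diamond-limousine.com at 10,658,149.
RANKS = {"skyscrapercity.com": 9500, "diamond-limousine.com": 10658149}


def registered_domain(url):
    """Crude host normalisation: drop a leading 'www.' (assumed sufficient here)."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def triage(log_text, malware_hosts, ranks, popular_rank=10_000):
    """Return the post's metrics: requests to malware hosts, distinct
    compromised referring sites, and which of those sites are popular."""
    requests = 0
    conduits = Counter()  # compromised site -> requests it referred to malware hosts
    for line in log_text.splitlines():
        _ts, _client, url, referer = line.split()
        if registered_domain(url) not in malware_hosts:
            continue  # ordinary traffic, not part of the campaign
        requests += 1
        if referer != "-":
            conduits[registered_domain(referer)] += 1
    # A conduit matters if it ranks within the popularity cutoff; unranked sites do not.
    popular = [s for s in conduits if ranks.get(s, float("inf")) <= popular_rank]
    return {"requests": requests,
            "compromised_sites": len(conduits),
            "popular_sites": sorted(popular)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, MALWARE_HOSTS, RANKS))
```

On the constructed log this yields 3 campaign requests across 2 compromised sites, only one of which (skyscrapercity.com) has any real audience, which is the shape of the judgement the post makes at scale.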

Certainly ScanSafe is unique in its real-time scanning, the amount of traffic handled, and its ability to report about what's actually happening to Web surfers. Just in the past week, ScanSafe processed over 10 billion Web requests. I suppose when you see that much traffic, from thousands of customer companies in over 90 countries on 4 different continents, your perspective changes. Our view is also shaped by the fact that we see well over a thousand unique Web attacks every month - some that are big like Gumblar and some that are very small like "nine-ball". And from our unique perspective, 333 requests involving 62 compromised websites is certainly not something we would brand a "massive injection".

I personally question whether it was even worth the time just spent blogging about it.
