Posted on behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services
Your company’s internet link is precious. Not only is it expensive and limited but it is a vital business
tool. Yet recent MessageLabs Intelligence analysis shows that companies can lose around a quarter of their internet bandwidth to employee web misuse, streaming media and spam. Imagine if you had to give up a quarter of your office space for non-work activities; it’s inconceivable. But when it comes to internet bandwidth, most companies don’t even know about the loss, let alone take steps to prevent it.
The MessageLabs Hosted Web Security Service (WSS) blocks millions of web requests every day to protect users from accessing content that is either non-compliant with company policy, or malicious. In a typical week in 2010 the WSS performs about 107 million blocks (up from 90 million/week in 2009), on 5-10 million distinct URLs, for several thousand clients. That’s tens of thousands of blocks per client per week on average.
99.96% of blocked URLs are policy based. Of these, by far the greatest proportion is for advertising, mostly pop-up ads or auto-forwarding to ads. Also, the WSS blocks sites related to streaming media (e.g. video), online games, adult/sexually explicit material, violence, tasteless and offensive material, weapons, criminal Activity, gambling, illegal drugs and so on. Clients have full control over what they consider to be against company policy (for example a company whose business is betting/gambling would allow staff to view gambling sites as part of their job).
The remaining 0.04% of blocks is malicious (but that could still be many tenss of thousands of blocks in a week). The malicious blocks are tiny in proportion to all blocks but very important as they are of great risk to the client. Malicious websites are not a matter of policy and they do not fall under any particular category. In theory almost any website is capable of hosting malware or forwarding to a site that does. Sites can be set up and hosted by criminals, or legitimate websites can be compromised. More information about the state of malicious web threats can be found in our recent whitepaper ‘Web Threats 2010: The Risks Mount Up’: http://downloads.messagelabs.com/dotcom/Whitepaper_web_threats_2010_EMEA_UK_June10.pdf.
This blog is more concerned with policy-based blocks, blocks of content that a business considers a misuse of resources. In March 2010 Symantec Hosted Services released a whitepaper examining how spammers, criminals, hackers, time-wasters and employee misuse can impact an organisation’s bandwidth (‘Bandwidth Bandits’: http://downloads.messagelabs.com/dotcom/EMEA_UK_Bandwidth_Bandits_Apr10.pdf). We warned that events such as the World Cup may trigger internet brown-outs in companies that are unprepared.
Part of the problem is that the internet is designed to continue operating even if links are busy or
damaged; indeed that’s the whole point of it. This means that you probably don’t notice if your emails take longer to deliver, web pages take longer to load and internet phone and video conferences are lower quality. It all sort of works and you expect the occasional hiccup.
That doesn’t mean that bandwidth loss is irrelevant. In fact, there are serious consequences:
-
You buy more expensive connectivity than you need
-
Business-critical internet connections, such as remote users’ VPN (virtual private network)
-
Connections or business-related web use, are slower than they should be, wasting people’s time
-
In some circumstances, such as spam spikes or when everyone in the office is watching the same World Cup match, you may experience service outages or serious delays
-
Internet communications such as desktop video conferencing, VOIP (voice over IP or internet telephony) have lower quality
-
As internet-delivered applications and services become more widespread, important business functions such as customer relationship management will depend on a fast, high-quality internet connection
MessageLabs Intelligence tracked the number of blocks of streaming media (e.g. video) requests during the World Cup. We wanted to see if we could get a feel for how much demand for streaming media increased, as employees attempted to watch their favourite teams using their employer’s internet resources.
If an employee decides to stream a football match, or multiple employees stream matches, the amount of downloaded data could increase dramatically over and above the normal day-to-day level. Also, higher-resolution or HD video requires significantly more bandwidth than standard resolution. This extra demand could result in the organisation being charged for exceeding download limits, or in other (possibly critical) business systems suffering a big performance hit as a result.
Daily blocks of streaming media content by MessageLabs Hosted Web Security Service, April-June 2010. The red line marks the beginning of the World Cup in South Africa on 11 June.
The graph above shows how many blocks MessageLabs Hosted Web Security Service made in the ‘Streaming Media’ category daily between the beginning of April and the end of June 2010. Weekends can clearly be seen, most of our clients are businesses that don’t tend to make as many web requests at weekends.
Interestingly, during the World Cup we did see a significant increase in the number of blocked requests for streaming media content.
Comparing the 18 day period between the start of the World Cup and the end of June, with the 18 day period leading up to the start of the World Cup (so a simple before versus after), we made 8.3% more blocks of streaming media content after the World Cup started, than before. The average number of clients with at least one streaming media block remained steady, but the average number of blocks per client increased dramatically.
In particular, we saw a large increase in blocks on Wednesday 23 June, the date of England's crucial final group game against Slovenia – kicking off at 1500 UK time. It was also the date of crucial final group games USA v Algeria, kicking off at 10 am ET; Ghana v Germany, kicking off at 2030 German time; and Australia v Serbia, kicking off at 0230-0430 Australian time.
The crucial German and Australian matches were played outside of normal working hours. It’s unlikely these two matches would have had a major impact on the number of blocks of streaming media that we see, unless employees stayed in the office to watch the game, let’s face it - unlikely!
Summary of what matches were played on 23 Jun, when MessageLabs Intelligence saw a large increase in blocks of requests for streaming media content.
Blocks of requests for streaming media are commonplace and normally account for at least ten percent of blocks made. Everyday many requests for video content are made, some work related, some not. Also, streaming media doesn’t have to be video. Users may also try to stream audio content including music.
Before the World Cup started, we made an average of 1700 streaming media blocks per client on any given Wednesday. On Wednesday 23 Jun, when we saw crucial World Cup games for nations in which we have a significant number of clients, we made about 2500 streaming media blocks per client, an increase of 800 streaming media blocks per client above normal levels. It is reasonable to assume that this blip is almost entirely due to additional requests for video content relating to the World Cup.
So how much data is downloaded in order to view a complete football match? The average encoding bitrate (the number of bits that are conveyed or processed per unit of time,
http://en.wikipedia.org/wiki/Bit_rate,
http://en.wikipedia.org/wiki/Bit) for video streams is around 2000 kilobits per second (2 megabits per second). That means that a 90-minute football match would result in about 1.3 gigabytes of data being downloaded. For high definition video streams, the average encoding bitrate is around 3200Kbps (3.2 Mbps), which would equate to about 2.1 Gb of data. It varies greatly from source to source, for example the BBC iPlayer requires only 1500 Kbps (1.5 Mbps) on their higher quality video stream, but can provide content at rates such as 800 Kbps (0.8 Mbps), which would equate to just 0.5 Gb of data. Alternatively ITV Player requires at least 600 Kbps (0.6 Gbps), which equates to 0.4 Gb of data. Employees would typically try to stream football matches from a variety of different sources, but English football fans for example would have used BBC or ITV’s video players. Let’s say a 90-minute football match would result in 0.4-2.1 Gb of data downloaded.
We saw above that on average clients made 800 requests above normal levels on 23 June. If each of those requests resulted in a full 90-minute football match being streamed, that would be anything between 320-1680 Gb data over and above normal levels.
In reality, users would have made multiple attempts to access the streaming media content. For example, a given user may have a request for streaming media blocked, and immediately go and try one or more alternative sites. Or, a given user may have a request blocked and ask a colleague if they can get to that site. Also, not all users would have intended to stream a full 90 minutes of action, for example, a given user may hear that a game is in for a nail-biting finish and try to tune in for the final moments; or, dip in and out of the coverage during the match.
So imagine users made three attempts to access the content, and intended to watch ten minutes. Under those conditions that still equates to between 12-62 Gb of data over and above normal levels.
Therefore we estimate that on average, the MessageLabs Hosted Web Security Service may have protected each of our clients from, conservatively, 12-62 Gb of additional downloaded data relating to employees attempting to watch the World Cup.
For a in depth look at how spammers, criminals, hackers, time-wasters and employee misuse can impact an organisation’s bandwidth, see our whitepaper ‘Bandwidth Bandits’:
http://downloads.messagelabs.com/dotcom/EMEA_UK_Bandwidth_Bandits_Apr10.pdf.