[Dshield] Analyzing DShield data for indications of possible problems?

Antti Tolamo Usenet at linux.tola.org
Mon Jul 1 03:02:23 GMT 2002


Viestissä Torstai 27. Kesäkuuta 2002 17:14, kirjoitit:

>
> We talked about the similarities between network scanning / probing
> and other process controls (like a chemical plant or a refinery).
> Specifically, if we could establish a baseline which represents the
> "normal" level of scanning activities, then we could let the
> computers analyze data as it was gathered, and look for
> "statistically significant" events - those which deviate from the
> norm enough that they indicate that something has changed.  After
> all, we know that Port 80 scanning activity will drop off around the
> 20th of the month, them pick back up around the first, as this is the
> default behavior for CR/Nimda.  So, a change in activity that matches
> that pattern is not something to worry about - unless the level of
> change is significantly different.  However, a brief burst of
> scanning on a previously quiet port (SNMP, anyone?) might indicate a
> recon, prior to unleashing a new worm (I remember seeing this pattern
> before SQLsnake showed up.)  Also, a change in the amount of activity
> from a specific geographical region/netblock might indicate
> preparations for a cyber-attack.  Such information might help ISS
> alert sysadmins to batten down the hatches, and might allow us the
> time to mitigate, if not eliminate, the damage such an attack could
> do.
>
> DShield.org has the data.  Does anyone else see value in approaching
> scans/probes/hacktivity from this perspective (process control)?  It
> seems to me to be a better approach than people asking "have you
> noticed...?".
>
> Cheers,
> Ed Truitt

I'm surprised this hasn't been already. It seems only logical.
Good idea, and certainly something I'd see worth of pursuing.
And support  too, if I can.

However, I do see potential problems intepreneting the results.
The 'normal' scanning activity would need careful analysis as would
the potential changes too. I see here some potential pitfalls concerning 
network applications, how firewalls are configured and how diffrent user base
is around net(home users or servers etc).  

What comes to me, I for example get huge loads netbios scans each
day. Somebody scanning me a lot? No, I connect through eDonkey,
which links me to many other clients who send me a netbios scans.
When I stop eDonkey, the netbios scans stop also. My guess is that
I connect through eDonkey to manyt badly configured home user computers.
who inadvertly send netbios scans when they upload/download from my server.

 
Looking Dhsield and other databases, I can clearly see pattern of scans
does not correspond what I spot. There can however lot of reasons to this,
and diving to results by some meanss would tell lot more why. It is anyway, 
far as I can figure, only way to figure something definite about scans
invidual users can relate to. Infact, it would make a _huge_ diffrence to 
understanding what actually is happening.

Cheers,

Antti




More information about the list mailing list