[Dshield] Analyzing DShield data for indications of possible problems?

Shannon Johnston sjohnston at cavion.com
Thu Jun 27 16:53:04 GMT 2002


I absolutely agree. 
The earlier the warning, the better.
Just let me know what I can do to help.

Shannon Johnston

On Thu, 2002-06-27 at 08:14, Ed Truitt wrote:
> 
> Yesterday, my team lead (who is also a DShield.org list subscriber)
> and I were talking about something I thought I would pass along to
> serve as a discussion starter.  We both have read numerous instances
> of people asking if they have seen an increase in probing / scanning
> activity on this port or that, or from a certain netblock, country,
> or region, etc.  
> 
> We talked about the similarities between network scanning / probing
> and other process controls (like a chemical plant or a refinery). 
> Specifically, if we could establish a baseline which represents the
> "normal" level of scanning activities, then we could let the
> computers analyze data as it was gathered, and look for
> "statistically significant" events - those which deviate from the
> norm enough that they indicate that something has changed.  After
> all, we know that Port 80 scanning activity will drop off around the
> 20th of the month, then pick back up around the first, as this is the
> default behavior for CR/Nimda.  So, a change in activity that matches
> that pattern is not something to worry about - unless the level of
> change is significantly different.  However, a brief burst of
> scanning on a previously quiet port (SNMP, anyone?) might indicate a
> recon, prior to unleashing a new worm (I remember seeing this pattern
> before SQLsnake showed up.)  Also, a change in the amount of activity
> from a specific geographical region/netblock might indicate
> preparations for a cyber-attack.  Such information might help ISS
> alert sysadmins to batten down the hatches, and might allow us the
> time to mitigate, if not eliminate, the damage such an attack could
> do.
> 
> DShield.org has the data.  Does anyone else see value in approaching
> scans/probes/hacktivity from this perspective (process control)?  It
> seems to me to be a better approach than people asking "have you
> noticed...?".
> 
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
> 
> "Note to spammers:  my 'delete' key is connected to YOUR ISP. 
>  Also, if you send me UCE, I reserve the right to post your spew 
> on my Web site, with the appropriate color commentary, so that 
> others may have a good laugh at your expense." 
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
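The baseline-and-deviation idea Ed describes, as an added example that is not part of the original thread: a per-port, per-day-of-month control chart, so the monthly CR/Nimda drop on port 80 is part of the norm while a burst on a normally quiet port (SNMP) is flagged. All counts are constructed, not DShield data, and every function name is mine.

```python
"""Shewhart-style control chart over per-port daily scan counts.

Baseline: for each (port, day-of-month) take the mean and standard deviation
of counts seen in earlier months. A drop in port 80 scans after the 20th
is then "normal"; a burst on a usually quiet port is not. Constructed data.
"""
from collections import defaultdict
from statistics import mean, pstdev

SIGMA_LIMIT = 3.0   # flag when |z| exceeds this many baseline std devs
MIN_STDDEV = 1.0    # floor so a flat baseline still yields a finite z

def build_baseline(history):
    """history: list of (port, day_of_month, count) from past months.
    Returns {(port, day): (mean, stddev)}."""
    samples = defaultdict(list)
    for port, day, count in history:
        samples[(port, day)].append(count)
    return {k: (mean(v), max(pstdev(v), MIN_STDDEV)) for k, v in samples.items()}

def flag_deviations(baseline, observations, limit=SIGMA_LIMIT):
    """observations: (port, day_of_month, count) rows for the current month.
    Returns [(port, day, count, z)] for statistically significant deviations.
    A port never seen in the baseline is treated as quiet (mean 0)."""
    alerts = []
    for port, day, count in observations:
        mu, sd = baseline.get((port, day), (0.0, MIN_STDDEV))
        z = (count - mu) / sd
        if abs(z) > limit:
            alerts.append((port, day, count, round(z, 1)))
    return alerts

def constructed_month(seed, snmp_burst_day=None):
    """Synthetic month: port 80 high until the 20th, then low; port 161 quiet,
    with an optional one-day burst standing in for pre-worm recon."""
    rows = []
    for day in range(1, 31):
        web = 1000 if day <= 20 else 300
        rows.append((80, day, web + (day * seed) % 40))   # small jitter
        snmp = 5 + (day + seed) % 3
        if day == snmp_burst_day:
            snmp = 400
        rows.append((161, day, snmp))
    return rows

HISTORY = constructed_month(1) + constructed_month(2) + constructed_month(3)
THIS_MONTH = constructed_month(4, snmp_burst_day=12)

if __name__ == "__main__":
    for alert in flag_deviations(build_baseline(HISTORY), THIS_MONTH):
        print("port %d day %d: %d events (z=%.1f)" % alert)
```

Only the SNMP burst on the 12th is reported; the port 80 drop on the 21st matches the baseline for that day of the month and stays silent.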