[Dshield] Port 23 activity spike

Pete Cap peteoutside at yahoo.com
Tue Jan 6 21:09:31 GMT 2004


Hmm.
 
I wonder if it is possible to accommodate this sort of thing--
E.g. network one consists of 1000 hosts...
Network two consists of 100 hosts.
Both report their hostile scan rates to dShield.
To what extent can you compare two samples with radically different sizes?
...I haven't really looked into nonparametric tests yet (which is what I think would be required) but I seem to remember that it could be done with some confidence.
 
Pete

Tom Liston <tliston at premmag.com> wrote:

I would agree with Johannes' earlier conclusion. The spikes appear to be 
a result of a scan running through the network of a large submitter. 
Therefore the numbers are skewed by the fact that the scanning simply hit 
a large, actively monitored network, i.e. a result of "reporting 
anomalies" (correctly spelled this time!).

-TL

On 6 Jan 2004 at 12:30, Pete Cap wrote:

> Tom,
> 
> By "reporting anomalies" do you mean something like a sampling error, or
> what?
> 
> Pete
> 
> Tom Liston wrote:
> 
> Bill,
> 
> In looking at the data (http://isc.sans.org/port_details.html?port=23) the
> most striking feature is that although there seems to be a lot of variance
> in the number of records and targets, the number of sources has stayed
> relatively constant (between 100 and 200).
> 
> My own data also shows that the scans that I'm seeing are coming from a
> small, constant number of hosts.
> 
> I would think that this would indicate "reporting anamolies"
> 
> -TL
> 
> On 6 Jan 2004 at 9:25, Bill McCarty wrote:
> 
> > Hi Johannes and all,
> > 
> > --On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich" 
> > wrote:
> > 
> > >> I notice that recent DShield data show a spike in activity on port 23:
> > >> > >> x=2 &percent=N&days=40&Redraw=>.
> > >
> > > This spike looks like a scan hitting one of our large class B
> > > submitters. Telnet is a popular scanned service. I presume that
> > > all they are looking for is weak passwords.
> > 
> > I notice that the spike continues to grow. And, yesterday, I saw telnet
> > probes of my own Class C network. Moreover, an exploit tool targeting
> > Solaris 8 telnet servers (not a password brute forcer) has been recently
> > circulating among certain Undernet IRC users.
> > 
> > Does it continue to appear that the spike is primarily related to the
> > large class B submitter?
> > 
> > Cheers,
> > 
> > ---------------------------------------------------
> > Bill McCarty
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
> 




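The check discussed in this thread (records and targets swinging while the number of sources stays roughly constant) can be expressed as a small classifier over daily per-port summaries. The Python below is an added example, not part of the original messages and not DShield's code; the sample counts, the thresholds and the function name `classify_spikes` are constructed assumptions.

```python
from statistics import median

# Constructed daily summaries for one port (not real DShield data).
# Each tuple: (day, records, targets, sources) where records = reports
# received, targets = distinct destination IPs, sources = distinct source IPs.
SAMPLE = [
    (1, 1200, 600, 150), (2, 1100, 580, 140), (3, 1300, 640, 160),
    (4, 1250, 610, 155), (5, 1150, 590, 145),
    (6, 9800, 5200, 170),    # a sweep lands on one large submitter
    (7, 1200, 600, 150),
    (8, 10500, 5400, 900),   # many new scanning hosts appear
]

def classify_spikes(days, baseline_days=5, spike_factor=3.0, source_factor=2.0):
    """Label each day after the baseline window.

    'reporting-anomaly': records or targets jump but the number of
    sources stays near baseline (a few scanners reached more sensors).
    'broad-increase': the number of sources jumps as well.
    The thresholds are illustrative assumptions.
    """
    base = days[:baseline_days]
    b_rec = median(d[1] for d in base)
    b_tgt = median(d[2] for d in base)
    b_src = median(d[3] for d in base)
    labels = {}
    for day, rec, tgt, src in days[baseline_days:]:
        volume_up = rec >= spike_factor * b_rec or tgt >= spike_factor * b_tgt
        sources_up = src >= source_factor * b_src
        if sources_up:
            labels[day] = "broad-increase"
        elif volume_up:
            labels[day] = "reporting-anomaly"
        else:
            labels[day] = "normal"
    return labels

if __name__ == "__main__":
    for day, label in classify_spikes(SAMPLE).items():
        print(day, label)
```
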