[Dshield] Port 23 activity spike

Johannes B. Ullrich jullrich at sans.org
Tue Jan 6 22:07:57 GMT 2004


btw: to look at a bit of statistical trends analysis, see
http://isc.sans.org/trends.html

But maybe it's time to write this up on a proper web page. But here is my
quick guide to reading our port graphs.

Let's all pull up
http://www.dshield.org/port_report.php?port=23

You will see a graph, and likely only two lines in this example: a blue
and a green line that more or less match up.

The legend on the right indicates that there may be a red graph
("sources"), but we don't see it.

The reason we don't see it becomes obvious as you look at the table
below. It lists the actual numeric values.

There are only very few sources. The graph, by default, shows targets
and sources on the same scale. We can change that.

To the right of the graph, you will see radio buttons. Move 'targets'
to Axis 1 by clicking the radio button between 'Targets' and 'Axis 1'.

You will see this:
http://www.dshield.org/port_report.php?port=23&tarax=1

Green and blue lines (targets/reports) still follow each other and
increase around the 27th. However, the number of sources stays the
same.

So per source, we got all of a sudden more scans. What we need now is the
distribution of sources. This isn't something easily pulled from the
site (maybe something I should add). Here are the top 10 port 23
scanners for the last few days:

+------------+-----------------+-------+
| date       | source          | c     |
+------------+-----------------+-------+
| 2004-01-05 | 211.167.139.084 | 93712 |
| 2004-01-05 | 220.117.155.039 |  2456 |
| 2004-01-05 | 148.235.013.243 |  1956 |
| 2004-01-05 | 210.133.097.020 |  1193 |
| 2004-01-05 | 212.177.056.133 |  1182 |
| 2004-01-05 | 004.023.226.085 |   391 |
| 2004-01-05 | 211.147.022.098 |   329 |
| 2004-01-05 | 080.143.090.119 |   312 |
| 2004-01-05 | 195.007.172.233 |   202 |
| 2004-01-05 | 209.173.229.138 |   195 |
+------------+-----------------+-------+

+------------+-----------------+--------+
| date       | source          | c      |
+------------+-----------------+--------+
| 2004-01-04 | 220.090.252.036 | 101266 |
| 2004-01-04 | 195.061.075.183 |   5650 |
| 2004-01-04 | 082.166.087.042 |   4540 |
| 2004-01-04 | 068.120.083.218 |   3622 |
| 2004-01-04 | 211.147.022.098 |   1443 |
| 2004-01-04 | 211.167.139.084 |    513 |
| 2004-01-04 | 200.176.052.106 |    511 |
| 2004-01-04 | 211.092.109.072 |    491 |
| 2004-01-04 | 220.117.155.039 |    432 |
| 2004-01-04 | 211.023.216.010 |    291 |
+------------+-----------------+--------+

+------------+-----------------+-------+
| date       | source          | c     |
+------------+-----------------+-------+
| 2004-01-03 | 219.144.200.210 | 12172 |
| 2004-01-03 | 211.167.000.050 | 11738 |
| 2004-01-03 | 211.147.022.098 |  2443 |
| 2004-01-03 | 211.092.109.072 |  1290 |
| 2004-01-03 | 068.062.074.019 |  1244 |
| 2004-01-03 | 220.090.252.036 |  1189 |
| 2004-01-03 | 211.167.139.084 |  1162 |
| 2004-01-03 | 210.022.202.077 |  1113 |
| 2004-01-03 | 213.176.065.067 |   994 |
| 2004-01-03 | 211.114.192.041 |   677 |
+------------+-----------------+-------+


So interestingly, the increase in scans can be attributed to one
source, but it's a different source each day.

Next, let's see how this compares to different submitters.

Top ten submitters for port 23 (each row one submitter):
+------------+-------+
| date       | c     |
+------------+-------+
| 2004-01-05 | 92685 |
| 2004-01-05 |  1804 |
| 2004-01-05 |  1784 |
| 2004-01-05 |  1153 |
| 2004-01-05 |   912 |
| 2004-01-05 |   811 |
| 2004-01-05 |   774 |
| 2004-01-05 |   458 |
| 2004-01-05 |   398 |
| 2004-01-05 |   388 |
+------------+-------+


+------------+--------+
| date       | c      |
+------------+--------+
| 2004-01-04 | 101245 |
| 2004-01-04 |  13869 |
| 2004-01-04 |   1161 |
| 2004-01-04 |    775 |
| 2004-01-04 |    608 |
| 2004-01-04 |    418 |
| 2004-01-04 |    284 |
| 2004-01-04 |    226 |
| 2004-01-04 |    214 |
| 2004-01-04 |    192 |
+------------+--------+

+------------+-------+
| date       | c     |
+------------+-------+
| 2004-01-03 | 23659 |
| 2004-01-03 |  2899 |
| 2004-01-03 |  2001 |
| 2004-01-03 |  1898 |
| 2004-01-03 |  1158 |
| 2004-01-03 |   640 |
| 2004-01-03 |   575 |
| 2004-01-03 |   466 |
| 2004-01-03 |   347 |
| 2004-01-03 |   302 |
+------------+-------+

So we got kind of a one-to-one relationship between the number of
reports sent for port 23 by the largest submitter, compared to the
most notorious target.

Next, let's just look at some reports for one of the sources:

For the target column, I am just showing the last byte.
The remaining three bytes were all the same...

This is ordered by time. You see how the scan essentially
'walks' the network. Source ports increment with target IP.
Given the speed of the scan (I counted 10-20 packets / sec),
these are not in order.

Just one second worth of data:
 
+----------+-----------------+------------+--------+------------+
| time     | source          | sourceport | target | targetport |
+----------+-----------------+------------+--------+------------+
| 12:03:45 | 219.144.200.210 |      41946 | 011    |         23 |
| 12:03:45 | 219.144.200.210 |      41947 | 012    |         23 |
| 12:03:45 | 219.144.200.210 |      41948 | 013    |         23 |
| 12:03:45 | 219.144.200.210 |      41949 | 014    |         23 |
| 12:03:45 | 219.144.200.210 |      41950 | 015    |         23 |
| 12:03:45 | 219.144.200.210 |      41951 | 016    |         23 |
| 12:03:45 | 219.144.200.210 |      41954 | 019    |         23 |
| 12:03:45 | 219.144.200.210 |      41955 | 020    |         23 |
| 12:03:45 | 219.144.200.210 |      41960 | 025    |         23 |
| 12:03:45 | 219.144.200.210 |      41961 | 026    |         23 |
| 12:03:45 | 219.144.200.210 |      41962 | 027    |         23 |
| 12:03:45 | 219.144.200.210 |      41963 | 028    |         23 |
| 12:03:45 | 219.144.200.210 |      41964 | 029    |         23 |
| 12:03:45 | 219.144.200.210 |      41965 | 030    |         23 |
+----------+-----------------+------------+--------+------------+
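The two checks Johannes does by hand above (does one source explain the day's spike, and does the source port track the target address with a constant offset) as a small added script; this is not code from the post or from DShield. The daily counts are modeled on the tables above but the source addresses are replaced with RFC 5737 documentation ranges, and the walk check reuses the one-second sample rows from the post, so it only applies within a single /24 as shown there.

```python
from collections import Counter, defaultdict

# Constructed sample rows (date, source, reports): counts modeled on the
# post's tables, addresses replaced with documentation ranges.
DAILY_TOP = [
    ("2004-01-03", "203.0.113.9", 12172),
    ("2004-01-03", "198.51.100.7", 11738),
    ("2004-01-03", "192.0.2.44", 2443),
    ("2004-01-04", "198.51.100.7", 101266),
    ("2004-01-04", "203.0.113.9", 5650),
    ("2004-01-04", "192.0.2.44", 4540),
    ("2004-01-05", "192.0.2.44", 93712),
    ("2004-01-05", "203.0.113.9", 2456),
    ("2004-01-05", "198.51.100.7", 1956),
]

def top_source_share(rows):
    """Per day: (top source, fraction of that day's reports it accounts for)."""
    per_day = defaultdict(Counter)
    for date, src, count in rows:
        per_day[date][src] += count
    out = {}
    for date, counts in per_day.items():
        src, c = counts.most_common(1)[0]
        out[date] = (src, c / sum(counts.values()))
    return out

def dominant_sources(rows, threshold=0.5):
    """Days where one source explains more than `threshold` of the reports,
    i.e. the spike is a single scanner rather than many new hosts.
    Returns {date: source}; days with a split top (like 01-03) are left out."""
    return {d: s for d, (s, share) in top_source_share(rows).items()
            if share > threshold}

# Rows from the post's one-second sample: (sourceport, target last octet).
WALK_SAMPLE = [(41946, 11), (41947, 12), (41948, 13), (41949, 14), (41950, 15),
               (41951, 16), (41954, 19), (41955, 20), (41960, 25), (41961, 26),
               (41962, 27), (41963, 28), (41964, 29), (41965, 30)]

def walk_offset(sample):
    """If the source port tracks the target address with one constant offset
    (the 'walking' pattern), return that offset, else None. Gaps in the
    target list (missed packets) do not break the check."""
    offsets = {sport - target for sport, target in sample}
    return offsets.pop() if len(offsets) == 1 else None
```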

I did see a Solaris mass-router recently which did use telnet
among other vectors. Let's see what else these targets did

http://www.dshield.org/ipinfo.php?ip=219.144.200.210
  looks like mostly telnet with a little ftp

http://www.dshield.org/ipinfo.php?ip=211.167.139.084
   telnet only

I leave the remainder to you as an exercise.


-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm