[Dshield] Analysis of Port 113 (ident) trend

Pete Cap peteoutside at yahoo.com
Thu Jan 8 14:22:15 GMT 2004


Ladies & Gents,
 
I saw this morning on ISC that Port 113 is trending upwards.
 
113 is a great port to look at because it has a very obvious cyclical structure with a short season.  Obsairve:
Past year of activity - http://isc.sans.org/port_details.html?port=113&repax=1&tarax=2&srcax=2&percent=N&days=365&Redraw=Submit+Query
Past 3 months - http://isc.sans.org/port_details.html?port=113&repax=1&tarax=2&srcax=2&percent=N&days=90&Redraw=Submit+Query\
 
The seasonal length is appears to consist of 4 or 5 days of elevated activity, apparently dropping off for a day or two, and then elevated again for another 4 or 5 days.  There is a general upward trend as well--it would be interesting to see if there is an annual seasonal effect as well.
 
The breakdown:
SOURCES:  Pretty much remains within the 95% confidence interval all the time, with a few isolated significant spikes, three of which fall in early December.
TARGETS:  Seems to follow a cycle as noted above.  The frequency of significant spikes has been increasing.  Nearly all of December consisted of significantly elevated traffic.
RECORDS:  Another cyclical effect.  Generally within the 95% CI but again, December consisted largely of elevated traffic.
 
Over the past week (since the New Year) traffic has remained elevated as well.
 
So, having established (assuming my methods are good) days with significant activity, it remains to attach to that datum some information.
 
Why would we see a significant rise in the number of targets and in the total amount of traffic so recently, with relatively little change in the number of sources (yes, it's fluctuating, but not changing significantly)?  Why does it appear to drop off on weekends?
 
Couple of notes:
* No new ident/113 vulnerabilities have been reported since '01.
 
* According to dShield, 
"identd is a simple service to authenticate remote users. It can query which user on a remote system attempts to establish a connection.
This service is clear text and no longer in wide use. However, many mail servers will still query it. Some IRC servers use it to verify the userid." (Johannes)
 
* There are also a coupe of (older) IRC-associated worms which utilize 113.
 
If anyone has any ideas, I'm interested!
 
As an aside, I realize that calculating confidence intervals is not the most robust analytical techique...I'm working on that.
 
Pete


---------------------------------
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes


More information about the list mailing list