[Dshield] Analysis of Port 113 (ident) trend

David Kennedy CISSP david.kennedy at acm.org
Fri Jan 9 01:23:42 GMT 2004


At 06:22 AM 1/8/04 -0800, Pete Cap wrote:
>The seasonal length appears to consist of 4 or 5 days of elevated
>activity, apparently dropping off for a day or two, and then
>elevated again for another 4 or 5 days.  There is a general upward
>trend as well--it would be interesting to see if there is an annual
>seasonal effect as well.

Hmmm...kind of like a work week in western countries?  There are
several ports that exhibit this cycle; the 130s come to mind.
Tue-Thu are up and Sat and Sun are down, with Monday and Friday
showing transitions.  It may reflect a bias in the data resulting
from the locations of the sources.  The instructions on the web site
are to automate submissions, and many leave their systems up and
submit through the weekend, but not all do.  While DShield/ISC is not
deliberately North America- and Western Europe-centric, I very much
doubt the data sources are representative of the whole Internet.
Something to think about:  if *all* the data is cyclic, what does
this mean for 53, 80, 1433 etc.?

Set percent=Y in the URL to see the graph smooth out some of these
cycles. (I realize not having all of the data, this doesn't help your
statistical analysis, but it helps demonstrate the weekends.)

Most of the 113 I've seen on the wire is related to IRC and POP; lots
of it is legitimate and some of it isn't.  The volume may be
influenced by the "bot du jour" in use among the botherds and whether
they want to use IRC nets like Dalnet or private IRC servers, which
may or may not check back on 113.  Then there's some portion of 113
that actually is part of a port or host scan, where 113 may yield the
only response showing a given IP has something there.

My point is: don't lose sight of the "big picture" when you're
heads-down on statistical analysis.  A cycle may have a simple
explanation, and keep in mind the reason behind any activity on a
given port.


-- 
Regards,
                                          /"\
David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \
