[Dshield] Analysis of Port 113 (ident) trend

David Kennedy CISSP david.kennedy at acm.org
Fri Jan 9 01:23:42 GMT 2004


At 06:22 AM 1/8/04 -0800, Pete Cap wrote:
>The seasonal length appears to consist of 4 or 5 days of elevated
>activity, apparently dropping off for a day or two, and then
>elevated again for another 4 or 5 days.  There is a general upward
>trend as well--it would be interesting to see if there is an annual
>seasonal effect as well.  

Hmmm...kind of like a work week in western countries?  There are
several ports that exhibit this cycle, the 130's come to mind. 
Tue-Thur are up and Sat and Sun are down with Monday and Friday
showing transitions.  It may reflect a bias in the data resulting
from the locations of the sources.  The instructions on the web site
are to automate submissions and many leave their systems up and
submit through the weekend, but not all do.  While DShield/ISC is not
deliberately North American and Western Europe-centric I very much
doubt the data sources are representative of the whole Internet. 
Something to think about:  if *all* the data is cyclic, what does
this mean for 53, 80, 1433 etc?

Set percent=Y in the URL to see the graph smooth out some of these
cycles. (I realize not having all of the data, this doesn't help your
statistical analysis, but it helps demonstrate the weekends.)

Most of the 113 I've seen on the wire is related to IRC and POP, lots
of it is legitimate and some of it isn't.  The volume may be
influenced by the "bot du jour" in use among the botherds and whether
they want to use IRC nets like Dalnet or private IRC servers which
may or may not check back on 113.  Then there's some portion of 113
that actually is part of a port or host scan where 113 may yield the
only response showing a given IP has something there.

My point is don't lose sight of the "big picture" when you're
heads-down on statistical analysis.  A cycle may have a simple
explanation, and keep in mind the reason behind any activity on a
given port.



David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \
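
The reporting-bias argument in the message above, as an added example that is not part of the original post: raw daily counts for a port inherit the weekday cycle of the sensors that submit logs, while the port's share of all reports for the day does not. All data is constructed, the function names are hypothetical, and treating a percentage view as "port reports divided by all reports that day" is an assumption, not a statement of how DShield computes percent=Y.

```python
"""Added example: weekly reporting bias vs. real change in port 113 activity."""
from statistics import mean

# Constructed data, 3 weeks starting on a Monday. Assumption: fewer sensors
# submit logs at weekends, so *all* ports show fewer reports on Sat/Sun.
SENSORS = [90, 100, 100, 100, 90, 60, 60] * 3
TOTAL = [s * 1000 for s in SENSORS]                  # all reports per day
PORT113 = [round(t * (0.020 + 0.0002 * d))           # 2% share, slowly rising
           for d, t in enumerate(TOTAL)]


def weekday_profile(series):
    """Mean value per weekday (Mon=0..Sun=6) relative to the overall mean."""
    overall = mean(series)
    return [mean(series[d::7]) / overall for d in range(7)]


def cycle_strength(series):
    """Spread of the weekday profile: 0 means no weekly cycle."""
    profile = weekday_profile(series)
    return max(profile) - min(profile)


def daily_share(port, total):
    """Port reports as a fraction of all reports received that day."""
    return [p / t if t else 0.0 for p, t in zip(port, total)]


def weekly_trend(series):
    """Mean of each full 7-day window; averages out the weekly cycle."""
    return [mean(series[i:i + 7]) for i in range(0, len(series) - 6, 7)]


if __name__ == "__main__":
    share = daily_share(PORT113, TOTAL)
    print("raw cycle strength:   %.3f" % cycle_strength(PORT113))
    print("share cycle strength: %.3f" % cycle_strength(share))
    print("weekly mean share:", ["%.4f" % s for s in weekly_trend(share)])
```

If the cycle is just as strong in the share as in the raw counts, the weekday pattern belongs to the port's traffic rather than to who is submitting.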
