[Dshield] Increase in scanning activity coincident with release of Novarg?

John Hardin johnh at aproposretail.com
Tue Jan 27 19:22:35 GMT 2004

On Tue, 2004-01-27 at 09:55, Pete Cap wrote:
> John,
> Correct me if I'm wrong but the worm's vector is
> mass-mailing...therefore as the number of infected host rises, the
> amount of viral dandruff floating around the GIG ought to spike as
> well.

The tarpit graph only represents invalid traffic - traffic to
nonexistent hosts or traffic to commonly-scanned ports that aren't
actually valid on existing hosts (e.g. we have no publicly exposed
MS-SQL servers). It wouldn't show email worm traffic unless the worm was
doing something like scanning randomly for SMTP servers, which doesn't
sound like reasonable worm behavior.

'course, it could be scanning for other vulnerabilities, hence my
bringing it up here.

> Good bit of traffic analysis there.

I haven't really done any analysis past noticing the graphs went up at
the same time... :)

For instance, I haven't compared the tarpitted IP address to IP
addresses from which we're getting attack messages to see whether there
is any correlation there.

> If I may respectfully suggest, had you noticed this right away, it
> would have given us a one-hour headstart on the worm (no fault
> implied).

I noticed the surge of new quarantined messages within about half an
hour of the first one (I don't check the graphs that often). Things had
been remarkably quiet for a couple of weeks. I checked Symantec's
website shortly after that and noticed a brand-new level 4 worm, and
discussion here had already started. I don't know how much notice I
could have given.

Also, the graphs are publicly available if anybody else wants to watch

I would have thought that everybody here already had some mechanism in
place to quarantine executable file attachments, which is a large
portion of the attack traffic (the .ZIP variants are a nasty twist that
we can probably expect to see more of). Our mail server's log of that
quarantine is what tipped me off to the worm.
> Do you suppose you might be able to set in place some kind of
> threshhold (e.g. "increase of x% over time period y") which would
> alert you (or anyone using a tarpit) that anomalous activity was
> occurring?

Hadn't thought of that, and there might be enough false alerts to hide a
real warning. If you look at the historical traffic (scroll down) you'll
see a lot of spikes where somebody thoroughly scans us for half an hour.

Can anyone recommend a way to do such an alert from MRTG's data files?

John Hardin  KA7OHZ                           
Internal Systems Administrator/Guru               voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
  Failure to plan ahead on someone else's part does not constitute an
  emergency on my part.
                                  - David W. Barts in a.s.r

More information about the list mailing list