[Dshield] DShield Database Incomplete? Also, port 12914 scans.

Jon R. Kibler Jon.Kibler at aset.com
Sat Oct 8 11:42:06 GMT 2005


Greetings:

I know that this is not the first time that I have posted on this topic... but, the problem seems to still be a problem.

It appears that the DShield database is not capturing all the records submitted. I submit log records hourly. The number of records I submit for a given day never seems to agree with our internal reports -- which have been verified against our DShield submissions. DShield always seems to only have a small fraction of our submittals.

For example, yesterday's DShield Report Summary:
> For 2005-10-07 you submitted 3360 packets from 793 sources hitting 39 targets.

From our own internal reports:
> Analysis of router log intrusion statistics for: Oct  7
> Total log records:	      8793
> Total packets:	     13709
> 
> Unique sources:	      1719
> Unique destinations:	        42
> 
> 
> Packets by type:
> 	tcp	     11829
> 	icmp	      1615
> 	udp	       265
> 
> 	TOTAL	     13709

Needless to say, they don't even come close to agreeing!

What got me checking again were scans to the external interface of one of our routers for a small netblock. I was seeing scans on port 12914 and I had no idea what was up, so I went to DShield Port Report to check it out. For yesterday it showed:
>    Date    Sources	    Targets	     Records
> 2005-10-07 	15 		7		39

Well, that was fewer sources and records than I knew I had -- but for 7x the number of targets... so, obviously a problem! Here's what my logs show were submitted to DShield:
> $ router.count-port-sources 12914 'Oct  7'
> SOURCES FOR SCANS ON PORT 12914
>    9 61.172.245.247
>    8 221.212.109.202
>    7 202.103.178.130
>    6 202.103.178.212
>    3 222.188.127.29
>    2 60.190.127.82
>    2 222.191.251.104
>    2 220.232.130.219
>    2 218.22.154.37
>    1 61.188.39.37
>    1 222.217.221.85
>    1 222.174.66.237
>    1 221.231.121.33
>    1 221.231.109.80
>    1 219.128.2.230
>    1 202.103.213.138
>   16 Sources
>   48 Packets
> $ router.count-port-destinations 12914 'Oct  7'
> DESTINATIONS FOR SCANS ON PORT 12914
>   48 63.113.60.42
>    1 Targets
>   48 Packets


Even if the DShield database had not completely updated at the time the daily reports were run, checking prior days shows similar discrepancies.

Questions:
	What is the problem?
	What is the fix?
	Does anyone have a clue what port 12914 scans are about?

Here is the raw data from yesterday:
> Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:19:42 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:25:41 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 6 packets
> Oct  7 02:26:36 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:31:41 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 5 packets
> Oct  7 04:18:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 04:57:37 border6837 list 110 denied tcp 222.174.66.237(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 06:52:22 border6837 list 110 denied tcp 221.231.121.33(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:07:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:17:26 border6837 list 110 denied tcp 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:24:12 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:29:50 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 7 packets
> Oct  7 07:47:01 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:52:51 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 08:07:10 border6837 list 110 denied tcp 61.188.39.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 09:25:27 border6837 list 110 denied tcp 221.231.109.80(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:01:02 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:06:54 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 2 packets
> Oct  7 10:46:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:51:56 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:03:18 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:08:56 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:20:41 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:25:57 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 15:02:48 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 15:08:03 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 16:01:14 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 16:07:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 18:51:02 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 18:56:09 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 22:24:26 border6837 list 110 denied tcp 202.103.213.138(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 23:56:37 border6837 list 110 denied tcp 222.217.221.85(7000) -> 63.113.60.42(12914), 1 packet

Note that source ports are 80, 7000, and 21. Given how few port 7000 scans are reported in DShield, this doesn't seem to be backscatter...

Any thoughts, comments, questions, answers to my questions, etc. appreciated!

Jon Kibler
--
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
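One way to reproduce the per-port tallies quoted in the post from the raw ACL deny lines, as an added example; it is not the poster's router.count-port-* scripts. It assumes the Cisco-style "list N denied proto src(sport) -> dst(dport), N packets" format shown above; the sample lines are a subset taken from the post plus one constructed line on another port, and it distinguishes log records from the packet counts carried in each record, which is the gap between the 8793 records and 13709 packets in the internal report.

```python
import re
from collections import Counter

# ACL deny record format as quoted in the post (assumed for all input lines).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

def parse_line(line):
    """Parse one deny record into a dict; return None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("acl", "sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec

def port_summary(lines, dport):
    """Tally records, packets, unique sources/targets and source ports for one
    destination port. Records count log lines; packets sum the 'N packets' field."""
    by_src = Counter()   # packets per source address
    targets, sports, records = set(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        records += 1
        by_src[rec["src"]] += rec["pkts"]
        targets.add(rec["dst"])
        sports.add(rec["sport"])
    return {"records": records, "packets": sum(by_src.values()),
            "sources": len(by_src), "targets": len(targets),
            "by_source": dict(by_src), "source_ports": sorted(sports)}

# Sample input: seven lines from the post plus one constructed line on port 1434.
SAMPLE = [
    "Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet",
    "Oct  7 02:19:42 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 1 packet",
    "Oct  7 02:25:41 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 6 packets",
    "Oct  7 02:26:36 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 1 packet",
    "Oct  7 02:31:41 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 5 packets",
    "Oct  7 03:00:00 border6837 list 110 denied udp 10.0.0.5(53) -> 63.113.60.42(1434), 2 packets",  # constructed
    "Oct  7 07:17:26 border6837 list 110 denied tcp 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet",
    "Oct  7 10:46:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet",
]

if __name__ == "__main__":
    print(port_summary(SAMPLE, 12914))
```

Comparing the "records" and "packets" fields of the output against what a submission report shows tells you which of the two the collector is actually counting.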

