[Dshield] DShield Database Incomplete? Also, port 12914 scans.

Robert Nelson nelsrob at mts.net
Sat Oct 8 17:53:50 GMT 2005


Are you adjusting your logs to account for the time difference between your
time zone and UTC? I think DShield's records go by UTC. If I'm in error, I'm
sure I'll be corrected...

Robert

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jon R. Kibler
Sent: October 8, 2005 6:42 AM
To: list at lists.dshield.org
Subject: [Dshield] DShield Database Incomplete? Also, port 12914 scans.


Greetings:

I know that this is not the first time that I have posted on this topic...
but, the problem seems to still be a problem.

It appears that the DShield database is not capturing all the records
submitted. I submit log records hourly. The number of records I submit for a
given day never seems to agree with our internal reports -- which have been
verified against our DShield submissions. DShield always seems to only have
a small fraction of our submittals.

For example, yesterday's DShield Report Summary:
> For 2005-10-07 you submitted 3360 packets from 793 sources hitting 39 targets.

From our own internal reports:
> Analysis of router log intrusion statistics for: Oct  7
> Total log records:	      8793
> Total packets:	     13709
> 
> Unique sources:	      1719
> Unique destinations:	        42
> 
> 
> Packets by type:
> 	tcp	     11829
> 	icmp	      1615
> 	udp	       265
> 
> 	TOTAL	     13709

Needless to say, they don't even come close to agreeing!

What got me checking again were scans to the external interface of one of
our routers for a small netblock. I was seeing scans on port 12914 and I had
no idea what was up, so I went to DShield Port Report to check it out. For
yesterday it showed:
>    Date    Sources	    Targets	     Records
> 2005-10-07 	15 		7		39

Well, that was fewer sources and records than I knew I had -- but for 7x the
number of targets... so, obviously a problem! Here's what my logs show were
submitted to DShield:
> $ router.count-port-sources 12914 'Oct  7'
> SOURCES FOR SCANS ON PORT 12914
>    9 61.172.245.247
>    8 221.212.109.202
>    7 202.103.178.130
>    6 202.103.178.212
>    3 222.188.127.29
>    2 60.190.127.82
>    2 222.191.251.104
>    2 220.232.130.219
>    2 218.22.154.37
>    1 61.188.39.37
>    1 222.217.221.85
>    1 222.174.66.237
>    1 221.231.121.33
>    1 221.231.109.80
>    1 219.128.2.230
>    1 202.103.213.138
>   16 Sources
>   48 Packets
> $ router.count-port-destinations 12914 'Oct  7'
> DESTINATIONS FOR SCANS ON PORT 12914
>   48 63.113.60.42
>    1 Targets
>   48 Packets


Even if the DShield database had not completely updated at the time the
daily reports were run, checking prior days show similar discrepancies.

Questions:
	What is the problem?
	What is the fix?
	Does anyone have a clue what port 12914 scans are about?

Here are the raw data from yesterday:
> Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:19:42 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:25:41 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 6 packets
> Oct  7 02:26:36 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 02:31:41 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 5 packets
> Oct  7 04:18:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 04:57:37 border6837 list 110 denied tcp 222.174.66.237(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 06:52:22 border6837 list 110 denied tcp 221.231.121.33(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:07:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:17:26 border6837 list 110 denied tcp 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:24:12 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:29:50 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 7 packets
> Oct  7 07:47:01 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 07:52:51 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 08:07:10 border6837 list 110 denied tcp 61.188.39.37(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 09:25:27 border6837 list 110 denied tcp 221.231.109.80(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:01:02 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:06:54 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 2 packets
> Oct  7 10:46:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 10:51:56 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:03:18 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:08:56 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:20:41 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 11:25:57 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 15:02:48 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 15:08:03 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 16:01:14 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 16:07:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 18:51:02 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 18:56:09 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> Oct  7 22:24:26 border6837 list 110 denied tcp 202.103.213.138(7000) -> 63.113.60.42(12914), 1 packet
> Oct  7 23:56:37 border6837 list 110 denied tcp 222.217.221.85(7000) -> 63.113.60.42(12914), 1 packet

Note that source ports are 80, 7000, and 21. Given how few port 7000 scans
are reported in DShield, this doesn't seem to be backscatter...

Any thoughts, comments, questions, answers to my questions, etc.
appreciated!

Jon Kibler
--
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
_________________________________________
Using .Net? Need to know more about .Net Security?
http://isc.sans.org/banner_count.php?dest=dotnet

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
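Robert's point about UTC versus local-time day boundaries can be checked directly against the router log format quoted in Jon's post. The following Python is an added example, not code from either poster or from DShield: it parses lines in that ACL log format and buckets them by calendar day under a chosen reporting zone, counting records, packets, unique sources and unique targets the way the post's daily reports do. The year, the router's local zone (assumed EDT, UTC-4) and the sample lines are all assumptions; the sample uses RFC 5737 documentation addresses rather than the addresses from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex for the router ACL log format quoted in the post:
# "Oct  7 01:09:39 border6837 list 110 denied tcp SRC(SPORT) -> DST(DPORT), N packet(s)"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ list \d+ "
    r"\w+ \w+ (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?$"
)

def parse_line(line, year, local_tz):
    """Parse one ACL log line; syslog carries no year or zone, so both are supplied."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
    return {"ts": stamp, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "packets": int(m["packets"])}

def daily_summary(lines, year, local_tz, report_tz=timezone.utc):
    """Bucket records by calendar day in report_tz; count records, packets,
    unique sources and unique targets per day, as the post's daily reports do."""
    days = defaultdict(lambda: {"records": 0, "packets": 0, "sources": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line, year, local_tz)
        if rec is None:
            continue                      # unparseable line: skip rather than miscount
        b = days[rec["ts"].astimezone(report_tz).strftime("%Y-%m-%d")]
        b["records"] += 1
        b["packets"] += rec["packets"]    # one record may carry several packets
        b["sources"].add(rec["src"])
        b["targets"].add(rec["dst"])
    return {d: {"records": b["records"], "packets": b["packets"],
                "sources": len(b["sources"]), "targets": len(b["targets"])}
            for d, b in days.items()}

# Constructed sample in the post's format (RFC 5737 documentation addresses, not the
# addresses from the post); the router clock is assumed to be on EDT (UTC-4).
EDT = timezone(timedelta(hours=-4))
SAMPLE = """\
Oct  7 01:09:39 border6837 list 110 denied tcp 192.0.2.10(80) -> 198.51.100.42(12914), 1 packet
Oct  7 02:25:41 border6837 list 110 denied tcp 192.0.2.11(7000) -> 198.51.100.42(12914), 6 packets
Oct  7 19:30:00 border6837 list 110 denied tcp 192.0.2.12(7000) -> 198.51.100.42(12914), 2 packets
Oct  7 21:15:07 border6837 list 110 denied tcp 192.0.2.10(80) -> 198.51.100.42(12914), 1 packet
Oct  7 23:56:37 border6837 list 110 denied tcp 192.0.2.13(21) -> 198.51.100.42(12914), 1 packet
""".splitlines()
```

Calling `daily_summary(SAMPLE, 2005, EDT, report_tz=EDT)` puts all five records on 2005-10-07, while the UTC default moves the two evening records onto 2005-10-08, so a local-day report and a UTC-day report disagree on records, packets and source counts for the same day.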


