[Dshield] DShield Database Incomplete? Also, port 12914 scans.

Johannes B. Ullrich jullrich at euclidian.com
Sun Oct 9 12:48:04 GMT 2005


Try and turn on 'Feedback' (not Fightback) for your account. This should
provide you with an email for each submission summarizing it. Forward me
a copy of this email.

Ports should not matter. But we do not import ICMP. There are a couple
of well known security test sites we include. Other than that,
everything should end up in the database.

Common errors:

- Timezone: Make sure you got your time zone set right. Records that are
in the future will be ignored.

- parser issue where a new log file format is not interpreted right

- wrapped lines if a regular email client is used.

- authentication issue where the parser will not be able to authenticate
the log.


Jon R. Kibler wrote:
> Greetings:
> 
> I know that this is not the first time that I have posted on this topic... but, the problem seems to still be a problem.
> 
> It appears that the DShield database is not capturing all the records submitted. I submit log records hourly. The number of records I submit for a given day never seems to agree with our internal reports -- which have been verified against our DShield submissions. DShield always seems to only have a small fraction of our submittals.
> 
> For example, yesterday's DShield Report Summary:
> 
>>For 2005-10-07 you submitted 3360 packets from 793 sources hitting 39 targets.
> 
> 
> From our own internal reports:
> 
>>Analysis of router log intrusion statistics for: Oct  7
>>Total log records:	      8793
>>Total packets:	     13709
>>
>>Unique sources:	      1719
>>Unique destinations:	        42
>>
>>
>>Packets by type:
>>	tcp	     11829
>>	icmp	      1615
>>	udp	       265
>>
>>	TOTAL	     13709
> 
> 
> Needless to say, they don't even come close to agreeing!
> 
> What got me checking again were scans to the external interface of one of our routers for a small netblock. I was seeing scans on port 12914 and I had no idea what was up, so I went to DShield Port Report to check it out. For yesterday it showed:
> 
>>   Date    Sources	    Targets	     Records
>>2005-10-07 	15 		7		39
> 
> 
> Well, that was fewer sources and records than I knew I had -- but for 7x the number of targets... so, obviously a problem! Here's what my logs show were submitted to DShield:
> 
>>$ router.count-port-sources 12914 'Oct  7'
>>SOURCES FOR SCANS ON PORT 12914
>>   9 61.172.245.247
>>   8 221.212.109.202
>>   7 202.103.178.130
>>   6 202.103.178.212
>>   3 222.188.127.29
>>   2 60.190.127.82
>>   2 222.191.251.104
>>   2 220.232.130.219
>>   2 218.22.154.37
>>   1 61.188.39.37
>>   1 222.217.221.85
>>   1 222.174.66.237
>>   1 221.231.121.33
>>   1 221.231.109.80
>>   1 219.128.2.230
>>   1 202.103.213.138
>>  16 Sources
>>  48 Packets
>>$ router.count-port-destinations 12914 'Oct  7'
>>DESTINATIONS FOR SCANS ON PORT 12914
>>  48 63.113.60.42
>>   1 Targets
>>  48 Packets
> 
> 
> 
> Even if the DShield database had not completely updated at the time the daily reports were run, checking prior days show similar discrepancies.
> 
> Questions:
> 	What is the problem?
> 	What is the fix?
> 	Does anyone have a clue what port 12914 scans are about?
> 
> Here are the raw data from yesterday:
> 
>>Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 02:19:42 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 02:25:41 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 6 packets
>>Oct  7 02:26:36 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 02:31:41 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 5 packets
>>Oct  7 04:18:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 04:57:37 border6837 list 110 denied tcp 222.174.66.237(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 06:52:22 border6837 list 110 denied tcp 221.231.121.33(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 07:07:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 07:17:26 border6837 list 110 denied tcp 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet
>>Oct  7 07:24:12 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 07:29:50 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 7 packets
>>Oct  7 07:47:01 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 07:52:51 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 08:07:10 border6837 list 110 denied tcp 61.188.39.37(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 09:25:27 border6837 list 110 denied tcp 221.231.109.80(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 10:01:02 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 10:06:54 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 2 packets
>>Oct  7 10:46:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 10:51:56 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 11:03:18 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 11:08:56 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 11:20:41 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 11:25:57 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 15:02:48 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 15:08:03 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 16:01:14 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 16:07:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 18:51:02 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 18:56:09 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
>>Oct  7 22:24:26 border6837 list 110 denied tcp 202.103.213.138(7000) -> 63.113.60.42(12914), 1 packet
>>Oct  7 23:56:37 border6837 list 110 denied tcp 222.217.221.85(7000) -> 63.113.60.42(12914), 1 packet
> 
> 
> Note that source ports are 80, 7000, and 21. Given how few port 7000 scans are reported in DShield, this doesn't seem to be backscatter...
> 
> Any thoughts, comments, questions, answers to my questions, etc. appreciated!
> 
> Jon Kibler
> --
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
> 
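The lines Jon quotes make it possible to redo his per-port tally and, at the same time, run the checks listed in the reply above (lines the parser cannot read, such as lines wrapped by a mail client; ICMP records, which are not imported; timestamps in the future, which point at a timezone error) before the log is submitted. The following is an added example written for this page; it is neither DShield's importer nor the router.count-port-* scripts from the post. The log format is inferred from the quoted lines; the ICMP line, the future-dated line and the wrapped line are constructed, and NOW is an assumed reference time.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router ACL "denied" line in the syslog format quoted in the post, e.g.
# "Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet"
# The year is not part of the line, so the caller has to supply it.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"list \S+ denied (?P<proto>[a-z]+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\S+\))?, (?P<pkts>\d+) packets?$"
)

# Assumed reference time for the "record in the future" check (constructed).
NOW = datetime(2005, 10, 8, 0, 0, 0)


def parse_line(line, year):
    """Return one record, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None, "pkts": int(m["pkts"])}


def check_records(lines, now, year):
    """Split lines into accepted records and the drop buckets named in the reply."""
    accepted, dropped = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line, year)
        if rec is None:
            dropped["unparsed"].append(line)  # wrapped line or unknown log format
        elif rec["proto"] == "icmp":
            dropped["icmp"].append(line)      # ICMP is not imported
        elif rec["ts"] > now:
            dropped["future"].append(line)    # timestamp in the future: timezone problem
        else:
            accepted.append(rec)
    return accepted, dict(dropped)


def summarize_port(records, dport):
    """(unique sources, unique targets, packets) for one destination port."""
    hits = [r for r in records if r["dport"] == dport]
    return (len({r["src"] for r in hits}), len({r["dst"] for r in hits}),
            sum(r["pkts"] for r in hits))


# The 32 port-12914 lines quoted in the post, followed by three constructed
# cases: an ICMP record, a future timestamp, and one line wrapped by a mail client.
SAMPLE_LINES = """
Oct  7 01:09:39 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 02:19:42 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 02:25:41 border6837 list 110 denied tcp 202.103.178.130(7000) -> 63.113.60.42(12914), 6 packets
Oct  7 02:26:36 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 02:31:41 border6837 list 110 denied tcp 202.103.178.212(7000) -> 63.113.60.42(12914), 5 packets
Oct  7 04:18:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 04:57:37 border6837 list 110 denied tcp 222.174.66.237(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 06:52:22 border6837 list 110 denied tcp 221.231.121.33(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 07:07:50 border6837 list 110 denied tcp 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 07:17:26 border6837 list 110 denied tcp 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet
Oct  7 07:24:12 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 07:29:50 border6837 list 110 denied tcp 221.212.109.202(7000) -> 63.113.60.42(12914), 7 packets
Oct  7 07:47:01 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 07:52:51 border6837 list 110 denied tcp 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 08:07:10 border6837 list 110 denied tcp 61.188.39.37(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 09:25:27 border6837 list 110 denied tcp 221.231.109.80(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 10:01:02 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 10:06:54 border6837 list 110 denied tcp 222.188.127.29(7000) -> 63.113.60.42(12914), 2 packets
Oct  7 10:46:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 10:51:56 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 11:03:18 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
Oct  7 11:08:56 border6837 list 110 denied tcp 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
Oct  7 11:20:41 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
Oct  7 11:25:57 border6837 list 110 denied tcp 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
Oct  7 15:02:48 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 15:08:03 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 16:01:14 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 16:07:05 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 18:51:02 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 18:56:09 border6837 list 110 denied tcp 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
Oct  7 22:24:26 border6837 list 110 denied tcp 202.103.213.138(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 23:56:37 border6837 list 110 denied tcp 222.217.221.85(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 03:00:00 border6837 list 110 denied icmp 10.0.0.5 -> 63.113.60.42 (8/0), 1 packet
Oct  9 01:00:00 border6837 list 110 denied tcp 10.0.0.7(7000) -> 63.113.60.42(12914), 1 packet
Oct  7 12:00:00 border6837 list 110 denied tcp 10.0.0.9(7000) ->
 63.113.60.42(12914), 1 packet
"""

if __name__ == "__main__":
    accepted, dropped = check_records(SAMPLE_LINES.splitlines(), NOW, 2005)
    print("port 12914 (sources, targets, packets):", summarize_port(accepted, 12914))
    for reason, lines in dropped.items():
        print(f"dropped ({reason}): {len(lines)}")
```

Run on the quoted lines the tally comes out as 16 sources, 1 target and 48 packets on port 12914, the same figures as the post's own count scripts, while the three constructed lines land in the unparsed, icmp and future buckets. Comparing the size of those buckets with the difference between a local count and the DShield summary is a quick way to tell a local submission problem from a database-side one.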
