[Dshield] Port Reports, etc.

Jon R. Kibler Jon.Kibler at aset.com
Thu Jan 5 17:32:39 GMT 2006


Greetings,

OK, with everything that is going on this week and next, today is probably NOT a good day to bring this up... but I have that rare commodity -- time -- at present so I will at least bring up a couple of issues now. Sorry for the bad timing.

Looking at the port statistics maps, usually 50% to 75% of the scans being reported fall into the 'other' category. Looking at the top 10 ports report, seldom does any given port account for 10% to 15% of the scans reported.

When DShield first started, there were far fewer exploits on far fewer ports. Then, the 'other' category was usually far less than 50%, and often (as I recall) less than 20%. That gave everyone a good perspective of the 'big picture' as we could see all the major risky ports quite easily.

Today, because of the large number of scans, a 'Top 10 List' has become less useful than it was originally. What changes do I think would be good to make? Well here is my wish list. (If I had some time, I would volunteer to implement some of them, but until someone invents a 72 hour day...)

1) Three changes to the 'Top 10 Ports':
   a) Change from 'Top 10 Ports' to 'Top Ports' and make the list arbitrarily long enough (within reason) to cover all ports that account for the highest 50% of ports scanned, with some reasonable cutoff, such as if a port accounts for less than 1% of scans, it is not included.
   b) Change the color coding from the current <30/30-50/50+ g/y/r to something more indicative to today's scans, such as <15/15-30/30+.
   c) Report TCP vs UDP for each port.

2) Back with nimda-killer, DShield stopped collecting ICMP data. At the time, I agreed that was a good idea. However, we have now lost the ability to spot any early trends that may be ICMP related. (I know of at least 3 different ICMP protocol-defect-based exploits that have been published in recent months.) I believe that it would be a good idea to again start collecting ICMP data and publish ICMP stats by ICMP type/code. (Just eyeballing a few weeks of our internal reports, it appears that TCP ports account for about 65% of blocked scans, UDP ports about 20%, and ICMP about 15% on most days.)

3) On the port statistics maps by geographic region, show however many ports are necessary to keep 'other' at less than (in general) 50% and break out by protocol, including ICMP.

Anyway, sorry for the lousy timing of the request... but I thought I had better put in my $0.02 worth while I had a few minutes to do so.

Jon

P.S.  BTW, anyone else going to Shmoocon next week? Perhaps we all could have an informal DShielders get together?
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
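The 'Top Ports' selection proposed in item 1 of the post (list ports per protocol until they cover the top 50% of scans, drop any port under 1%, colour bands at 15/30 instead of 30/50, TCP vs UDP per row) and the 'other' share from item 3, as an added Python example. This is not DShield's code; the records it runs over are constructed for illustration, not real report data, and the function names, the 25-row cap and keying ICMP rows by ICMP type are my assumptions.

```python
"""
Build a "Top Ports" table from scan records, following the proposal in the
post: rank (protocol, port) pairs by count, keep adding rows until the rows
cover a target share of all scans, drop any port below a minimum share, and
report what is left as 'other'.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample records: (protocol, destination port or ICMP type).
# In a real feed these would be parsed from firewall log lines; the
# distribution here is made up purely to exercise the selection logic.
SAMPLE_RECORDS = (
    [("tcp", 445)] * 30
    + [("tcp", 135)] * 20
    + [("udp", 1026)] * 15
    + [("tcp", 139)] * 10
    + [("tcp", 80)] * 8
    + [("udp", 137)] * 6
    + [("icmp", 8)] * 5   # ICMP keyed by type (assumption), not port
    + [("tcp", 22)] * 4
    + [("tcp", 6881)] * 1
    + [("udp", 53)] * 1
)  # 100 records in total


@dataclass
class PortRow:
    proto: str
    port: int
    count: int
    share: float
    color: str


def color_for(share: float, yellow_at: float = 0.15, red_at: float = 0.30) -> str:
    """Colour band per the proposed <15 / 15-30 / 30+ thresholds."""
    if share >= red_at:
        return "red"
    if share >= yellow_at:
        return "yellow"
    return "green"


def top_ports(records, coverage: float = 0.50, min_share: float = 0.01,
              max_rows: int = 25) -> list[PortRow]:
    """Rows are added in descending order of count until either the listed
    rows cover `coverage` of all scans, a port falls under `min_share`, or
    `max_rows` ("within reason") is reached. Comparisons are done on integer
    counts so that exact boundaries such as 50 of 100 behave predictably."""
    counts = Counter(records)
    total = sum(counts.values())
    rows: list[PortRow] = []
    covered = 0
    for (proto, port), n in counts.most_common():
        # Sorted descending, so once one port is below the floor all later
        # ports are too.
        if n < min_share * total or len(rows) >= max_rows:
            break
        share = n / total
        rows.append(PortRow(proto, port, n, share, color_for(share)))
        covered += n
        if covered >= coverage * total:
            break
    return rows


def other_share(records, rows: list[PortRow]) -> float:
    """Fraction of scans not represented by any listed row."""
    total = len(records)
    listed = sum(r.count for r in rows)
    return (total - listed) / total


def protocol_breakdown(records) -> dict[str, float]:
    """Share of scans per protocol (TCP / UDP / ICMP), as item 2 asks for."""
    per_proto = Counter(proto for proto, _ in records)
    total = sum(per_proto.values())
    return {proto: n / total for proto, n in per_proto.items()}


if __name__ == "__main__":
    rows = top_ports(SAMPLE_RECORDS)
    for r in rows:
        print(f"{r.proto:4} {r.port:5} {r.count:4} {r.share:6.1%} {r.color}")
    print(f"other: {other_share(SAMPLE_RECORDS, rows):.1%}")
    print(protocol_breakdown(SAMPLE_RECORDS))
```

With the sample distribution the list stops after TCP/445 and TCP/135 because those two rows already cover 50% of the scans; raising `coverage` toward 1.0 lengthens the list until the 1% floor or the row cap takes over, which is the "arbitrarily long, within reason" behaviour the post describes.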






