[Dshield] Port Reports, etc.
Jon R. Kibler
Jon.Kibler at aset.com
Thu Jan 5 17:32:39 GMT 2006
OK, with everything that is going on this week and next, today is probably NOT a good day to bring this up... but I have that rare commodity -- time -- at present so I will at least bring up a couple of issues now. Sorry for the bad timing.
Looking at the port statistics maps, usually 50% to 75% of the scans being reported fall into the 'other' category. Looking at the top 10 ports report, seldom does any given port 10% to 15% of the scans reported.
When DShield first started, there were far fewer exploits on far fewer ports. Then, the 'other' category was usually far less than 50%, and often (as I recall) less than 20%. That gave everyone a good perspective of the 'big picture' as we could see all the major risky ports quite easily.
Today, because of the large number of scans, a 'Top 10 List' has become less useful than it was originally. What changes do I think would be good to make? Well here is my wish list. (If I had some time, I would volunteer to implement some of them, but until someone invents a 72 hour day...)
1) Three changes to the 'Top 10 Ports':
a) Change from 'Top 10 Ports' to 'Top Ports' and make the list arbitrarily long enough (within reason) to cover all ports that account for the highest 50% of ports scanned, with some reasonable cutoff, such as if a port accounts for less than 1% of scans, it is not included.
b) Change the color coding from the current <30/30-50/50+ g/y/r to something more indicative to today's scans, such as <15/15-30/30+.
c) Report TCP vs UDP for each port.
2) Back with nimda-killer, DShield stopped collecting ICMP data. At the time, I agree that was a good idea. However, we have now lost the ability to spot any early trends that may be ICMP related. (I know of at least 3 different ICMP protocol defect based exploits that have been published in recent months.) I believe that it would be a good idea to again start collecting ICMP data and publish ICMP stats by ICMP type/code. (Just eyeballing a few weeks of our internal reports, it appears that TCP ports account for about 65% of blocked scans, UDP ports about 20%, and ICMP about 15% on most days.)
3) On the port statistics maps by geographic region, show however many ports are necessary to keep 'other' at less than (in general) 50% and break out by protocol, including ICMP.
Anyway, sorry for the lousy timing of the request... but I thought I better put in my $0.02 worth while I had a few minutes to do so.
P.S. BTW, anyone else going to Shmoocon next week? Perhaps we all could have an informal DShielders get together?
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list