[Dshield] Port Reports, etc.
peteoutside at yahoo.com
Thu Jan 5 18:35:03 GMT 2006
"Jon R. Kibler" <Jon.Kibler at aset.com> wrote:
1) Three changes to the 'Top 10 Ports':
a) Change from 'Top 10 Ports' to 'Top Ports' and make the list arbitrarily long enough (within reason) to cover all ports that account for the highest 50% of ports scanned, with some reasonable cutoff, such as if a port accounts for less than 1% of scans, it is not included.
b) Change the color coding from the current <30/30-50/50+ g/y/r to something more indicative to today's scans, such as <15/15-30/30+.
c) Report TCP vs UDP for each port.
2) Back with nimda-killer, DShield stopped collecting ICMP data. At the time, I agree that was a good idea. However, we have now lost the ability to spot any early trends that may be ICMP related. (I know of at least 3 different ICMP protocol defect based exploits that have been published in recent months.) I believe that it would be a good idea to again start collecting ICMP data and publish ICMP stats by ICMP type/code. (Just eyeballing a few weeks of our internal reports, it appears that TCP ports account for about 65% of blocked scans, UDP ports about 20%, and ICMP about 15% on most days.)
3) On the port statistics maps by geographic region, show however many ports are necessary to keep 'other' at less than (in general) 50% and break out by protocol, including ICMP.
Anyway, sorry for the lousy timing of the request... but I thought I better put in my $0.02 worth while I had a few minutes to do so.
P.S. BTW, anyone else going to Shmoocon next week? Perhaps we all could have an informal DShielders get together?
It's not apparent to me that Top-xxx reports carry much, if any, useful data, because usually no effort to attach any significance to the data is made.
For me DShield is useful for comparing my own networks with a larger sample. There are pretty simple statistical tests you can do to compare, say, the amount of 31337/tcp probes your home network gets to the amount seen on the internet at large; significant differences may mean that you're being singled out, which is highly valuable information to have.
Unfortunately DShield does not publish the overall number of reporting entities per day (that I can find), nor do they publish the standard deviation for a given port on a given day. Given those data I could make sure my tests were valid; at the moment, I'm just assuming they are, which may or may not be true.
I have pestered Johannes about these things before but so far he hasn't had the time to implement them...here's hoping for 2006 :)
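The comparison described in the reply above, worked through as an added example (not code from the original post or from DShield): a one-sample z-test that treats the published share of a port as exact, which is what you are forced into when only the share is published, next to the two-proportion z-test you could run if the number of reporting entities were known. All counts are constructed; the 31337/tcp figures are illustrative, not DShield data.

```python
"""Compare one network's share of probes on a port with a larger sample.

Constructed example: a local sensor blocked 1,000 packets, 20 of them on
31337/tcp; a DShield-style aggregate saw 6,000 of 1,000,000 on that port.
"""
from math import erfc, sqrt


def two_sided_p(z: float) -> float:
    """Two-sided p-value for a standard normal statistic."""
    return erfc(abs(z) / sqrt(2.0))


def one_sample_ztest(local_hits: int, local_total: int,
                     global_share: float) -> tuple:
    """Test the local share against a published share taken as exact.

    Ignores the uncertainty in the global figure, which is why the
    reply asks for the number of reporting entities and a standard
    deviation: without them this is the only test available.
    """
    p_hat = local_hits / local_total
    se = sqrt(global_share * (1.0 - global_share) / local_total)
    z = (p_hat - global_share) / se
    return z, two_sided_p(z)


def two_proportion_ztest(local_hits: int, local_total: int,
                         global_hits: int, global_total: int) -> tuple:
    """Pooled two-proportion z-test; needs the global sample size too."""
    p_local = local_hits / local_total
    p_global = global_hits / global_total
    pooled = (local_hits + global_hits) / (local_total + global_total)
    se = sqrt(pooled * (1.0 - pooled)
              * (1.0 / local_total + 1.0 / global_total))
    z = (p_local - p_global) / se
    return z, two_sided_p(z)


if __name__ == "__main__":
    # Constructed counts: local 20/1000 vs global 6000/1,000,000 on 31337/tcp.
    print("one-sample  z=%.2f p=%.2e" % one_sample_ztest(20, 1000, 0.006))
    print("two-sample  z=%.2f p=%.2e"
          % two_proportion_ztest(20, 1000, 6000, 1_000_000))
    # A single quiet day (3 of 200 packets) is far too few to call
    # "singled out": the same share is not significant at the 5% level.
    print("small local sample p=%.3f" % one_sample_ztest(3, 200, 0.006)[1])
```

The third call illustrates the validity concern in the reply: with a small daily sample, a local share two to three times the global one is still consistent with chance, so per-day alarms need either more local traffic or several days aggregated.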