[unisog] Re: Re: Large Attack

Jeff Anderson-Lee jonah at eecs.berkeley.edu
Mon Mar 4 19:26:06 GMT 2002


DShield's current "Top 10" is by IP, not subnet.  I imagine you would 
get a somewhat
different result at the /8, /16, and /24 subnet level (or whatever it 
happens to be).  If
you simply cut off a single offending IP, most telecoms wouldn't notice 
or care.

Here are some interesting data from Dshield starting with some top-10 IPs:

IP Address: 24.98.96.250 HostName: att-98-96-250.atl.mediaone.net

24.98.96.*
Distinct IPs listed:3
Distinct targets:727543  (over 60K in the past 5 days)
First / Last entry: 2002-02-10 / 2002-03-03
[looks like a good candidate for the blacklist.]

But that's really a part of an AT&T Broadband Atlanta /16+ netblock:

Netname: ATTB-ATL-3
Netblock: 24.98.0.0 - 24.99.79.255

24.98.*.* Distinct IPs listed:244 Distinct targets:730396
24.99.*.* Distinct IPs listed:0 Distinct targets: 0

Do you single out the /8, the subnet, or all of AT&T Broadband for what is
mostly large attacks from a few hosts.


IP Address: 63.199.26.228 HostName: 
adsl-63-199-26-228.dsl.snfc21.pacbell.net

63.199.26.*
Distinct IPs listed:3
Distinct targets:24546 (all but 37 in the past 5 days)
First / Last entry:2002-02-18 / 2002-03-01
[a rising blacklist candidate?]

But this /8 is actually part of a PACBELL  /20 netblock.
(Pac Bell Internet Services (NETBLK-PBI-NET-7) PBI-NET-7)
Dsheild doesn't currently report at that granularity, so you have
to sum the parts:

63.192.*.* Distinct IPs listed:60 Distinct targets:3370
63.193.*.* Distinct IPs listed:114 Distinct targets:2982
63.194.*.* Distinct IPs listed:89 Distinct targets:7280
63.195.*.* Distinct IPs listed:89 Distinct targets:5931
63.196.*.* Distinct IPs listed:218 Distinct targets:9601
63.197.*.* Distinct IPs listed:89 Distinct targets:4566
63.198.*.* Distinct IPs listed:149 Distinct targets:6584
63.199.*.* Distinct IPs listed:157 Distinct targets:33180
63.200.*.* Distinct IPs listed:118 Distinct targets:7597
63.201.*.* Distinct IPs listed:192 Distinct targets:4004
63.202.*.* Distinct IPs listed:227 Distinct targets:5131
63.203.*.* Distinct IPs listed:223 Distinct targets:44490
63.204.*.* Distinct IPs listed:157 Distinct targets:7628
63.205.*.* Distinct IPs listed:259 Distinct targets:9157
63.206.*.* Distinct IPs listed:287 Distinct targets:7779
63.207.*.* Distinct IPs listed:251 Distinct targets:5837

It looks like a lot of attacks, but it is also a large chunk of the IP 
address space.
Still, the high numbers of IPs per/16 indicates a lot of poorly managed 
hosts
which is to be expected for mostly end-user managed hosts.

For comparison, here are some other /16s:

171.64.*.* Distinct IPs listed:40 Distinct targets:812 [part of 
NETBLK-SUNET]
128.83.*.* Distinct IPs listed:62 Distinct targets:1856 [UTAUSTIN]
128.32.*.* Distinct IPs listed:25 Distinct targets:2496 [UCB-ETHER]
128.210.*.* Distinct IPs listed:36 Distinct targets:30185 [PURDUE-CCNET]
80.11.*.* Distinct IPs listed:3916 Distinct targets:243856 [Wanadoo 
Interactive]

I think most people would agree that Wanadoo seems to be a big [repeat]
offender in this light.  What of Purdue?  One unlucky incident (29761 
attacks)
blemishes an otherwise fairly good record.  Do they get blacklisted?
For how long?

Jeff Anderson-Lee

Don Wolf wrote:

>In regards to your interest in seeing "a site to list 'dirty subnets' -
>those subnets from which we see
>repeated attacks", there is a great site in which to go.  DShield has been
>doing just that for some time.  Just thought I'd point it out for those who
>didn't know.  This link according to DShield "shows the top 10 offenders
>according to the DShield database".
>
>http://www.dshield.org/top10.html
>
>
>___________________________________
> Don J. Wolf - Security Consultant
> SANS/GIAC, MCP, CCNA, ICSA
> SecuredSite Intrusion Specialists
> www.SecuredSite.org
>




More information about the unisog mailing list