[unisog] Determining local servers and banners
Peter Van Epp
vanepp at sfu.ca
Tue Apr 5 01:23:56 GMT 2005
On Mon, Apr 04, 2005 at 04:54:44PM -0400, Harry Hoffman wrote:
> We don't have a way, currently, to grab udp servers. I understand that a
> similar setup could be done with argus and the "-M hostsvc" flags and I
> am currently investigating this option. Is anyone doing this?
No, not like that. However depending on what problem you are trying to
solve argus may well be an answer. If you are trying to shut the server down
before it gets started, then indeed you are probably left with active probing
(and I expect a lot of expense for so so results) because as you note it is
hard (and only good for the point in time the scan has gone through). If
however your objective is to be proactive about shutting down such a server
(but are willing to allow it to send enough to be detected) then argus works
just fine. I tend to integrate traffic across 24 hours and find that "silent"
ftp servers that are being used are anything but silent. Their traffic spike
leaps right up and begs to be whacked off the network. Doesn't matter what port
(or protocol) they are using, to be useful they create an unusual traffic spike and traffic pattern which is fairly easily noticeable.
I discovered months ago that the spamming community has taken to using
a compromised machine for 20 minutes or so in the middle of the night to spam
on the assumption that no one is looking (and not many complain). A slight
modification to the perl scripts that scan the argus logs neatly picks those
hosts out for toasting in the morning when I come in (which is how I know few
of them get reported, while I toasted them I didn't get any complaints about
their spamming in most cases :-)). While it would be more sensible to block 25
outbound (it has long been blocked inbound except for mail servers) enough of
our email client base sends small amounts of email traffic direct (which argus
also will report when asked) that our support folks won't agree to the ban.
Setting a threshold on emails per hour makes picking out spamming machines
reasonably easy (although it does need a human reasonableness check to be safe
:-)) without breaking legit use.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada