The last few spam incidents I measured an outflow of about 2 messages per second. Does anyone know how aggressive Telnet and SSH scanning is? Even if it was greater, it's my guess there are many more hosts spewing spam
While I don't do flow monitoring today, when monitoring for outbound spam with Wirekshark I have seen hosts systematically check all the hosts in the block for an open SMTP port. I'm sure a lot more is going on that I don't know. The patterns are obvious to the human observer -- too bad that such logic isn't built into the firewall. I know there are some enterprise security admins that subscribe to the approach that all inbound and outbound traffic is blocked by defacto, with a few ports opened up in either direction for known applications. Of course, port 80 becomes the port of choice for all the undesired apps. Frank -----Original Message----- From: Justin Shore [mailto:justin@justinshore.com] Sent: Saturday, March 08, 2008 12:28 PM To: frnkblk@iname.com Cc: 'Mark Foster'; Dave Pooser; nanog@merit.edu Subject: Re: Customer-facing ACLs It varies widely. I see some extremely slow scans (1 SYN every 2-5 minutes). This is what someone on the SANS ISC page mentioned I believe. I've also seen scans last for up to 10 minutes. The consistency of the speeds made me think that perhaps the scanning computer was on a slow link. The worst scans are the ones that last a second or two and hit us with a SYN for every IP in our allocations. That kind of scan and its flood of packets is the one that I don't think I can stop without some sort of QoS. I've seen coordinated scans with everything from 2 to about a dozen different hosts scanning seemingly random IPs across our network. I know it's coordinated though because together they hit every IP but never hit the same IP by more than one scanner. I've seen scans that clearly learn where the accessible SSH daemons are, that then feed this info back to the puppet master so he can command a different compromised host (or hosts) to then handle the attacks. I've also see a scanner first scan our network and then immediately start pounding on the accessible daemons. Finally I've see the scanner stop its scan in mid-stream, pound on an accessible daemon for a while with a pre-defined set of userids and then continue on with the scans. Clearly there's some variation in the scanning methods. Justin Frank Bulk wrote: than
there are running abusive telnet and SSH scans.