Hello, I am just curious about this. I see a rather unusual # of SNMP queries and port scans from DSL IP blocks in the US... How many of you really go after the script kiddies doing this? I know 1, 2 or even 3 a day is not a concern for me, but when I get 3 a day from the same source IP allocation, I start wondering... Will anyone answer this? I know you may not be able to comment due to legal concerns.. But I am curious..

Thanks,
Jim
On Thu, 13 Mar 2003, McBurnett, Jim wrote:
I am just curious about this. I see a rather unusual # of SNMP queries and port scans from DSL IP blocks in the US...
How many of you really go after the script kiddies doing this?
I know 1, 2 or even 3 a day is not a concern for me, but when I get 3 a day from the same source IP allocation, I start wondering...
I know people like to use sensational terms like "pre-attack reconnaissance" and "DOS attacks." There is a constant background hum on today's Internet, some of it is malicious, some of it is badly managed systems. Between automated web spiders, academics doing network discovery, automated worms, and badly designed "plug-n-play" software, your IDS system should be seeing stuff all the time.

The Pentagon used to report amazing numbers for "network attacks," anything from a single ping up to a full scale network compromise, but I haven't found recent numbers for 2002 or later.

FedCIRC put out these numbers for 2002.

Count      Type
125        Root compromise
111        User compromise
46         Web Site Defacement
488,000    Reconnaissance Activity
36         Denial of Service
265        Malicious Code
22         DNS Attack
39         Misuse of Resources
1,268      Unknown
What does unknown mean? And how can you count it if it's unknown? Not being silly, genuinely curious.

----- Original Message -----
From: "Sean Donelan" <sean@donelan.com>
To: <nanog@merit.edu>
Sent: Thursday, March 13, 2003 9:30 PM
Subject: Re: DSL-IP Probes Curiousity..
On Thu, 13 Mar 2003, McBurnett, Jim wrote:
I am just curious about this. I see a rather unusual # of SNMP queries and port scans from DSL IP blocks in the US...
How many of you really go after the script kiddies doing this?
I know 1, 2 or even 3 a day is not a concern for me, but when I get 3 a day from the same source IP allocation, I start wondering...
I know people like to use sensational terms like "pre-attack reconnaissance" and "DOS attacks." There is a constant background hum on today's Internet, some of it is malicious, some of it is badly managed systems. Between automated web spiders, academics doing network discovery, automated worms, and badly designed "plug-n-play" software, your IDS system should be seeing stuff all the time.
The Pentagon used to report amazing numbers for "network attacks," anything from a single ping up to a full scale network compromise, but I haven't found recent numbers for 2002 or later.
FedCIRC put out these numbers for 2002.
Count      Type
125        Root compromise
111        User compromise
46         Web Site Defacement
488,000    Reconnaissance Activity
36         Denial of Service
265        Malicious Code
22         DNS Attack
39         Misuse of Resources
1,268      Unknown
On Thu, 13 Mar 2003, McBurnett, Jim wrote:
:Will anyone answer this? I know you may not be
:able to comment due to legal concerns.. But I am curious..

I can answer, I just can't tell you who I do it for. ;) (the point of the nickname, but I digress)

Short answer is: the larger the victim network, the less likely a portscan will be followed up due to the increased probability of being part of some worm's random propagation pattern, or the introduction of factors caused by the size of the network.

What I have been trying to get done is a way of sorting incoming attacks by netblock, so that cases can be built against those netblocks (eventually ASNs ideally). We can go to the ISP with the alerts originating from them over a period of time, and show that someone is making a concerted effort to violate our network policies, and be able to provide them with ample evidence instead of the cheesy dumps of isolated portscan alerts from IDSs that they usually get.

Interestingly, the IDS alert sorting interfaces that I have seen (cisco, iss, snort, acid, intellitactics etc.) do not seem to be CIDR aware, or aware in a meaningful way which would facilitate the kind of follow-up I just described. They sort by lots of internal flags (src, dst, severity, type) but they do not allow the aggregation of sources to enable the co-ordination of a response with the offending network. It's like they designed the software without understanding the value of the information it was generating. The one blind spot in the query types you can do on them is the one thing that would make them generate valuable information. It's kind of a joke really.

(If any of those vendors are listening, I just gave you a million dollar improvement to your product. Contact me off list on where to send that bottle of Macallan, or for a good charity to donate to.)

So, as for your question, the answer is: maybe.

Cheers,
-- batz
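The netblock aggregation batz describes above (and the "3 a day from the same source IP allocation" pattern in Jim's question) is straightforward to do outside the IDS console. The following is an added example, not code from anyone in this thread: it takes a small constructed list of alerts in an assumed (timestamp, source IP, signature) shape, folds the sources into CIDR blocks of a chosen prefix length, and emits one case summary per block that crossed an alert threshold, which is the kind of evidence you would hand to the offending network's abuse contact. The threshold, prefix length and alert format are all assumptions; a real deployment would read the IDS's own export and would map prefixes to ASNs with whois or routing data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS alerts (timestamp, source IP, signature); not real data.
SAMPLE_ALERTS = [
    ("2003-03-11 02:14:05", "10.20.30.7",   "SNMP public community request"),
    ("2003-03-11 09:41:22", "10.20.30.19",  "TCP portscan"),
    ("2003-03-12 11:03:48", "10.20.30.102", "TCP portscan"),
    ("2003-03-12 23:17:09", "10.20.30.7",   "SNMP public community request"),
    ("2003-03-13 04:55:31", "10.20.31.200", "TCP portscan"),
    ("2003-03-13 13:20:00", "192.0.2.44",   "TCP portscan"),
    ("2003-03-13 18:02:17", "198.51.100.9", "ICMP ping sweep"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def prefix_of(ip, prefix_len):
    """CIDR block of the given length containing ip, e.g. 10.20.30.7 -> 10.20.30.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def aggregate_by_prefix(alerts, prefix_len=24):
    """Group alerts by containing prefix. Returns {prefix: [(datetime, src, sig), ...]}."""
    groups = defaultdict(list)
    for ts, src, sig in alerts:
        stamp = datetime.strptime(ts, TIME_FMT)
        groups[prefix_of(src, prefix_len)].append((stamp, src, sig))
    return groups


def build_cases(alerts, prefix_len=24, min_alerts=3):
    """One case per prefix with at least min_alerts alerts, busiest prefix first.

    Each case records the block, the alert count, the first/last time the block
    was seen, the distinct source hosts, and the distinct signatures, which is
    the aggregate view per-alert IDS consoles do not give you."""
    cases = []
    for prefix, hits in aggregate_by_prefix(alerts, prefix_len).items():
        if len(hits) < min_alerts:
            continue  # below the threshold: treat as background noise
        hits.sort()   # chronological; tuples sort on the datetime first
        cases.append({
            "prefix": prefix,
            "count": len(hits),
            "first_seen": hits[0][0],
            "last_seen": hits[-1][0],
            "sources": sorted({src for _, src, _ in hits}, key=ipaddress.ip_address),
            "signatures": sorted({sig for _, _, sig in hits}),
        })
    cases.sort(key=lambda c: c["count"], reverse=True)
    return cases


def format_case(case):
    """Render a case as a short abuse-report summary."""
    return "\n".join([
        f"Netblock: {case['prefix']}",
        f"Alerts:   {case['count']} between {case['first_seen']:{TIME_FMT}} "
        f"and {case['last_seen']:{TIME_FMT}}",
        f"Sources:  {', '.join(case['sources'])}",
        f"Types:    {', '.join(case['signatures'])}",
    ])


if __name__ == "__main__":
    # Per /24: only 10.20.30.0/24 crosses the threshold (4 alerts, 3 hosts).
    for case in build_cases(SAMPLE_ALERTS, prefix_len=24, min_alerts=3):
        print(format_case(case), "\n")
    # Widening to /23 folds the 10.20.31.200 scan into the same case (5 alerts).
    for case in build_cases(SAMPLE_ALERTS, prefix_len=23, min_alerts=3):
        print(format_case(case))
```

Choosing the prefix length is the judgement call: a /24 catches a single misbehaving subnet, while widening toward the ISP's actual allocation (or grouping by ASN once you have a prefix-to-ASN mapping) is what turns scattered single-host portscan alerts into the concerted-effort case batz wants to hand to the ISP.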
participants (4)
- batz
- McBurnett, Jim
- Scott Granados
- Sean Donelan