Subject: Re: home: Is *anyone* really home there???
From: William Annis (annis@BIOSTAT.WISC.EDU)
Date: Fri Mar 03 2000 - 15:54:04 CST


>Date: Thu, 2 Mar 2000 16:34:30 -0500
>From: "Greg A. Woods" <woods@most.weird.com>
>
>As a side note I should mention that I find it quite interesting that
>it's almost never the case that all of my hosts receive portmap requests
>from the same source.

        I have seen RPC dump scans of our entire class Cs originating
from the same source address. Of course I also see the random
requests from all over, too, spread over days.

> Either such tools are randomising the source
>address and using some other means of reply detection; or they are
>distributing the scanning (and not all scanners are operating in sync
>and thus the probes I see across my network are also randomly
>distributed in time);

        Has anyone done any sort of statistical analysis of scanning
behavior against their networks? I came up with a fairly bizarre
mechanism inspired by my desire *not* to get paged for every single
host scanned. See http://www.biostat.wisc.edu/~annis/mom3/help/tr_event.html
for the algorithm which analyzes the rate of security events. It
seems to match fairly well for various port and service scans, at
least for the last few months of data.

        I'd love to know if people have better mechanisms for event
time analysis.

> or perhaps people don't actually scan entire
>networks using this kind of test.

        They do. It's very subtle. :)

        Anecdote: I contacted the owner of one ISP after getting a
full RPC dump() sweep. He insisted up one side and down the other
that the source IP - his - was spoofed. Can anyone explain to me the
purpose of doing a dump() scan if you never see the data? I can't
think of anything, but information about low-level networking
sometimes takes me a while to absorb.

--
William Annis - System Administrator - Biomedical Computing Group
annis@biostat.wisc.edu                       PGP ID:1024/FBF64031
Mi parolas Esperanton - La Internacian Lingvon  www.esperanto.org