Re: Attacks vs Probes
From: Javier Fernandez-Sanguino (jfernandez germinus.com)
Date: Mon Apr 18 2005 - 05:31:35 CDT
James C Slora Jr wrote:
> We all have our opinions on whether to classify TCP Syns to filtered or
> closed ports as attack attempts or harmless portscans.
>
> Is there anyone on the list who has been running a very promiscuous
> honeypot, and who might be able to offer some statistics on the percentages
> of Syns that are connection initiations for attack attempts versus those
> that are just portscans with no payload besides information gathering?
IMHO the problem is that the data is going to be biased based on the
specific technology of the deployed honeypot and the current attack
trends.
For example, if you have a honeypot running a web server you are going
to see a large number of connection initiation requests because port
80 is both port scanned and attacked routinely. Similarly, if you
have a honeypot with an SSH server you will see a lot of brute force
attempts.
Some raw data from our honeypots (from yesterday):
Windows honeypot (running IIS as well as some other services,
including FTP):
TCP SYNs to honeypot = 111 (80 not targeted to port 80 or port 21)
TCP SYN-ACKs from honeypot = 32
TCP RSTs from honeypot = 92
TCP FINs = 31
So 27% of the TCP traffic is attacks that establish a connection.
Linux honeypot:
TCP SYNs to honeypot = 261 (95 not targeted to port 22)
TCP SYN-ACKs from honeypot = 166
TCP RSTs from honeypot = 104
TCP FINs = 163
So, 62% of the TCP SYNs are related to an attack, basically SSH brute
force attempts, and 1% seem to be probes for the SSH port (no data
transfer).
Regards
Javier
BTW, if you are curious, this is the protocol breakdown of the 80 TCP
probe packets for the Windows honeypot:
protocol            packets             bytes
----------------------------------------------------------
[0] total            80 (100.00%)      4980 (100.00%)
[1] ip               80 (100.00%)      4980 (100.00%)
[2] tcp              80 (100.00%)      4980 (100.00%)
[3] ssh               8 ( 10.00%)       544 ( 10.92%)
[3] socks             6 (  7.50%)       384 (  7.71%)
[3] mssql-s          12 ( 15.00%)       720 ( 14.46%)
[3] irc6669           1 (  1.25%)        54 (  1.08%)
[3] other            53 ( 66.25%)      3278 ( 65.82%)
The 'other' is made up of probes to port 15118 (48%), 4000 (11%), 4899
(19%) and other ports such as 1025, 57, 6129, 2380, ...
And this is the breakdown for the 95 packets which are not SSH
connections to the Linux honeypot:
protocol            packets
------------------------------------------------------------------------
[0] total            95 (100.00%)
[1] ip               95 (100.00%)
[2] tcp              95 (100.00%)
[3] ftp               6 (  6.32%)
[3] http(s)           2 (  2.11%)
[3] http(c)          17 ( 17.89%)
[3] socks             6 (  6.32%)
[3] mssql-s          14 ( 14.74%)
[3] irc6669           1 (  1.05%)
[3] other            49 ( 51.58%)
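The tallies above (SYNs, SYN-ACKs, RSTs, FINs, and the share that carried a payload) can be reproduced from per-connection flow records. The following is an added example, not the poster's tooling; the Flow layout and the sample records are constructed for illustration, and a "probe" is defined as an attempt that either hit a closed port or completed the handshake without sending any data.

```python
"""Classify honeypot TCP connection attempts as probes vs. attack sessions.

Added example with constructed data (not the poster's honeypot output).
Each Flow summarises one client-side connection attempt: which TCP flags
each side sent and how many payload bytes the client pushed afterwards.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str           # client address (constructed sample values)
    dport: int         # destination port on the honeypot
    syn: bool          # client sent SYN
    synack: bool       # honeypot answered SYN-ACK (port open)
    rst: bool          # a RST was seen (closed port or aborted session)
    fin: bool          # session closed cleanly with FIN
    client_bytes: int  # payload bytes sent by the client after the handshake


def classify(flow: Flow) -> str:
    """'closed-port-probe': SYN answered by RST, nothing to attack.
    'open-port-probe': handshake completed, but no client payload
    (liveness check or banner grab).
    'attack': handshake completed and the client sent data, i.e. it
    actually talked to the service (login attempt, request, exploit)."""
    if not flow.synack:
        return "closed-port-probe"
    if flow.client_bytes == 0:
        return "open-port-probe"
    return "attack"


def summarise(flows):
    """Flag tallies in the poster's shape plus the per-class share of SYNs."""
    counts = Counter(classify(f) for f in flows)
    syns = sum(f.syn for f in flows)
    out = {"syns": syns,
           "synacks": sum(f.synack for f in flows),
           "rsts": sum(f.rst for f in flows),
           "fins": sum(f.fin for f in flows)}
    for cls in ("closed-port-probe", "open-port-probe", "attack"):
        out[cls] = counts[cls]
        out[cls + "_pct"] = round(100.0 * counts[cls] / syns, 1) if syns else 0.0
    return out


# Constructed sample: two SSH brute-force sessions, one SSH connect-and-abort,
# one HTTP request, and SYNs to four closed ports that were answered by RST.
SAMPLE = [
    Flow("198.51.100.7", 22, True, True, False, True, 1800),
    Flow("198.51.100.7", 22, True, True, False, True, 1650),
    Flow("203.0.113.9", 22, True, True, True, False, 0),
    Flow("203.0.113.9", 1433, True, False, True, False, 0),
    Flow("203.0.113.9", 1080, True, False, True, False, 0),
    Flow("192.0.2.44", 80, True, True, False, True, 300),
    Flow("192.0.2.44", 4899, True, False, True, False, 0),
    Flow("192.0.2.44", 15118, True, False, True, False, 0),
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Feeding real flow records in (for example from a connection log exported by the honeypot's own capture) gives the same split the poster derived by hand, and the per-class percentages make the "attack vs. probe" ratio explicit rather than inferred from FIN counts.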