Re: Dos attacks

From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 08/20/04


Date: Fri, 20 Aug 2004 15:36:37 -0400

JC wrote...

> I hadn't thought about this enough as I missed both of your points. Thanks for
> the update.

No big deal. :) It should also be noted that normal internet traffic
would include a certain amount of "probing" by other systems... your ISP
for example, may test your connection to see if you're alive from time
to time.

> Re the data gathering probes - could this account for the pings? Analysis of
> this month's probes so far shows that the top 3 contenders are:-
>
> Port probes - 675
> Pings - 167
> FTP - 37

That doesn't look at all unusual for a single system connected to the
internet in terms of volume. I've seen that much unaccounted for
activity in a single day, and a single instance of someone port scanning
your machine could *easily* make those numbers look pale in a few
minutes.
 
> The rest (130) fall into a range of categories - terminal services, telnet, Sun
> RPC, SSH, email, HTTPS, web (HTTP) and destination unreachable.

It's tough to make a guess without having more information, like timings
and samples of the packets. A ping followed immediately by a port
probing for instance could indicate someone trying to scan you. If you
see an ICMP timestamp request followed by a bunch of SYN packets, they
might be using nmap.

HTTP requests could be someone looking for unknown web sites, someone
looking for a particular version of IIS that might be vulnerable, or a
simple typo on some random web page.

Single "hits" might indicate a burp in routing, but something that
looked "systematic" could be exploration. If the timing follows a
distinct pattern it would indicate a machine at the helm. If you're
seeing almost random gaps between odd incoming packets it's likely a
person sitting there playing around. A series of three 376 byte packets
sent to port 1434 would probably be virus activity, most likely Sasser
looking for another victim.

And so on...

Just knowing you got 'X' number of packets in 'Y' period of time doesn't
tell you much outside how popular your machine is. You'd really need to
sit down and take inventory to glean anything useful. This is where IDS
and log analysis tools come in real handy. ;)

-- 
"I spent several years in a North Vietnamese prison camp, in the
dark, fed with scraps. Do you think I want to do that all over
again as vice president of the United States?"
                                             -- Sen. John McCain
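Editor's added example, not part of the post above: the heuristics the reply describes (an ICMP echo or timestamp request followed by a burst of SYNs, regular versus irregular inter-arrival timing, a lone hit versus a series, and repeated 376-byte datagrams to port 1434) are exactly the kind of per-source "inventory" an IDS or log-analysis script does. The Python below runs them over a small constructed packet log; the thresholds (5-second window, 3 distinct ports, coefficient-of-variation cut-off of 0.10) are assumed values for the demonstration, not anything the post specifies. One factual note on the last rule: a 376-byte UDP payload to port 1434 is the SQL Slammer signature; Sasser spread over TCP port 445.

```python
"""Per-source triage of a packet log using the heuristics from the thread.

Records are dicts: ts (seconds), src, proto (icmp/tcp/udp), and, as applicable,
icmp_type, dport, flags and length.  All sample data is constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds; tune against your own logs.
SCAN_WINDOW = 5.0       # seconds after an ICMP probe in which SYNs count as "following" it
SCAN_MIN_PORTS = 3      # distinct ports SYN'd inside that window before we call it a sweep
REGULAR_CV = 0.10       # inter-arrival coefficient of variation below this looks machine-driven
ICMP_PROBE_TYPES = {8: "echo request", 13: "timestamp request"}

# Constructed sample log (four sources, one pattern each).
SAMPLE_LOG = [
    # 203.0.113.5: ICMP timestamp request, then SYNs every 0.10 s to five ports (nmap-like)
    {"ts": 100.00, "src": "203.0.113.5", "proto": "icmp", "icmp_type": 13},
    {"ts": 100.10, "src": "203.0.113.5", "proto": "tcp", "dport": 21, "flags": "S"},
    {"ts": 100.20, "src": "203.0.113.5", "proto": "tcp", "dport": 22, "flags": "S"},
    {"ts": 100.30, "src": "203.0.113.5", "proto": "tcp", "dport": 23, "flags": "S"},
    {"ts": 100.40, "src": "203.0.113.5", "proto": "tcp", "dport": 80, "flags": "S"},
    {"ts": 100.50, "src": "203.0.113.5", "proto": "tcp", "dport": 443, "flags": "S"},
    # 198.51.100.7: a few SYNs with ragged gaps, no ICMP first (someone poking by hand)
    {"ts": 200.0, "src": "198.51.100.7", "proto": "tcp", "dport": 3389, "flags": "S"},
    {"ts": 207.3, "src": "198.51.100.7", "proto": "tcp", "dport": 22, "flags": "S"},
    {"ts": 209.1, "src": "198.51.100.7", "proto": "tcp", "dport": 23, "flags": "S"},
    {"ts": 231.8, "src": "198.51.100.7", "proto": "tcp", "dport": 21, "flags": "S"},
    # 192.0.2.9: three 376-byte UDP datagrams to 1434 (SQL Slammer signature)
    {"ts": 300.00, "src": "192.0.2.9", "proto": "udp", "dport": 1434, "length": 376},
    {"ts": 300.01, "src": "192.0.2.9", "proto": "udp", "dport": 1434, "length": 376},
    {"ts": 300.02, "src": "192.0.2.9", "proto": "udp", "dport": 1434, "length": 376},
    # 192.0.2.44: a single HTTP SYN and nothing else
    {"ts": 400.0, "src": "192.0.2.44", "proto": "tcp", "dport": 80, "flags": "S"},
]


def group_by_source(log):
    """Bucket records by source address, each bucket sorted by time."""
    by_src = defaultdict(list)
    for rec in log:
        by_src[rec["src"]].append(rec)
    for recs in by_src.values():
        recs.sort(key=lambda r: r["ts"])
    return by_src


def icmp_then_syn_sweep(recs):
    """ICMP echo/timestamp request followed within SCAN_WINDOW by SYNs to several ports."""
    for i, r in enumerate(recs):
        if r["proto"] != "icmp" or r.get("icmp_type") not in ICMP_PROBE_TYPES:
            continue
        ports = {s["dport"] for s in recs[i + 1:]
                 if s["proto"] == "tcp" and "S" in s.get("flags", "")
                 and s["ts"] - r["ts"] <= SCAN_WINDOW}
        if len(ports) >= SCAN_MIN_PORTS:
            return f"{ICMP_PROBE_TYPES[r['icmp_type']]} then SYN to {len(ports)} ports"
    return None


def worm_hits(recs):
    """Count 376-byte UDP datagrams to 1434 (the Slammer payload size and port)."""
    return sum(1 for r in recs
               if r["proto"] == "udp" and r.get("dport") == 1434 and r.get("length") == 376)


def timing(recs):
    """Near-constant inter-arrival gaps suggest a tool; ragged gaps suggest a human."""
    if len(recs) < 3:
        return None
    gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
    m = mean(gaps)
    if m <= 0:
        return "automated"
    return "automated" if pstdev(gaps) / m < REGULAR_CV else "interactive"


def classify(recs):
    """Apply the rules in priority order and return a one-line verdict."""
    n = worm_hits(recs)
    if n:
        return f"worm: {n} x 376-byte UDP to 1434"
    sweep = icmp_then_syn_sweep(recs)
    if sweep:
        return f"scan: {sweep}, {timing(recs)} timing"
    if len(recs) == 1:
        return "single hit: routing burp or stray client"
    return f"{len(recs)} probes, {timing(recs)} timing"


def classify_log(log):
    """Map each source address to its verdict."""
    return {src: classify(recs) for src, recs in group_by_source(log).items()}


if __name__ == "__main__":
    for src, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

The point the reply makes is that raw counts ("675 port probes") tell you almost nothing; it is the per-source sequencing and timing that separate a scanner, a curious human, a worm and routing noise. Real logs will need the thresholds tuned and the worm rule generalised to whatever is current, but the grouping-then-rules shape is what IDS signatures and log analysers do under the hood.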

