Firewall Wizards mailing list archives
Re: "Who else picked this one up?"
From: "Craig H. Rowland" <crowland () psionic com>
Date: Sat, 1 May 1999 00:20:05 -0500 (CDT)
> A few of us (some folks on the list and some of the folks at NFR) have been looking into adding a feature in the next version of Back Officer to allow someone to publish these kinds of records (potentially with a hashed IP address instead of the real one) to a central location for statistics, forensics, and to share within the security community. This would, I
This would be a very good service. At WheelGroup we wanted to do something similar with the deployed NetRanger IDS units but it never quite got organized, although it did happen to a small degree.
> Anyone got thoughts they'd like to share about some of the information that might be worth gathering? We thought we'd start by correlating class C networks, correlating reverse lookups of domains, correlating type of service swept/probed, as well as (sometimes) parameters. I guess we're still at the "scratching our heads and thinking over the issues" phase.
I would agree with everything you have listed and would add:

1) Aggregate the order in which the ports are being swept to track what automated tool scripts are being used (most of which follow a pattern from what I've run across).

2) Track the type of scans being used (normal, stealth, odd packets) so scanning techniques can be monitored for sudden changes or new applications that haven't been reported yet.

3) Allow real-time tracking of scans on a back-end which would function like the MAPS black-hole. Systems could have a mechanism to tie into the database and adjust filters globally to block problem networks/hosts in near real-time across the Internet. This mechanism can be used by administrators to force problem networks to clean up their act or stay disconnected (Yeah, I know this could have serious technical issues, but I can dream, can't I?). It can also hinder widespread scans after a new vulnerability has been reported but patches have not been developed, etc.
> We're aware of the CIDF work that IETF and others are doing, but don't want to do anything near as top-heavy. I guess the goal of the project would be to get some statistics about how bad the scanning rate _is_ out there. From what we've learned by releasing BOF it's _LOTS_ worse than I thought.
I wrote my PortSentry tool (http://www.psionic.com/abacus/portsentry) after an evening of getting probed multiple times. Since the tool has been deployed I think people are starting to realize how bad the problem really is. I can promise just about anyone that if you take a stock Unix system and put it on a network unpatched that within 48 hours you will be cracked. The concentration of attackers has reached a truly epidemic proportion on the net.
> mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
-- Craig
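The collection scheme sketched in this exchange (records shipped to a central point with a hashed source address, port order aggregated to fingerprint automated sweep tools, and the scan technique tracked) can be shown end to end in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from Back Officer Friendly, or from PortSentry. The log format, the three source addresses (all from documentation ranges), the HMAC key and the two tool fingerprints in TOOL_SIGNATURES are all constructed for the demonstration.

```python
"""Aggregate host-based port-probe records along the lines proposed in
the thread: pseudonymise the source address before it leaves the host,
keep the order in which ports were tried, classify the probe technique
from the TCP flags, and match the port order against tool fingerprints.
Added example; the log format and the fingerprints are constructed."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample records in the shape a host-based port monitor
# might log: timestamp, source address, destination port, TCP flags seen.
SAMPLE_LOG = """\
1999-05-01T00:01:02 192.0.2.10 21 S
1999-05-01T00:01:02 192.0.2.10 23 S
1999-05-01T00:01:03 192.0.2.10 25 S
1999-05-01T00:01:03 192.0.2.10 110 S
1999-05-01T00:01:04 192.0.2.10 143 S
1999-05-01T00:02:10 198.51.100.7 143 F
1999-05-01T00:02:10 198.51.100.7 110 F
1999-05-01T00:02:11 198.51.100.7 25 F
1999-05-01T00:02:11 198.51.100.7 23 F
1999-05-01T00:02:12 198.51.100.7 21 F
1999-05-01T00:03:00 203.0.113.5 80 SFPU
"""

# Hypothetical tool fingerprints keyed on the order in which ports are
# tried. These are constructed for illustration, not real signatures.
TOOL_SIGNATURES = {
    (21, 23, 25, 110, 143): "hypothetical-sweeper-A (ascending)",
    (143, 110, 25, 23, 21): "hypothetical-sweeper-B (descending)",
}


def pseudonymise_ip(ip, key):
    """Keyed hash of the address so the central collector never sees the
    real IP. A keyed HMAC rather than a bare hash means nobody without the
    key can re-identify a source by hashing the whole IPv4 space."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def classify_flags(flags):
    """Rough technique label from the TCP flags seen on the probe."""
    if flags == "S":
        return "normal"   # plain SYN / connect()-style probe
    if flags in ("F", "-"):
        return "stealth"  # FIN or NULL probe, no SYN
    return "odd"          # unexpected flag combinations, e.g. SFPU


def parse_records(text):
    """Split the constructed log into (timestamp, source, port, flags)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, flags = line.split()
        records.append((ts, src, int(port), flags))
    return records


def aggregate(text, key):
    """Per pseudonymised source: port order, scan type and matched tool."""
    by_source = defaultdict(lambda: {"ports": [], "techniques": set()})
    for _ts, src, port, flags in parse_records(text):
        entry = by_source[pseudonymise_ip(src, key)]
        if port not in entry["ports"]:  # keep first-seen order, drop repeats
            entry["ports"].append(port)
        entry["techniques"].add(classify_flags(flags))
    summary = {}
    for pseudonym, entry in by_source.items():
        techniques = entry["techniques"]
        summary[pseudonym] = {
            "ports": entry["ports"],
            "scan_type": next(iter(techniques)) if len(techniques) == 1 else "mixed",
            "tool": TOOL_SIGNATURES.get(tuple(entry["ports"])),
        }
    return summary


def tool_counts(summary):
    """How often each fingerprint (or 'unknown') was seen across sources."""
    return Counter(entry["tool"] or "unknown" for entry in summary.values())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a per-deployment secret
    result = aggregate(SAMPLE_LOG, key)
    for pseudonym, entry in result.items():
        print(pseudonym, entry)
    print(tool_counts(result))
```

Two points of the design are worth noting. The pseudonym is an HMAC with a key the reporting site keeps to itself; a plain hash of the address would be trivially reversible by hashing every IPv4 address, which defeats the point of hiding the real IP from the central collector. The fingerprint match is deliberately on the exact port sequence, so a new tool or a reordered sweep shows up as "unknown" in tool_counts, which is exactly the kind of change item 2 above wants an operator to notice.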