Security Incidents mailing list archives

Re: Attacks vs Probes


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 18 Apr 2005 12:31:35 +0200

James C Slora Jr wrote:

We all have our opinions on whether to classify TCP Syns to filtered or
closed ports as attack attempts or harmless portscans.

Is there anyone on the list who has been running a very promiscuous
honeypot, and who might be able to offer some statistics on the percentages
of Syns that are connection initiations for attack attempts versus those
that are just portscans with no payload besides information gathering?

IMHO the problem is that the data is going to be biased based on the specific technology of the deployed honeypot and the current attack trends.

For example, if you have a honeypot running a web server you are going to see a large number of connection initiation requests because port 80 is both port scanned and attacked routinely. Similarly, if you have a honeypot with an SSH server you will see a lot of brute force attempts.

Some raw data from our honeypots (from yesterday)

Windows honeypot (running IIS as well as some other services, including FTP):
Tcp syns to honeypot = 111 (80 not targeted to port 80 or port 21)
Tcp syn-acks from honeypot = 32
Tcp Rsts from honeypot = 92
Tcp Fins = 31
So 27% of the TCP traffic are attacks that establish a connection.

Linux honeypot:
Tcp Syns to honeypot = 261 (95 not targeted to port 22)
Tcp Syn-acks from honeypot = 166
Tcp Rsts from honeypot = 104
Tcp Fins = 163

So, 62% of the Tcp syns are related to an attack, basically SSH brute force attempts, and 1% seem to be probes for the SSH port (no data transfer).


Regards

Javier

BTW, if you are curious, this is the protocol breakdown of the 80 TCP probe packets for the Windows honeypot:

     protocol           packets                  bytes
--------------------------------------------------------------------------
[0] total               80 (100.00%)             4980 (100.00%)
[1] ip                  80 (100.00%)             4980 (100.00%)
[2]  tcp                80 (100.00%)             4980 (100.00%)
[3]   ssh                8 ( 10.00%)              544 ( 10.92%)
[3]   socks              6 (  7.50%)              384 (  7.71%)
[3]   mssql-s           12 ( 15.00%)              720 ( 14.46%)
[3]   irc6669            1 (  1.25%)               54 (  1.08%)
[3]   other             53 ( 66.25%)             3278 ( 65.82%)

The 'other' is made up of probes to port 15118 (48%), 4000 (11%), 4899 (19%) and other ports such as 1025, 57, 6129, 2380, ...

And this is the breakdown for the 95 packets which are not SSH connections to the Linux honeypot:

     protocol           packets
------------------------------------------------------------------------
[0] total               95 (100.00%)
[1] ip                  95 (100.00%)
[2]  tcp                95 (100.00%)
[3]   ftp                6 (  6.32%)
[3]   http(s)            2 (  2.11%)
[3]   http(c)           17 ( 17.89%)
[3]   socks              6 (  6.32%)
[3]   mssql-s           14 ( 14.74%)
[3]   irc6669            1 (  1.05%)
[3]   other             49 ( 51.58%)

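As an added illustration of the SYN / SYN-ACK / payload distinction used in the counts above (not part of the original message), the following Python sketch groups constructed packet records into flows and labels each as a closed-port probe, an open-port probe with no data, or a connection that carried client data. The addresses, ports, flag strings and payload sizes are made up.

```python
from collections import defaultdict

# Constructed sample packet records (not real honeypot data). Each tuple is
# (direction, remote_ip, honeypot_port, tcp_flags, payload_bytes);
# direction "in" is towards the honeypot, "out" is from the honeypot.
SAMPLE_PACKETS = [
    # Closed-port probe: SYN in, RST back, no data.
    ("in",  "198.51.100.7", 1433, "S",  0),
    ("out", "198.51.100.7", 1433, "R",  0),
    # Brute-force style session: full handshake, then client data.
    ("in",  "203.0.113.9",  22,   "S",  0),
    ("out", "203.0.113.9",  22,   "SA", 0),
    ("in",  "203.0.113.9",  22,   "A",  0),
    ("in",  "203.0.113.9",  22,   "PA", 41),
    ("out", "203.0.113.9",  22,   "FA", 0),
    # Open-port probe: handshake completes, connection torn down, no payload.
    ("in",  "192.0.2.55",   22,   "S",  0),
    ("out", "192.0.2.55",   22,   "SA", 0),
    ("in",  "192.0.2.55",   22,   "R",  0),
    # Second closed-port probe.
    ("in",  "198.51.100.7", 4899, "S",  0),
    ("out", "198.51.100.7", 4899, "R",  0),
]

def classify_flows(packets):
    """Group packets by (remote ip, port) and label every SYN-initiated flow."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "payload": 0})
    for direction, src, dport, flags, plen in packets:
        f = flows[(src, dport)]
        if direction == "in" and "S" in flags and "A" not in flags:
            f["syn"] = True              # inbound connection initiation
        if direction == "out" and flags == "SA":
            f["synack"] = True           # honeypot accepted the handshake
        if direction == "in":
            f["payload"] += plen         # bytes the remote side actually sent
    labels = {}
    for key, f in flows.items():
        if not f["syn"]:
            continue                     # not started by a SYN; ignore
        if f["payload"] > 0:
            labels[key] = "attack"           # connection established, data sent
        elif f["synack"]:
            labels[key] = "open-port probe"  # handshake only, nothing sent
        else:
            labels[key] = "closed-port probe"
    return labels

def summarize(packets):
    """Return {label: (count, percentage of SYN-initiated flows)}."""
    labels = classify_flows(packets)
    counts = defaultdict(int)
    for lab in labels.values():
        counts[lab] += 1
    return {lab: (n, round(100.0 * n / len(labels), 1)) for lab, n in counts.items()}
```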
