Security Incidents mailing list archives
Re: Attacks vs Probes
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 18 Apr 2005 12:31:35 +0200
James C Slora Jr wrote:
We all have our opinions on whether to classify TCP Syns to filtered or closed ports as attack attempts or harmless portscans. Is there anyone on the list who has been running a very promiscuous honeypot, and who might be able to offer some statistics on the percentages of Syns that are connection initiations for attacks attempts versus those that are just portscans with no payload besides information gathering?
IMHO the problem is that the data is going to be biased based on the specific technology of the deployed honeypot and the current attack trends.
For example, if you have a honeypot running a web server you are going to see a large number of connection initiation requests because port 80 is both port scanned and attacked routinely. Similarly, if you have a honeypot with an SSH server you will see a lot of brute force attempts.
Some raw data from our honeypots (from yesterday):

Windows honeypot (running IIS as well as some other services, including FTP):

  TCP SYNs to honeypot      = 111 (80 not targeted to port 80 or port 21)
  TCP SYN-ACKs from honeypot = 32
  TCP RSTs from honeypot     = 92
  TCP FINs                   = 31

So 27% of the TCP traffic are attacks that establish a connection.

Linux honeypot:

  TCP SYNs to honeypot      = 261 (95 not targeted to port 22)
  TCP SYN-ACKs from honeypot = 166
  TCP RSTs from honeypot     = 104
  TCP FINs                   = 163

So, 62% of the TCP SYNs are related to an attack, basically SSH brute force attempts, and 1% seem to be probes for the SSH port (no data transfer).

Regards

Javier

BTW, if you are curious, this is the protocol breakdown of the 80 TCP probe packets for the Windows honeypot:
  protocol       packets            bytes
  ----------------------------------------------------------
  [0] total      80 (100.00%)    4980 (100.00%)
  [1] ip         80 (100.00%)    4980 (100.00%)
  [2] tcp        80 (100.00%)    4980 (100.00%)
  [3] ssh         8 ( 10.00%)     544 ( 10.92%)
  [3] socks       6 (  7.50%)     384 (  7.71%)
  [3] mssql-s    12 ( 15.00%)     720 ( 14.46%)
  [3] irc6669     1 (  1.25%)      54 (  1.08%)
  [3] other      53 ( 66.25%)    3278 ( 65.82%)

The 'other' is made up of probes to port 15118 (48%), 4000 (11%), 4899 (19%) and other ports such as 1025, 57, 6129, 2380, ...
And this is the breakdown for the 95 packets which are not SSH connections to the Linux honeypot:

  protocol       packets
  ------------------------------------------------------------------------
  [0] total      95 (100.00%)
  [1] ip         95 (100.00%)
  [2] tcp        95 (100.00%)
  [3] ftp         6 (  6.32%)
  [3] http(s)     2 (  2.11%)
  [3] http(c)    17 ( 17.89%)
  [3] socks       6 (  6.32%)
  [3] mssql-s    14 ( 14.74%)
  [3] irc6669     1 (  1.05%)
  [3] other      49 ( 51.58%)
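As an added illustration (not part of Javier's post or of the list archive), the script below applies the same SYN / SYN-ACK / RST / FIN accounting to a packet log. The honeypot address and every packet in PACKETS are constructed for the example; the log format (src, sport, dst, dport, TCP flag letters, client payload length) is an assumption standing in for whatever a sniffer on the honeypot would emit. Each client-initiated flow is labelled a closed-port probe (SYN answered with RST), an open-port probe (handshake but no client payload, which covers the "no data transfer" SSH probes in the post) or an attack (handshake followed by client data), and the summary reports the counts and percentages in the same shape as the raw figures above.

```python
from collections import defaultdict

HONEYPOT_IP = "10.0.0.5"  # constructed honeypot address (assumption)

# Constructed sample packet log: (src, sport, dst, dport, flags, client_payload_len)
PACKETS = [
    # 1. scanner hits a closed port: SYN answered by RST, nothing established
    ("203.0.113.7", 40001, HONEYPOT_IP, 15118, "S", 0),
    (HONEYPOT_IP, 15118, "203.0.113.7", 40001, "RA", 0),
    # 2. SSH brute-force style session: handshake, client data, FIN
    ("198.51.100.9", 51000, HONEYPOT_IP, 22, "S", 0),
    (HONEYPOT_IP, 22, "198.51.100.9", 51000, "SA", 0),
    ("198.51.100.9", 51000, HONEYPOT_IP, 22, "PA", 48),
    ("198.51.100.9", 51000, HONEYPOT_IP, 22, "FA", 0),
    # 3. open-port probe: full handshake, no payload, polite FIN
    ("192.0.2.33", 3333, HONEYPOT_IP, 80, "S", 0),
    (HONEYPOT_IP, 80, "192.0.2.33", 3333, "SA", 0),
    ("192.0.2.33", 3333, HONEYPOT_IP, 80, "FA", 0),
    # 4. half-open SYN scan: SYN, SYN-ACK, then the client resets
    ("192.0.2.34", 4444, HONEYPOT_IP, 80, "S", 0),
    (HONEYPOT_IP, 80, "192.0.2.34", 4444, "SA", 0),
    ("192.0.2.34", 4444, HONEYPOT_IP, 80, "R", 0),
]


def classify_flows(packets, honeypot_ip=HONEYPOT_IP):
    """Group packets into client-initiated flows and label each one.

    Labels:
      closed_probe - no SYN-ACK from the honeypot (port closed, RST instead)
      open_probe   - SYN-ACK seen but the client never sent a payload byte
      attack       - SYN-ACK seen and the client pushed data into the service
    Returns (flows, labels); flows is keyed by (client_ip, client_port, honeypot_port).
    """
    flows = {}
    for src, sport, dst, dport, flags, plen in packets:
        if src != honeypot_ip:
            key = (src, sport, dport)
            if "S" in flags and "A" not in flags:
                # a bare SYN opens a new flow record
                flows.setdefault(key, {"synack": False, "rst_hp": False,
                                       "fin": False, "bytes": 0})
                continue
            f = flows.get(key)
            if f is None:
                continue  # packet without a preceding SYN: ignore it
            f["bytes"] += plen
            if "F" in flags:
                f["fin"] = True
        else:
            key = (dst, dport, sport)
            f = flows.get(key)
            if f is None:
                continue
            if "S" in flags and "A" in flags:
                f["synack"] = True
            if "R" in flags:
                f["rst_hp"] = True
            if "F" in flags:
                f["fin"] = True

    labels = {}
    for key, f in flows.items():
        if not f["synack"]:
            labels[key] = "closed_probe"
        elif f["bytes"] > 0:
            labels[key] = "attack"
        else:
            labels[key] = "open_probe"
    return flows, labels


def summarize(packets, honeypot_ip=HONEYPOT_IP):
    """Produce the same raw counters as the post plus a per-label percentage."""
    flows, labels = classify_flows(packets, honeypot_ip)
    total = len(flows)
    counts = {
        "syns": total,
        "synacks": sum(f["synack"] for f in flows.values()),
        "rsts_from_honeypot": sum(f["rst_hp"] for f in flows.values()),
        "fins": sum(f["fin"] for f in flows.values()),
    }
    by_label = defaultdict(int)
    for lab in labels.values():
        by_label[lab] += 1
    percent = {lab: round(100.0 * n / total, 1) for lab, n in by_label.items()} if total else {}
    return {"counts": counts, "by_label": dict(by_label), "percent": percent}


if __name__ == "__main__":
    report = summarize(PACKETS)
    for section, values in report.items():
        print(section)
        for k, v in values.items():
            print(f"  {k:>20} = {v}")
```

Run as-is, the constructed log yields 4 SYNs, 3 SYN-ACKs, 1 RST from the honeypot and 2 FINs, and the flows split into one attack, two open-port probes and one closed-port probe. The classification only counts client payload bytes, so a SYN scan that completes the handshake and immediately resets (flow 4) is still reported as a probe rather than an attack; that is the distinction the post draws between "attacks that establish a connection" and probes with no data transfer.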