Educause Security Discussion mailing list archives

REN-ISAC debrief on Wed 8/13 activities


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 14 Aug 2003 08:30:29 -0500

REN-ISAC[1] Activities
Wednesday, 8/13

ANML[2] performed an analysis of Abilene NetFlow data covering the
period 0500-1400 GMT Wed 8/13 to identify the current top twenty AS
sourcing port 135 scans to Abilene. Within that top twenty list,
thirteen repeats from the 8/12 top twenty were seen.

An e-mail was sent to the top sources, describing (1) that their AS was
a top source, (2) worm traffic on Abilene is very high, (3) the REN-ISAC
is characterizing worm activity via Abilene NetFlow statistics, (4) a
pointer to mitigation techniques[3], (5) that filters need to be input
AND output, and (6) a breakdown of activity sourced within the AS, by
/21.

The e-mails were sent to 9 Abilene Participant universities, and 3
Abilene-connected aggregates. 8 of the top twenty source AS were very
large aggregates such as RIPE and APNIC. E-mails weren't sent to those
aggregates because our process for working them is still in
development.

In the very interesting results category, we've received four replies
from institutions stating that their networks are now corrected. Although
not stated, it appeared the corrective actions were taken as a result of
the REN-ISAC notices. Of the corrected sites, one site was the win and
show source on Tues/Wed. Comment from one site illustrated the common,
but incomplete, practice of applying only inbound filters, "We had the
filters applied on the inbound, but not on the outbound."

A graph, produced by ANML, of MS-RPC probe flows per second on Abilene
is attached. The source NetFlow data is sampled at approximately a 1:100
ratio. Actual flow counts are therefore higher. The graph illustrates
diminishing, although still very heavy, probe activity.


Regards,

Doug Pearson
Acting Director, REN-ISAC
Indiana University

[1] http://www.ren-isac.net
[2] http://www.anml.iu.edu/; The IU Advanced Network Management Lab
[3] http://www.cert.org/advisories/CA-2003-20.html

----
Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; Cell 812-325-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: ms-rpc-graph.pdf
Description:
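The ranking described in the debrief (top source ASes for TCP/135 probes, a per-/21 breakdown, 1:100 sampling scale-up, and repeats against the previous day's list) can be reproduced on flow records as below. This is an added illustration, not ANML's or REN-ISAC's code; the record layout, AS numbers and addresses are constructed, and the source-AS field is assumed to have been attached by an upstream prefix-to-AS lookup.

```python
from collections import Counter, defaultdict
from ipaddress import IPv4Network

SAMPLING_RATIO = 100  # the text states Abilene NetFlow was sampled at roughly 1:100

# Constructed NetFlow-like records: (src_ip, src_as, ip_proto, dst_port, sampled_flows).
# src_as is assumed to come from a prefix-to-AS lookup done before this step.
SAMPLE_FLOWS = [
    ("10.1.3.7", 65001, 6, 135, 40),
    ("10.1.5.9", 65001, 6, 135, 25),
    ("10.1.9.2", 65001, 6, 80, 300),   # ordinary web traffic, not counted
    ("10.2.0.4", 65002, 6, 135, 30),
    ("10.3.8.1", 65003, 17, 135, 10),  # UDP/135, not counted (TCP probes only)
    ("10.3.8.5", 65003, 6, 135, 12),
]


def slash21(ip):
    """Return the /21 aggregate containing ip, matching the per-/21 breakdown in the notices."""
    return str(IPv4Network((ip, 21), strict=False))


def rank_port135_sources(records, top_n=20):
    """Aggregate TCP/135 probe flows by source AS and rank the top_n sources.

    Sampled counts are scaled by SAMPLING_RATIO to estimate actual flow counts;
    each entry also carries a per-/21 breakdown for the notice sent to that AS.
    """
    by_as = Counter()
    by_as_prefix = defaultdict(Counter)
    for src_ip, src_as, proto, dst_port, flows in records:
        if proto != 6 or dst_port != 135:
            continue
        by_as[src_as] += flows
        by_as_prefix[src_as][slash21(src_ip)] += flows
    return [
        {
            "as": asn,
            "sampled_flows": sampled,
            "estimated_flows": sampled * SAMPLING_RATIO,
            "by_slash21": dict(by_as_prefix[asn].most_common()),
        }
        for asn, sampled in by_as.most_common(top_n)
    ]


def repeat_offenders(today, yesterday):
    """ASes that appear in both days' top lists (the debrief found 13 of 20 repeated)."""
    return sorted({r["as"] for r in today} & {r["as"] for r in yesterday})
```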

