Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: "Craig H. Rowland" <crowland () psionic com>
Date: Sat, 1 May 1999 00:20:05 -0500 (CDT)

> A few of us (some folks on the list and some of the folks at
> NFR) have been looking into adding a feature in the next version
> of Back Officer to allow someone to publish these kinds of
> records (potentially with a hashed IP address instead of the
> real one) to a central location for statistics, forensics,
> and to share within the security community. This would, I
This would be a very good service. At WheelGroup we wanted to do something
similar with the deployed NetRanger IDS units but it never quite got
organized, although it did happen to a small degree.


> Anyone got thoughts they'd like to share about some of the
> information that might be worth gathering? We thought we'd
> start by correlating class C networks, correlating reverse
> lookups of domains, correlating type of service swept/probed,
> as well as (sometimes) parameters. I guess we're still at
> the "scratching our heads and thinking over the issues" phase.

I would agree with everything you have listed and would add:

1) Aggregate the order in which the ports are being swept to track what
automated tool scripts are being used (most of which follow a pattern
from what I've run across).

2) Track the type of scans being used (normal, stealth, odd packets) so
scanning techniques can be monitored for sudden changes or new
applications that haven't been reported yet.

3) Allow real-time tracking of scans on a back-end which would function
like the MAPS black-hole. Systems could have a mechanism to tie into the
database and adjust filters globally to block problem networks/hosts in
near real-time across the Internet. This mechanism can be used by
administrators to force problem networks to clean up their act or stay
disconnected (Yeah, I know this could have serious technical issues, but I
can dream, can't I?). It can also hinder widespread scans after a new
vulnerability has been reported but patches have not been developed, etc.

> We're aware of the CIDF work that IETF and others are doing,
> but don't want to do anything near as top-heavy. I guess the
> goal of the project would be to get some statistics about how
> bad the scanning rate _is_ out there. From what we've learned
> by releasing BOF it's _LOTS_ worse than I thought.

I wrote my PortSentry tool (http://www.psionic.com/abacus/portsentry)
after an evening of getting probed multiple times. Since the tool has been
deployed I think people are starting to realize how bad the problem really
is. I can promise just about anyone that if you take a stock Unix system
and put it on a network unpatched that within 48 hours you will be
cracked. The concentration of attackers has reached a truly epidemic
proportion on the net.


> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr


-- Craig
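The kind of collector the thread sketches (hashed source addresses, counts per class C, scan-type counts, and the order in which ports were walked so automated tools can be recognised) can be prototyped in a few dozen lines. The block below is an added example, not code from Back Officer Friendly, PortSentry, NFR or either poster; the log lines, the field layout and the `SITE_KEY` secret are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample probe records (not real data): timestamp, source IP,
# destination port, scan technique as a sensor might label it.
SAMPLE_LOG = """\
1999-05-01T00:01:02 10.1.2.3 21 connect
1999-05-01T00:01:03 10.1.2.3 23 connect
1999-05-01T00:01:04 10.1.2.3 25 connect
1999-05-01T00:01:05 10.1.2.3 80 connect
1999-05-01T00:02:10 10.1.2.77 21 connect
1999-05-01T00:02:11 10.1.2.77 23 connect
1999-05-01T00:02:12 10.1.2.77 25 connect
1999-05-01T00:02:13 10.1.2.77 80 connect
1999-05-01T00:05:00 192.0.2.9 80 syn
1999-05-01T00:05:01 192.0.2.9 21 syn
1999-05-01T00:05:02 192.0.2.9 143 xmas
"""

# Hypothetical per-site secret: the submitting site keys the hash so the
# central collector can correlate repeat sources without learning, or being
# able to brute-force, the real address space.
SITE_KEY = b"example-site-secret"


def pseudonymize(ip, key=SITE_KEY):
    """Keyed hash of an address: stable for one site, opaque to the collector."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse_records(text):
    """Turn the whitespace-separated sensor lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, kind = line.split()
        records.append({"ts": ts, "ip": ip, "port": int(port), "kind": kind})
    return records


def aggregate(records, key=SITE_KEY):
    """Build the three correlations discussed in the thread.

    by_net    -> probes seen per class C (/24) network
    by_kind   -> probes per scan technique (normal/stealth/odd packets)
    port_order-> pseudonymized source -> ports in the order they were hit
    """
    by_net = defaultdict(int)
    by_kind = defaultdict(int)
    port_order = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        net = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        by_net[str(net)] += 1
        by_kind[r["kind"]] += 1
        port_order[pseudonymize(r["ip"], key)].append(r["port"])
    return dict(by_net), dict(by_kind), dict(port_order)


def tool_signatures(port_order):
    """Group sources by the exact port sequence they walked; two sources
    sharing a sequence are a hint that the same scanner script is in use."""
    sigs = defaultdict(list)
    for src, ports in port_order.items():
        sigs[tuple(ports)].append(src)
    return dict(sigs)


if __name__ == "__main__":
    nets, kinds, order = aggregate(parse_records(SAMPLE_LOG))
    print("per /24:", nets)
    print("per technique:", kinds)
    for seq, sources in tool_signatures(order).items():
        print(f"port sequence {seq} seen from {len(sources)} source(s)")
```

Reverse lookups are deliberately left out so the block runs offline; a real collector would resolve the source address before hashing, since the hash destroys that ability downstream.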

