A Day In The Life Of A DShield Sensor - SANS Internet Storm Center

A Day In The Life Of A DShield Sensor
This weekend has been pretty smooth with respect to security incidents, so I thought I would show everybody what my DShield sensor is telling me about the unsolicited packets coming to my home network. I've been submitting packets to DShield for nearly 10 years so I've got a lot of historical data I can look back through. This is very helpful when trying to figure out if something is new, or if it's been here before. Here's what my report from yesterday (November 20, 2010) said: Day: 2010-11-20 Userid: xxxxxxxx For 2010-11-20 you submitted 7763 packets from 1352 sources hitting 3 targets. Port Summary ============ Port \| Packets \| Sources \| Targets \| Service \| Name ------+-----------+-----------+-----------+--------------------+-------- ------+-----------+-----------+-----------+--------------------+----- 6881 \| 7265 \| 1240 \| 1 \| bittorrent \| Bit Torrent P2P 23 \| 76 \| 75 \| 1 \| telnet \| 22 \| 6 \| 5 \| 1 \| ssh \| SSH Remote Login Protocol 14043 \| 16 \| 5 \| 1 \| \| 1434 \| 3 \| 3 \| 1 \| ms-sql-m \| Microsoft-SQL-Monitor 80 \| 3 \| 3 \| 1 \| www \| World Wide Web HTTP 500 \| 34 \| 2 \| 1 \| isakmp \| VPN Key Exchange 5060 \| 2 \| 2 \| 1 \| sip \| SIP 0 \| 17 \| 1 \| 1 \| \| 8000 \| 2 \| 1 \| 1 \| irdmi \| iRDMI 44859 \| 1 \| 1 \| 1 \| \| 49719 \| 6 \| 1 \| 1 \| \| 2304 \| 1 \| 1 \| 1 \| attachmate-uts \| Attachmate UTS 8443 \| 1 \| 1 \| 1 \| pcsync-ssl \| PCSync SSL 45890 \| 3 \| 1 \| 1 \| \| 50129 \| 1 \| 1 \| 1 \| \| 2489 \| 15 \| 1 \| 1 \| tsilb \| TSILB 8880 \| 1 \| 1 \| 1 \| cddbp-alt \| CDDBP 47028 \| 6 \| 1 \| 1 \| \| 50603 \| 263 \| 1 \| 1 \| \| Port Scanners ============= source \| Ports Scanned \| Host Name ---------------+---------------+------------ 88.69.244.106\| 8 \| dslb-088-069-244-106.pools.arcor-ip.net 221.1.220.185\| 3 \| 166.68.134.172\| 2 \| 85.114.130.94\| 2 \| o094.orange.fastwebserver.de 85.192.147.126\| 2 \| 85-192-147-126.dsl.esoo.ru Source Summary ============== source \| hostname \|packets\|targets\| all pkts \| all trgs \| first seen ---------------+-----------+-------+-------+----------+----------+------ ---------------+-----------+-------+-------+----------+----------+----- 1.53.88.8\| \| 971 \| 1 \| 1132 \| 1 \| 11-20-2010 113.22.207.92\| \| 408 \| 1 \| 208 \| 1 \| 11-20-2010 166.68.134.172\| \| 296 \| 1 \| 12492 \| 2 \| 11-13-2010 61.64.224.115\|-net.net.tw\| 80 \| 1 \| 142 \| 1 \| 11-18-2010 99.159.78.228\|cglobal.net\| 58 \| 1 \| 56 \| 1 \| 11-20-2010 118.166.218.29\|c.hinet.net\| 45 \| 1 \| 45 \| 1 \| 11-20-2010 123.0.72.24\|3.cc9.ne.jp\| 44 \| 1 \| 47 \| 1 \| 11-20-2010 41.133.190.65\|.mweb.co.za\| 42 \| 1 \| 103 \| 1 \| 11-18-2010 84.252.32.21\| \| 41 \| 1 \| 82 \| 1 \| 11-18-2010 82.226.17.57\|.proxad.net\| 39 \| 1 \| 74 \| 3 \| 10-29-2010 68.5.169.151\|.oc.cox.net\| 38 \| 1 \| 83 \| 1 \| 11-15-2010 77.76.128.133\|ilinkbg.com\| 36 \| 1 \| 43 \| 10 \| 11-13-2010 213.109.234.208\| \| 36 \| 1 \| 80 \| 1 \| 11-15-2010 114.156.127.176\|a.ocn.ne.jp\| 36 \| 1 \| 122 \| 4 \| 10-26-2010 58.114.142.76\|giga.net.tw\| 34 \| 1 \| 107 \| 1 \| 11-15-2010 41.236.243.205\|.tedata.net\| 34 \| 1 \| 39 \| 1 \| 11-20-2010 111.185.35.37\|albb.net.tw\| 34 \| 1 \| 88 \| 1 \| 11-13-2010 41.200.4.97\| \| 33 \| 1 \| 30 \| 1 \| 11-20-2010 116.49.85.149\|vigator.com\| 33 \| 1 \| 33 \| 1 \| 11-20-2010 84.54.184.2\|lingrad.net\| 33 \| 1 \| 77 \| 9 \| 04-04-2010 As you can see, I've got a lot of unsolicited Bit Torrent traffic, and quite a few intruders trying to telnet into my home system. All of these packets are dropped by my firewall, logged, then sent to DShield once an hour. In a perfect world I would not be seeing any SYN packets coming at my house since I'm not running any servers here. The large number of Bit Torrent is troubling, but I'm sure that it's because whoever owned the dynamic IP assigned to me was a Bit Torrent user and all of his peers are trying to reconnect. So what does your home DShield report look like? Getting anything you should not be seeing? In fact, are you submitting DShield data from your home network? If not, please do so! We can use all of the packets we can get, and doing this at home is a snap. The instructions are on the DShield site, and if you have any questions just let us know. We run a discussion list on Google Groups, so be sure to sign up for that too. Let us know how you use DShield via the comment link below. Marcus H. Sachs Director, SANS Internet Storm Center	Marcus 301 Posts ISC Handler
Reply Subscribe	Nov 21st 2010 7 years ago
A static DSL IP helps a lot to avoid rogue p2p traffic My IDS logs show the usual web exploits (mostly forum hax), spam relay searchers, and what disturbs me a bit: an ever increasing amount of ssh bruteforcing, mostly from sources in .ru and .edu. Shouldn't the latter have a decent level of network security? Seems several unis have wired their dorm networks directly to the 'net. Annoying, to say the least. If my router logs were a bit more machine parseable, I'd dshield them..	Anonymous
Reply Quote	Nov 22nd 2010 7 years ago