Starting mid October, we did see a jump in the numbers of "source IPs" recorded by DShield. "Sources" are essentially the sources of packets dropped by firewalls and reported to DShield. While there are some false positives of course (so I wouldn't go as far as to say that all of these systems are exploited), the majority of these systems is typically part of a botnet or infected with the worm of the day.
For the last few months, he number of source IPs hovered at around 1 million per day. However, as of Oct. 18th, this number all for sudden surged to about 1.6-1.8 Million.This coincides with a dramatic increase in spam. While I haven't had a chance yet to exactly correlate this with spam numbers, the time looks suspiciously similar.
Note that the number of source IPs in our database not only correlates to the number of infected systems, but it is also related to how aggressively these systems scan. We did see one trend over the last year where infected systems scan less aggressively as they used to. This is somewhat part of the shift from random worms to more intelligent bots.
See below for a graph of source IPs vs. date for the last month. Note that this is still work in progress. We did not have a chance yet to eliminate all possible errors like a skewed submitter, an error in our data interpretation or the like. But the number of sources has been very steady since June (second graph shows the longer term numbers).
Update: A bit more analysis.... it looks like not all submitters are seeing the same increase. So either this is target, or there is some skew in the data. Some of the users seeing big increases are long time submitters.However, one particular new user reported from 900k sources! So this could very well cause issues.
Update(2): even after removing the suspect submitter, we still see a significant increase. So a lot of the 900k sources reported have also been reported by others. The total without the suspect submitter is about 1.2 Million sources post Oct. 16 (900k before).
I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022
Nov 7th 2006
|Thread locked Subscribe||
Nov 7th 2006
1 decade ago