
SANS ISC: The end of the trend - SANS Internet Storm Center


The end of the trend
I used to be an avid reader of the port statistics of my firewalls, because I can remember a time when they actually told me something. Lately though - it must have started in the second half of 2006 - I've come to the conclusion that the daily stroll through the firewall stats isn't worth much of my time anymore. Purists always considered "enumerating badness" one of the dumber things to spend your time on, but the fact is that statistical analysis of firewall drop logs did in the past successfully act as an early warning system for new nasties. My guess (and your opinion is of course entitled to differ) is that those days are past. Looking at my firewall stats, I see lots of things making their way to the top of the trend radar and blinking at me in scary red. Investigation turns up - who knows what, some botnet gone wild, some kid boldly scanning the port no kid has scanned before. For the past few months, the things on top were invariably neither a trend nor a new attack, simply a random escape of the Internet's intestinal gas.

What really made me think, though, was the conspicuous absence of telnet scans when the Sun snafu came to light a few days back. My stats, while covering lots of IP space, didn't show the scary bright red upswing of tcp/23 badness that - I admit - I was almost gleefully waiting for. Careful manual inspection then showed that - oh! - the telnet probing did happen at my perimeter, but it was well below the level of all the noise that makes it to the top of the "trend" radar. On one day, when a single IP address from South Africa slowly probed a good portion of my IP space for telnet, we also got slammed by a 2000-nodes-in-parallel scan for tcp/17458. And. And. Enough to make the telnet thingy rank at position 84, way below my attention span.
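To illustrate the point above, here is an added example (not part of the diary) that runs two rankings over constructed netfilter-style drop lines: the usual hits-per-port "trend radar", and a breadth-of-sweep metric that surfaces one slow source walking the address space. The log format, addresses and the `constructed_drop_log` helper are assumptions for the demo.

```python
import re
from collections import defaultdict

# Field layout of a typical iptables/netfilter LOG line (assumed for this example).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def constructed_drop_log():
    """Constructed sample: one source slowly sweeps 40 hosts on tcp/23,
    while 100 sources each hit 5 hosts on tcp/17458 (500 drops in total)."""
    lines = []
    for host in range(1, 41):
        lines.append(f"kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.{host} PROTO=TCP DPT=23")
    for n in range(100):
        for host in range(1, 6):
            lines.append(f"kernel: DROP IN=eth0 SRC=192.0.2.{n + 1} DST=198.51.100.{host} PROTO=TCP DPT=17458")
    return lines


def rank_by_hits(lines):
    """The classic trend radar: dropped packets per (proto, port), busiest first."""
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[(m["proto"], int(m["dpt"]))] += 1
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)


def rank_by_sweep_breadth(lines):
    """Per (proto, port): distinct destination hosts reached by the single
    busiest source. A lone scanner walking the address space scores high here
    even when a parallel botnet burst dwarfs it in raw hit count."""
    per_port = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            per_port[(m["proto"], int(m["dpt"]))][m["src"]].add(m["dst"])
    breadth = {port: max(len(dsts) for dsts in srcs.values()) for port, srcs in per_port.items()}
    return sorted(breadth.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    log = constructed_drop_log()
    print("by hits:  ", rank_by_hits(log))           # tcp/17458 on top, tcp/23 buried
    print("by breadth:", rank_by_sweep_breadth(log)) # tcp/23 on top
```

Tracking breadth per source is one cheap way to keep a slow, single-origin sweep visible; the diary's own suggestion of trending flows on permitted ports is a complementary, not competing, view.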

As a couple of folks who are more savvy at inspecting network traffic than I am have suggested, trending and comparing the in/out flows on ports that are permitted through the firewalls is of much more value than converting the hits on dropped ports into colorful statistics. They are right - but, alas, as most commercial firewall log analysis tools show, enumerating badness is so much easier to do...
Daniel

ISC Handler
