Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Collecting Logs from Firewalls to Detect Crackers 138

Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them in a database. The point is to single out script kiddies that scan large IP segments. It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users. Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."
This discussion has been archived. No new comments can be posted.

Collecting Logs from Firewalls to Detect Crackers

Comments Filter:
  • could be a useful site if the php didn't keep breaking.
  • I see a lot of netbios attacks... (139) and a lot of broadcasts to port 137. These are often windoze users who haven't wised up and are allowing their machines with file sharing do "network neighborhood" brodcasts looking for other machines...presumably on the same network. I even see broadcasts with destination addresses other than mine, but they're within the same subnet mask. I have to use some windoze stuff for my job, unfortunately, but I make sure that I filter those ports out both for ingress/egress. Since sometimes co-workers will drop by and just "plug in" to my network to be online, my filters protect them as well, even if they haven't turned off windoze file/print sharing.
  • The /. effect in action,

    Just went to the site and got;

    "Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow"
  • a guy i know, ok hes a prof of mine, set up his firewall so that if he was scaned, he would do a really nasty saint scan against the scannner.

    he had to stop when he got nasty phonecalls from @home asking why their machine would crash whenever they scaned his ip.
  • making some @home guy lose his account..

    sure! If @home even gave a shit about what their users do. I tried to report an @home user this summer for flooding my poor 56k connection and they ignored me. My ISP wouldn't give me a static IP to block it at the router, so I was basically screwed.

    doing something like this really doesn't help anyone. The ISP's have to cooperate (on both ends) and they normally don't care to.

    I wish that people would stop being gay and just use the net for what they should.

    That is just my worthless .02
  • Good point about spoofing; though because I spoke with @Home about it, and they stated that they did it, I would lean toward the DNS server being the culprit. All I can really do is to try to decode a packet and see if it shares the same MAC address as the router (not on same subnet as DNS server). If the same, I can't rule it out, if different, you are dead right.
  • Along with the IP of the offender the time is also logged -- granted, this means that you have to keep your clock in sync on your firewall. Using the IP and the time it occured it should be relatively easy for the ISP to hunt down whoever was using that IP at the given time.

    Justin Buist
  • You are right, was smoking crack when I said ACK. I haven't decoded a rogue packet yet, anyways. Though I was under the impression all a port scan did was send SYN packets out and wait for a SYN/ACK; it didn't bother with looking for the RST or trying to complete the 3-way handshake. If a SYN/ACK is received you got an open port, if not, you move on.

    Thanks for the correction!
  • Sorry, but the use of 8080 is rather obvious to me. I have one bizillion software trying to bind on that socket.

    But what's 2048 used for? A Trojan?

  • No problem! Though "trying on 53" comment lost me; what do you mean?

  • I've looked into this topic for a while, and there's one piece of advice about honeypots that none of these articles ever mentions: Don't put a honeypot on a network that you don't want attacked.

    It seems obvious, but I've talked to folks who were proudly saying that they were implementing honeypots on their production networks to make sure that they caught the kiddies.....great....yeah, let's just invite the kiddies right into your private network...that's a great idea. Remember folks, honeypots are fun...but only if there's absolutely no way that an attacker who gets in to the honeypot can do any *real* damage.

  • From the port list at http://www.isi.edu/in-notes/iana/assignments/port- numbers [isi.edu]

    • dls 2047/tcp
    • dls 2047/udp
    • dls-monitor 2048/tcp
    • dls-monitor 2048/udp
    • A DLS server is a Dynamic Lookup Service server that is used by Netscape Conference to find out who's logged on to to a particular audioconference or videoconference.

      No trojans use those ports as far as I know. Maybe some l33t hax0r has a script that hacks a DLS server for some reason?

  • by 0xA ( 71424 ) on Monday November 27, 2000 @01:25PM (#597913)
    The reason you are you get so much NETBIOS traffic has nothing to do with being scanned.

    When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).

    When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.

    I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.

    Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.
  • by aozilla ( 133143 ) on Monday November 27, 2000 @01:26PM (#597914) Homepage
    Gee, these are the people who are worried about people scanning them, so they send their logs about the scan to a site that doesn't even have enough money to withstand the slashdot effect? Can you say stooooooooopid?
  • What good does this do, exactly? So I guess @home and RR are always going to be at the top, since they constantly scan their customers. This will also put many IRC servers in the list, as they tend to scan for compromised machines. I honestly do not see how a scan from some kid who just downloaded his first copy of Back Orifice is a concern to me. If they were actually able to differentiate between actual attempted attacks and actual port scans, then I could see this being worth something.
  • by Phaid ( 938 ) on Monday November 27, 2000 @11:15AM (#597916) Homepage
    This is unfortunately going to become completely useless really fast, unless the people running the site take some active measures.

    At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).

    When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.
  • better yet, once you have identified one of the bastards, nail'em with a ddos! sweet justice...
  • I understand the advantages of having a collection of data collected by your firewall in a centralized location but wouldn't this also permit computer criminals to see which attacks do not go unnoticed. Besides shouldn't an admin take responsibility and do log analysis themselves. I mean on large-scale networks it is totally impractical but still. One can't rely totally on these measures. :D
    .--bagel--.---------------.
    | aim: | bagel is back |
    | icq: | 158450 |
  • yeah, what you really need are multiple accounts. then your mod points can really be put to good use.
  • Someone moderate up that A/C... I would if I could (but of course I can't).

    That is a valid flaw in my reasoning. Fortunately, DDOS is not extermely easy (or else you'd see most of the net down weekly) right now. Unfortunately, with the vast proliferation of vapid sysadmins and closed source NOSs I think DDOS is going to become a major problem for ALL kinds of services on the 'net (not just the loss of service, but the permanent vandalism or destruction of service that can happen with faulty database information).

    Sorry, its late and I can't come up with a decent solution to this problem today. Maybe later... :-)
  • Don't have a Linux firewall (YET), but wouldn't

    ipchains -s $scanner -p tcp -d $ipaddress ALL -j DENY
    ipchains -s $scanner -p tcp -d $ipaddress 53 -j ALLOW

    be a more elegant solution? (assuming you can block everything off, except port 53, and that the rules regarding precidence allow it) While I had originally stated that only 4000-6000 were hit, trust me; I got scans on top of scans of top of scans.

    Admittedly, my ipchains experience is very fictional; though with DrawBridge for the secure BSD (Open? Free? I forget) you could do that.

  • ZoneAlarm rocks!!
  • True, but I really doubt that many sites think, "Hmm, I'm probably going to be /.ed pretty soon, I better add some protection into my httpd.conf". Without a warning, it's not the site's responsibilty to protect itself from some "unknown penguin-worshipping nerd news site" that a great many people, believe it or not, have never heard of. Furthermore, non-news links originating from slashdot, such as links in comments, or signatures would be filtered out along with /.ed urls from news posts. And as you already said, this won't stop the DOS, because merely typing the url into the location/address bar will give no referer.
  • Taking IP chains generated log lines makes for a nice little DoS of dshield.org once enough people figure it out. IP chains' kernel messages log one line per packet.

    Much more sensible is encouraging use of a proper logging package, i.e. iplog v2, with a good ruleset to remove false alarms.
  • by Anonymous Coward
    And neither is port scanning. If you don't want your box port scanned then take it off the internet.
  • The SANS Institute GIAC (Global Incident Analysis Center) has been doing this sort of thing since before Y2K. Its continually run and moderated by the leading intrusion detection professionals in the world (namely Northcutt, Breton, Pomeranz, Novak, etc..). Check it out [sans.org] Sorry, Intrusion Detection is an art, and requires alot more than posting firewall logs and using nslookup. -Thang
  • I'm also inclined to believe the nameservers are not portscanning you. Here's a brief (and incomplete) explanation of how a nameserver works.

    When your computer wants to look up an address using DNS, it will send a UDP "question" packet from some "high" port to port 53 of the nameserver. Then, after doing some magic to determine the address, the nameserver sends back a UDP "response" packet to the high port on your computer it got the question from.

    So, if you're getting a UDP packet from port 53 of a nameserver to a high numbered port on your machine, it generally means that either: 1) you sent a "question" packet to the nameserver, and it is politely responding to you, or 2) someone else sent a bogus "question" packet to the nameserver, but managed to spoof your IP instead of their own into the header of the packet, and the nameserver is politely responding to you, or 3) someone else is sending a bogus "response" packet to you, but managed to spoof the nameserver's IP instead of their own into the header of packet.

    There are probably a number of ways #2 (reply's to a question you didn't ask) could occur, ranging from normal network entropy, to some random dude mistakenly misconfiguring his machine, to some eleet hacker d00d sending out bogus "question" packets to the name server intentionally. With some imagination, I can construct scenarios where both #2 (spoofing the origin of the question) and #3 (spoofing the origin of the reply) might be beneficial to a hacker, but not in hacking your box. My imagination is fairly limited, though.

    To answer your more specific questions:
    • It is possible to send a packet to one IP of a multi-ip machine, and get a packet back from another IP of the same machine. This might trip your firewall. If "shouldn't" happen with a DNS server, but "shouldn't" and "can't" are two entirely different words.
    • If you want to find the format of a DNS packet, check RFC 1034 and RFC 1035. The biggest tip off that you're looking at a DNS packet should be that it originates from port 53 on the nameserver.
    • I would be very, very reluctant to say that "10 ports in a 20 port (high) range" indicate a port scan -- generally, people who really want to root your machine will only try a small handful of (low) ports corresponding to vulnerable services, and leave the rest untouched.
    • If you're seeing only a single "ACK" TCP packet, then someone sending out packets while poking into their TCP stack at a level deep enough that you shouldn't trust ANYTHING contained in that packet -- definately not the IP address, and perhaps not even the MAC address. If someone is on the same wire as you, then it is possible they could be sending out a series of packets with spoofed originating IP, and just passively sniffing on the wire to see how your machine is responding. (I don't know enough about cable modems to know how hackable the networks are, though.) If this is the case, the @Home nameservers have nothing to do with these packets.

    But I'm inclined to believe that these packets are nothing more than standard DNS packets, possibly being returned from the "wrong" IP of a multi-ip'd nameserver. You probably have nothing to worry about.
  • by Anonymous Coward
    It'd be interesting to see if/when this thing gets big, you could possibly cut off an innocent person from sites utilizing this by running psuedo scans under their ip (spoofing their ip).

    Example:
    running "nmap -S<target-ip> -e eth0 -sS -P0 -F '24.*.*.*' " would pseudo-scan a large block of cablemodem ips with target-ip. Assuming a lot of people picked it up and reported it, target-ip would be blocked from a number of sites without ever really doing anything.

    Course the whole packet spoofing thing _should_ be fixed in IPv6, but who knows when that's gonna happen.
  • It's their network; so, they are probably legal running port scans. If they found an FTP port open and tried to pull some data off, then you would have them.

    If you really want them to stop, play dumb, pretend you don't know it was coming from their machines and report it to their abuse department. If enough people do that, they'll decide it isn't cost effective and stop doing it.
  • by mwalker ( 66677 ) on Monday November 27, 2000 @11:01AM (#597930) Homepage
    It's a scoreboard for script kiddies!

    They're gonna spend all day trying to get their box to the top of "most active attacking IP".
    Like getting a slashdot fp...
  • Bugger off, I'm just pleased they aren't disguised goatse.cx links, like EVERY FRIGGIN OTHER comment with links that gets modded "informative".
  • To enhance my above trick, let them scan themselves for you.

    Turn up the OS level on Samba, enable Browse Master and Local Master, set it to share squat over the public Ethernet addy. DHCP ensures you can snag the correct machine/domain/workgroup. Snag all the machine names that now appear in your browse list. Import into a script that copies said file into startup and sends a SMB message at the same time.

    I think the list will be shorter next time you run it.
  • by bl968 ( 190792 ) on Monday November 27, 2000 @11:18AM (#597933) Journal
    InfoWorld had an interesting article [infoworld.com] on the success of using easy to hack systems to trap and analyze hacker attacks

    Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. [infoworld.com] is also on InfoWorld

    The site these articles are based off of is located here [enteract.com]. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds
  • or if this service starts to bug the script kiddies they just set up a few boxes to autosubmit garbage and BS logs, and flood the database with rubbish making it a useless tool.
  • Why so many on 8080. Looking for a proxy server to anonymize their surfing?
    --------
  • by FeeDBaCK ( 42286 ) on Monday November 27, 2000 @11:20AM (#597936) Homepage
    Quite honestly, this is why Managed Security Providers are becoming more popular. You pay someone else to monitor your company for attacks. Most companies cannot afford to staff their own network security team to audit security on a regular basis and to watch logs in real-time.
  • If routers, gateways, and firewalls are collecting data to track crackers, what else are they doing with that data? maybe logging what IP address goes to what site for marketing purposes. Or for political blackmailing. If these machines are collecting data, maybe they ought to have a privacy policy and offer me a chance BEFOREHAND to opt out, or route around the offending router. This information should be obtainable via a traceroute. And what about Truse-E certification?
  • by Bob McCown ( 8411 ) on Monday November 27, 2000 @11:21AM (#597938)
    It might keep them out of our hair, though. Maybe they'd be too busy attacking each other to worry about the big sites...

    I just had a thought (Yea, I know, first time for everything). Would these very same script kiddies on cablemodems be called @homeboys?

  • It sure would be nice to substitute a shell script or a small C program for that Perl script. Many folks run full Linux distros on their desktop and relegate the firewalling duties to small routers running something like LRP [linuxrouter.org] without software packages as huge as Perl.
  • Is this really a good idea? I keep thinking there has got to be a security hole in here someplace. I can't figgure out where, but I can't convince myself that there isn't some risk (not nessicarly security though that comes to mind) running this.

  • If you are on AOL, then you'll need more than Black Ice to save you.
  • Find it at:

    http://www.insecure.org/nmap/index.html

    right? I didn't read the specs on it; I thought it's main use was fingerprinting OSes remotely by TCP/IP stack analysis. Thanks for the tip!
  • Nah... a portscan might just send an "ACK", too. In fact, a cracker could be sending just about anything, including bogus source IP addresses, even if its to do nothing more than figure out how your firewall is filtering out packets.

    But if @Home is actually responsible for the packets, I can't imagine any reason they would do anything besides check to see if the port is open and unprotected, and the simplest way to do that is to try to set up a plain, vanilla connect() scan (beginning with a "SYN" packet, not an "ACK"). If anything as "clandestine" as unexpected bare "ACK" packets show up from random @Home hosts, I'd be suprised if @Home were actually responsible (unless they somehow hired an incompetent script kiddy as a sys admin, which might not be that suprising).

  • I'm not the original poster, but I'd just like to say thanks for the enlightenment. DSL is coming my way soon so I'm trying to brush up on firewall issues so as not to get burnt.

  • The problem then being that for @Home subscribers (like myself), you can't block the addresses for @Home servers.

    As an @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers (either primary or secondary, forget which one). When I phoned to complain, here is the reasons I got for it:
    1) They were verifying my connection.
    2) They were checking to see if I had any illicit servers in that range (from UDP 4000-6000, got to make sure that I don't have a rogue licensing server there)
    3) They were sending packet data to my cable modem, NOT my computer.

    After I heard excuse number three, I realised the advanced level of stupid I was dealing with, and promptly disengaged the phone call.

    Still leaving me with the original problem; that @Home's DNS servers are port probing me.

    What are the legal ramifications of this? This is unwanted traffic; doesn't that constitute cracking? Isn't that illegal? Can I talk @Home to court for this?
  • Could someone please explain how ones happiness or sexual orientation (depending on use of gay) is in any way related to packet flooding, port scanning or 'use the net for what they should.' ? Thanks, Michael
  • Let me write the text of the letter for you:
    Dear @home:

    Your nameservers are sending packets to my computer, and I would like it to stop immediately.

    I realize that ever "name" on the internet is associated with network "addresses". Further, I realize that nameservers are vitally important for mapping those names to network addresses, and that these addresses are fundemental to the operation of the internet. However, I would like your nameservers to communicate the network addresses of hosts on the internet without connecting to my machine across the network, or sending information directly to my machine in any way.

    I would be much more comfortable if you would simply mail me the current network addresses for the hosts I wish to visit -- I've included 132 self-addressed, stamped envelopes for this purpose.

    Thank you,

    [Signed] Clueless.
  • hehe yeah.. dont blacklist the clueless 14 years old Back Orifice scanning bitches, cos they'll be great hackers in the future. whatever.
  • by Anonymous Coward
    Bad analogy.

    The security of his neighbor's houses doesn't directly affect him, or his security (though it could indirectly encourage burglars to try his house also). However, an insecure web-server - which would contain his personal information, likely including credit card details - would have a direct effect on him. Therefore, running your own tests is a reasonable thing to do.

    It's comparable to a credit company running checks on you to see if you are trustworthy.
  • 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute)

    You are not allowed to run an NNTP server?

    --

  • not a counter measure, just a tool.

    besides, most hackers are naive script kiddies or knowledgeable but naive *nix users. Sure there are some talented and gifted folks out there, but just look at the ones who get caught and become darlings of the press. If it cuts down on the number of script kiddies who pull off the amazing feat of bringing down a website, i say use it.

    --
  • Using the IP and the time it occured it should be relatively easy for the ISP to hunt down whoever was using that IP at the given time.

    Public Service Announcement: Log entries are usually recorded using your local time, so you should always include a mention of your timezone when mailing the ISP your logfiles.

    As for dshield.org, according to this [he.net], their internal format doesn't bother with the time of the incident; only the date. This, unfortunately, means that dshield is pretty impotent when it comes to dealing with dynamic IPs. If I remember, I'll try getting in touch with the guy who's running it after the Slashdot tide dies down. If run properly, I could see this easily becoming the anti-script kiddie equivilant to SpamCop [spamcop.net].

  • When I was in the Hofbrauhaus two sumers ago, they actually had a coin-op BAC meter near the restrooms. Yes, there were contests.
  • >Is there anyway to make sure that this will not happen?

    Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.

    While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.

    You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.

    A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.

    They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]

    Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.

    I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...
  • I know a small porportion of people who use something being "gay" as it being stupid. AFAIK it has nothing to do with the sexual orintaion or happieness of said individual, or company, but just that it's stupid. I know that South Park uses that phrase that way as well. I don't believe that there was an insult to gays (I believe he would use the word "faggot" in that case)

  • by Patrix ( 6567 ) on Monday November 27, 2000 @11:34AM (#597958) Homepage
    That may be all good and well (taking into consideration what others said already...)

    But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...

    Patrix.
  • And what they will get with this? The Bad Boys List? Another base for Katz to write "Voices on Hellmouth, Part X"? Most script kiddies who do large scans are what they are - KIDS! So I don't see the line, except that this will be another base to harass teenagers who may later turn into something or somebody, but who are put in the corner right from start... Most of these kiddies are people eager to learn something and to get into the computer farmland. However, they go the script buzz harassment because of the mass media, Holywood and the urban legends poisoning their brains and telling them that being underground is the way for the hacker. And while there is some truth on this, it does not mean that script kiddie should harass 10000 users to reach illumination. On the contrary. But it is not this way that we will help kiddies to understand the wrong sides of playing scannings, exploits and other stuff. We will only marginalize them. Put them in a black list. It will look much like those black lists in the 30's, 50's, where very intelligent people was marginalized because it had some schizo on leftist ideas. That's what will happen.

    We know how the hacker community was born. We know that we are not saints, but our sins do not give the right to someone to outlaw people, because there were/are mistakes being made. I myself broke/crack/hacked things 15 years ago, much the same way these kids play now. I know that some of my best colleagues and friends were among the darkest crackers at the beginning of the 90's. To be sincere with you people, I also passed a good time, somewhere in this world, as some "The BlackStar" on the dark underground of the hacker community (Hey I'm not hijacking names, I know that there are a few BlackStars and some are much more notorious and thougher than me, but I choose the name originally. In fact, I still use it but in other translation). Frankly to the script kiddies I would say one thing. Yeah it is great to scan and crack things. But that's child's play. Frankly people didn't worry too much about such kind of things. The worse is not when you destroy but when you build. Because it is much harder to do it. And the worst of all when you show that you're damn good at buidling something. That was the moment when bullets started to fly around, because for some people it is better to live on the swamp of ignorance and mischief. Cracking and breaking programs gives some knowledge, but you don't get far with it. Wanna be a hacker? A damn good hacker? Stop harassing your neighbour as he has ten other kiddies to deal with. Build something, help people. But beware, that's the time when other will start to really envy you and be scared of you... Knowledge is a dangerous weapon to live with.

    I would act this way. Meanwhile, such lists, are only ground for a new "geek jerks" generation. buy a mug with a penguin, install Linux (after tenth attempt with some help from the side), and say you're in the community...


  • > so when you move into a neighborhood, do you
    >twist everyones doorknob and car door and try to
    >open everyones window, just to "know
    > what kind of security they have in place"?

    Before I loan you any equipment, I'd like to know
    that you keep your doors locked, etc.

    And at a professional level, I like to make sure
    that you can be a responsible caretaker for musical instruments, recording gear, etc.

    As a neighbor, I wouldn't loan you any tools if I
    thought you'd leave them out in the driveway, or in an unlocked garage.

    How is this "twisting doorknobs and trying to open windows?"
  • And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...
  • by Marc Boucher ( 235490 ) on Monday November 27, 2000 @02:48PM (#597965) Homepage
    I'm connected with an ADSL modem on a Linux fw. I'm subscribed since last October and until early november I've encountered many NetBIOS scans from fellow clients of my ISP. After some investigation I've discovered that it was in fact caused by a virus/trojan named "W32/QAZ.worm" (for a description read this [mcafee.com]).
    So, I will urge everyone to check their computer, mostly windoze users, for this kind of trojan. It's kind of sticky and fast breeding.
  • Yeah, but this allows for an expansion -- you can send the smallest possible ICMP_ECHO packets to someone using automatic dshield.org reporting, even undersized perhaps, and get them to automatically send 120 bytes for each to dshield.org
  • by Restil ( 31903 ) on Monday November 27, 2000 @03:04PM (#597969) Homepage
    November 28, 2000:

    dshield.org, a new service designed to analyze firewall logs to look for suspicious activity, submitted its own firewall logs for analysis. To their great surprise, they appeared to be the subject of a giant DOS attack that lasted for 24 hours, as out of nowwhere, nearly 700,000 computers around the world accessed the website.
    Due to the enourmous hits, the site was frequently unavailable for legitimate users. Officials suspect foul play, but have been unable to determine a motive for the unprecedented attack. "This is precisely the reason we developed this system; to expose the origins of potential attackers and allow the user to take appropriate action". When asked if it was possible they were simply the victim of the feared "slashdot effect", those allegations were denied. "As soon as our bandwidth returned to normal, we checked out this slashdot.org but saw no mention of the site anywhere on the front page. We checked the logs and found only one refrence from slashdot.org. Although it appears right before the attack began, we are certain that this is only a coincedence.

    :)

    -Restil
  • by Stavr0 ( 35032 ) on Monday November 27, 2000 @11:36AM (#597972) Homepage Journal
    To: authorized-scan1.security.home.net
    From: subscriber@home.net
    Subject: Repeated attacks

    Hello,
    Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
    Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
    Yours truly, @home customer

    From: @HOME tech support
    To: @HOME customer
    Subject: RE: Repeated attacks

    Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
    Pay your fucking bill in full now or we'll TOSs ya.
    @home techie
    ---
    Inanimate Carbon Rod thanks you for your support. See you in 2004!

  • by FeeDBaCK ( 42286 ) on Monday November 27, 2000 @11:38AM (#597973) Homepage
    Those personal firewalls quite frankly piss me off. Yes, you are going to get scanned at some point by somebody trying to exploit something. Most people who run a personal firewall generally do not have much knowledge about network security, or else they would be using a better solution. These personal firewalls do nothing more than scare the user into thinking he is constantly being attacked by the 31337 h4x0rz all over the Internet that are out to steal his goatsex porn on his computer and hack into his bank account to buy a new Ferrari with his account number. There is quite a bit of useful information that can be gathered from these firewalls, but the people that they are marketed towards are not the people who would understand what any of the data means. I would think it would be much better if the firewall designers made it easier to configure. Base the firewalls on service names instead of ports... things like that. I have friends that are on cable who call me or e-mail me almost constantly with snippets from their logs of their personal firewall asking wether or not something is an attack. I would say that almost everything I have ever recieved has been valid data from a host that they were interacting with...
  • This is exactly why public blacklists never work. The entire system is based on the assumption that the data you're feeding into it is valid. However, in reality, you have no idea from who or where the data is coming from, nor do you have any way of telling how much of it has been tampered with other than basing it on the honor system. You can't assume that any of the data you receive is valid.
  • by technos ( 73414 ) on Monday November 27, 2000 @11:42AM (#597975) Homepage Journal
    I used to see that a lot during LAN parties. The easiest way to correct the behavior is to scare them a little; Copying a little VB executable that shows a hard warning into Windows/Start Menu/Programs/Startup/ works on Win9x machines. NT machines are easier. smbclient -M helps them stop, as anyone stupid enough to enable SMB doesn't have a clue on how to disable the Messinger Service.
  • And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...
  • by platypus ( 18156 ) on Monday November 27, 2000 @12:24PM (#597977) Homepage
    Or that

    nslookup slashdot.org
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: slashdot.org
    Address: 64.28.67.48

    Heh,

    root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'

    (hits enter end runs...)

    For those which don't know and are to lazy to look up, an exerpt from nmap manpage:

    -S
    In some circumstances, nmap may not be able to
    determine your source address ( nmap will tell you
    if this is the case). In this situation, use -S
    with your IP address (of the interface you wish to
    send packets through).

    Another possible use of this flag is to spoof the
    scan to make the targets think that someone else is
    scanning them. Imagine a company being repeatedly
    port scanned by a competitor! This is not a sup
    ported usage (or the main purpose) of this flag.
    I just think it raises an interesting possibility
    that people should be aware of before they go
    accusing others of port scanning them. -e would
    generally be required for this sort of usage.
  • this project makes too many assumptions that everyone uses their boxen to sit around and block packets consider that a 10.x.x.x ip address was in the top ten shouldnt that kind of data be parsed out? Along with the potential for faked logs and unreliable data sources, it was a good thought but implamentation requires a bit more effort than a lil perl script that sifts through my logs. I hope they consider the bulk per user submissions when accepting data so as to not have a poisoned database. What about people scanning their own machines for their own security's sake? Or someone who was authorized to do it via an aup if @home scans me because i signed the aup that makes it ok, so if my ip is in the @home network that should not be considered an attack or even an intrusive scan because it was authorized when i signed on for the service. You can see where this is going a whole lot of very subjective data...
  • by Barbarian ( 9467 ) on Monday November 27, 2000 @12:27PM (#597980)
    Looking at my logs, generated by iplog2, I about 5% of the stuff is anything to worry about. The rest is:

    @Home scanning for news servers.
    an occasional ping
    Napster.

    I have my rules set up to the best of my (experienced) ability to eliminate irrelevant stuff. By default, most of the logging packages log everything (i.e. ftp-data connections).

    If you ever read some of the newsgroups where the same users who will be using dshield.org post, you'll see that they don't know how to tell an attack from normal activity. Unforunately I can't find some of the usual "NOTICE TO WHOEVER PINGED ME: SEND ME A PING AGAIN AND I'M CALLING THE FBI AND GETTING YOU CUT OFF FROM AOL NOW LET'S BURN THE WITCH" postings today in athome.discussion-security, but they're usually there.

    The "firewall" programs that most users use don't give them any help in telling the difference between a genuine 'attack' and between their web browser downloading a file using *gasp* an ftp-date connection.

  • On "first glance" at the comments, the top two comments I see are:
    1) Logs can be forged
    2) They're showing the @home portscanners, and reserved netblocks on their top ten (bwuhahaha, look at them, they're so stupid)

    in response to 1) there are hundreds of ways any reasonably intelligent coder could check the submitted data, to make sure the logs make logical sense.

    On top of that, the whole POINT of this service is to identify people scanning whole netblocks, and then submit that report to some other agency (who would then, what? Automatically say, "well, this site said so, let's unplug the little fucker" without doing their own background check? I think not). This is all about COMPILING data, to try to learn some really interesting things about who and how many netscans there are in a given day.

    In my personal opinion, this is a far more useful and important security measure, than anything security focus, or any of the other SUBMISSION based security alert services give, because they're collecting TONS of data.

    Think about it for a minute, if everyone starts submitting their logs, the minor forged log every now and again will be ignored by virtue of the immense amount of legitimate information streaming in...

    on the second complaint: Get over yourselves! Just because you weren't ambitious enough to start a project like this, doesn't mean that you're smarter than they are. Don't you think they'll start to make corrections once they start analysing their data? It takes time, and submissions, people.

    Just think about the potential security gain if this is successful. This is a user driven ORBS database, which could, with a little HELPFUL nudging be very useful for the security minded.
  • As am @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers

    I hate to break it to you, but that's not a portscan. If you are running a forwarding nameserver, put the following in your configuration and I bet anything that will go away:

    query-source address * port 53;

    Basically, you are sending them DNS requests from that port, they are replying, and you are denying the replies. This line makes all DNS queries come from the domain port. They will then shift their replies to be addressed to your domain port.

    @Home does do portscans, yes. But not from their DNS servers. Back when I used to pay attention to such things, they quite annoyed me. But I just blocked 24.0.94.130 (authorized-scan.security.home.net) and they went away.

  • by ichimunki ( 194887 ) on Monday November 27, 2000 @11:49AM (#597985)
    I'd suspect that this is a relic of test logs generated by running portscanners on a LAN to build up a record set for the database. They say the data is not very reliable yet.
  • by wowbagger ( 69688 ) on Monday November 27, 2000 @11:51AM (#597986) Homepage Journal
    Several posts have asked, "How can they prevent someone from faking the logs?"

    It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.

    However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.

    What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.
  • A public blacklist would work if you have enough contributors that you can verify that many of them, including some trusted contributors, feel that the IP in question should be blacklisted. If you can have a reasonable belief that the majority of data on the system is valid, then the blacklist will be more-or-less effective.

    For example, how many people have been framed in such a manner onto the RBL? Sure, there are plenty of cases of people who feel that they shouldn't be on the RBL because they weren't really spamming. But how often do several people conspire to accuse an IP of being a spammer or an unsecured relay just to get back at that IP? Not too often, I imagine.

    Just like any online collaboration, from the RBL to online gaming matchups to /., you can gauge the reliability of the community's input based on a trust rating that you assign to contributors based on their past performance.

  • by Phoz ( 241367 ) on Monday November 27, 2000 @11:53AM (#597988)
    Am I the only one concerned by this?

    A few issues comes to mind:

    Forged logs
    It's very trivial to fake logs to make it appear
    that a attack originated from a specific source.

    Innocent traffic
    I can't count the times I've been wrongly accused of
    "port hunting" after looking for a service on a friends box.
    Even a single ping can sometimes trigger a sites IDS
    and mark my IP as a threath.

    This may be a good idea, but without at least
    some background checking and auditing
    of submitted logs, I wouldn't trust it one bit.
  • They're looking for copies of "wingate" which are a popular proxy on private systems and which keep having new holes discovered.

  • The summary said that ZoneAlarm logs can be posted. What about BlackICE Defender?
  • by Ralph Wiggam ( 22354 ) on Monday November 27, 2000 @12:32PM (#597994) Homepage
    Personal firewalls are an obvious evolution from mainstream virus protection software. How much money has AV software made? I would guess somewhere in the hundreds of millions. How many viruses are really out there in the wild? A few dozen, tops. The only two that have caused real damage in the past few years have been email script viruses that AV packages didn't catch. So now everyone owns at least one AV package and those big companies need to make more money. So they make people think that evil "hackers" are out there trying to steal your financial records and the pictures of your nephew and that super 31337 Budweiser frogs screensaver you have. Sold. My defense to such things is to just have an uninteresting life and very little money. That will stop them every time.

    -B
  • http://dshield.org

    Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow

    ummm.... yeah...

  • Indeed, slashdotting a site is a direct DOS attack, and slashdot should start taking some responsibility for causing so many sites to go offline due to the spontaneous bandwidth increase of the slashdot effect. IMO, every site linked by slashdot should be given the right to deny such a link, and if the site accepts the link, should be offered time to get a mirror up or increase bandwidth. Without such a warning, linking to a small-medium business or personal homepage is the equivalent of tossing a rabbit into a cage of hungry lions and not feeling responsible for the rabbit's instant death.
  • I used to report any sort of scans to my network to CERT/SANS, but at some point there were just too many 'attacks' to keep track of. Any reports sent to the administrator(s) of the domain/IP usually resulted in either no response or "we'll look into it".

    The sites I worked at got portscanned at least twice a day, usually from a cable modem user running Redhat Linux (easily found out by telnetting back to their IP, which has almost every service still enabled). These are script kiddies, and really I don't think I should waste time on someone who downloaded nmap.

    A smart cracker won't blindly portscan your machine, because that pretty much gives him (and his skill) away. I think portscans are a fact of life. The ones to worry about are the quiet crackers, who only give away few signs that they are attempting an attack.

    What is more interesting to me is the signature of attacks. I don't think analysis of this sort can be done by looking at an IP, as you may see a pattern in your firewall logs that involve many IPs or spans many days. The trick is putting all of the information together in some sort of analytical way to determine if it is a threat or not.

  • by Lostman ( 172654 ) on Monday November 27, 2000 @11:03AM (#597999)
    Now, this might strike ONLY me as strange but the service are relying on users to send in their logs?

    The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.

    Is there anyway to make sure that this will not happen?
  • Great... this information could be used to tune one's own firewall to block (unwanted and nosy) portscans from @Home and RoadRunner...

    Charter cable here hasn't started doing that (yet), but if I were an @Home/RR customer, that's exactly what I'd do... 'cause you *know* what would happen if we tried to pr0tsc@n them.
  • by Phaid ( 938 ) on Monday November 27, 2000 @11:04AM (#598004) Homepage
    From the page:

    27/Nov/2000 16:00
    Current Most Active
    Attacking IP: 24.0.94.130


    Then...

    nslookup 24.0.94.130
    Server: localhost
    Address: 127.0.0.1

    Name: authorized-scan.security.home.net
    Address: 24.0.94.130


    Ohh yeah, this is useful information :)
  • It most certainly could.
  • by wowbagger ( 69688 ) on Monday November 27, 2000 @05:41PM (#598008) Homepage Journal
    Hey, I never said a valid e-mail address was a perfect defense against forged data. However, I'd hope they would a) consider any @hotmail.com, @altavista.com, or @yahoo.com address with less trust than a more verifiable address, and b) require several confirming reports, from several IP addresses (even several IP address blocks), before they really got mediaval on them.

    As for the comment about my suggested solution being "a bit extreme": no. A bit extreme would involve molten lead, a funnel, and the services of a proctologist.

    That would only be a bit extreme.
  • Ohh yeah, this is useful information :)

    Except, who authorized it? Did the people it was scanning authorize it? It probably has a (mostly) innocent purpose, but the machine's name doesn't necessairly mean anything :)

    Personally, I think that it's still useful information to know, say, if you don't want home.net scanning your box.
  • by Anonymous Coward
    I can count the number of times I've been accused... 0. I don't just ping em, I nmap em. I've sat back and just nmaped bunches of sites just to see what they have open. Hell I almost had an account at comfedbank.com until I nmapped there web server and saw they were running telnet. Damn straight I'll nmap a banks web server, it's my business to know what kind of security a bank is going to have in place.
  • ...seems they are called Euclidian Consulting [euclidian.com], and offer such services as, hmm, this is odd, the DNS for this site is dns.homepc.org, and oh, wait, that's registered to the same personas euclidian! hmmm, that coupled with the @home port scans being #1 on this list leads to the conclusion, all this is being run out of someone's basement, using an @home connection. Wow, and here I was waiting to save up enough money to buy a real "business" network, but heck, I can just use my cable connection to run my soon to IPO thingy...

    Going on means going far
    Going far means returning
  • by Y2K is bogus ( 7647 ) on Monday November 27, 2000 @12:14PM (#598015)
    #!/usr/bin/perl

    # Linux DShield Client. V 0.0.2
    #
    # This script will extract relevant lines form the log file and
    # send them to 'report@dshield.org'.
    #
    # It should run from cron regularly to look for new entries. See
    # 'parameters' for more details.
    #
    # Parameters:
    #
    $userid="0"; # replace with your userid if you have one.
    $email="none"; # replace with your e-mail address.
    $to='report@dshield.org'; # send log to this address. Change for testing.
    $local_log='/tmp/dshield.log'; # keep a local copy here for revie

    $filter="input DENY"; # we only care for lines that contain this line.
    $state="/var/tmp/dshield"; # file that is used to store length of log file.
    $logfile="/var/log/messages"; # location of log file.

    # setup a halfway safe /tmp file
    srand(time);
    $tmp="/tmp/dshield".$$.rand(1000);

    $last_count=0;

    #
    # the 'state' file contains the length of the log file
    # in lines the last time the script ran.
    #

    if ( -e $state ) {
    $last_count=`cat $state`;
    chmod $last_count;
    }

    #
    # get the current length of the logfile
    #

    $length=`wc -l $logfile | sed 's/[^0-9]//g'`;
    chomp $length;

    #
    # if the log file size 'shrank', we assume that the entire file
    # is relevant. This will not catch log rotations where the
    # log file grows rapidly.
    #

    $last_count=0 if ($length<$last_count);

    $count=$length-$last_count;

    #
    # remove stale tmp files. This should never happen, as
    # the temp file name is generated randomly
    if (-s $tmp) {
    system ("rm $tmp");
    }

    #
    # this line 'does the work' of extracting relevant lines
    #

    system("tail -$count $logfile | grep '$filter' > $tmp");

    # send the file. Only bother if there is something to
    # report.

    if ( -s $tmp) {
    open (MAIL,"| /usr/sbin/sendmail -t -oi");
    print MAIL "To: $to\n";
    print MAIL "From: $email\n";
    print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
    print MAIL `cat $tmp`;
    close MAIL;
    if ($local) {
    open (MAIL,"> $local");
    print MAIL "To: $to\n";
    print MAIL "From: $email\n";
    print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
    print MAIL `cat $tmp`;
    close MAIL;
    }
    }

    #
    # cleanup the temp file and write a new state file
    #

    system ("rm $tmp");
    system ("echo $length > $state");

  • by sckeener ( 137243 ) on Monday November 27, 2000 @12:47PM (#598016)
    I have a suggestion for a poll. (yes, I know this isn't the correct place to submit this, but this article inspired it.)

    Have you ever submitted an article about a company you hate just to create a /. effect?

    Yes, I'm satan spawn.
    No, I'm a virgin or
    No, I was with CowboyNeal at a gay bar.

    I like to read the articles before posting. Unfortunately it's something I rarely get to do because of the herd affect of /.

    got to love /. !!

  • Heck no. Firstly, if they're actually trying to make lists of times/dates/IP's that the kiddies are scanning, then Cool! They should keep their database private for sure, but unless you run the ISP, you won't know WHO is on which IP. Personally, I'd LOVE to see some people getting fined for portscanning. A couple of grand per incident. Don't think so? Picture this. I walk through your neighborhood, and stop at each house trying to open doors and windows. Occasionally, I may use a special tool to open a door or window. If I'm doing that to your house, damn right you're going to want me arrested. Same situation, period!
  • Yeah, I have the same sense that giving out this information somehow creates a security risk as well, especially if it involves me sending logs of anything automatically... but I think this kind of thinking is mostly a desire for security through obscurity, i.e. the less "they" know, the less they will be able to crack my system. The best check would be to examine the output by hand for a while before sending it in and making sure that it seems like valid and useful information. I'm more concerned that if they accept anonymous or lightly IDed reporting that they will be spoofed or spammed in short order, which makes the information suspect.
  • scanner=[ip for @home scanner computers];
    ipaddress=[YOUR IP HERE];

    ipchains -s $scanner -p tcp -d $ipaddress 4000:6000 -j DENY

    Wouldn't that do the trick? (assuming you have a Linux firewall) Better yet, put the -l (log) tag at the end, so if you DO decide to sue, you at least can prove the "hack attempts" made against your machine...

    cat /var/log/messages > /dev/lp0

    I have a Pacific Bell static DSL and while the servers they provide crash constantly, making me use my firewall box for most of my services, (DNS, E-mail, etc) I've had NO TROUBLE AT ALL with stuff like this. They really and truly DON'T SEEM TO CARE what I do! (and if they did, they'd lose my business in a flat second because their services are so horrible)

    (But don't bother trying to call them with a problem - hold times > 2 hours!)

    Like most, I get attacks daily - Netbios 139 being the most frequent, it seems. Since I started dropping ALL icmp packets to/from my public interface, port scans have all but ceased.

    -Ben
  • Hmm. Actually, looking again, there's a much more serious reason I'd call it a crappy Perl script.

    $userid="0";
    srand(time);
    $tmp="/tmp/dshield".$$.rand(1000); if (-s $tmp) {
    sy stem (rm $tmp");
    }
    system("tail -$count $logfile | grep '$filter' > $tmp");

    So...in other words, while running as root, it picks a filename based solely on its PID (easy to guess) and the current time (easy to guess, especially since they recommend running it from cron at scheduled times). They remove this file but then tail into it blindly...if you are quick about it (inbetween the remove and tail), you can create a symlink there and get root to overwrite any file on the system. Bugtraq advisories are regularly issued about this type of thing.

    They also give you a false sense of security in that there is a place to fill out a userid, but it does not use it for anything but the subject of an email. So it always runs as root, though if you quickly configured it you might think otherwise.

  • by Sticky Toejam ( 163390 ) on Monday November 27, 2000 @01:00PM (#598032)
    Map their printer and print out:

    YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT

    Or something similar. If your real lucky you'll see the results on their webcam. :-)

  • I definitely agree that every firewall should include directions to drop packets that appear to be from "outside" that have addresses in the 10.x.x.x range, as well as the other ranges. That's a big part of what these addresses are for, assisting in clearly demarcating between internal addresses and external addresses. And the RFC, if my recollection is correct, suggests that internet routers drop such packets. So while they shouldn't be getting through, they might due to someone else being negligent. If these do show up in your incoming traffic, it sounds like something to take to people upstream-- since they aren't supposed to be forwarding that stuff, since it's either there by accident, or is a deliberate spoof. But in the case of this particular DB, I think it has more to do with the source of the seed data.
  • by Ergo2000 ( 203269 ) on Monday November 27, 2000 @11:09AM (#598037) Homepage

    One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.

    As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.

  • They forgot one letter, the letter p. Namely, they forgot to make the MySQL connections persistent.

    Instead of mysql_connect(), they should've used mysql_pconnect().

    --

Take an astronaut to launch.

Working...