Domain: dshield.org
Stories and comments across the archive that link to dshield.org.
Comments · 264
-
Use a STICKY honeypot or tarpit that reports
A sticky honeypot (a.k.a. tarpit) can greatly slow down the scanners instead of giving them something supposedly useful (they think) that a "regular" honeypot would do. There's a LaBrea page on SourceForge.
I ran a tarpit under OpenBSD at a large university to protect our subnet. Hardly any department's subnet was protected--fair game to any outside crackers/scanners (or inside zombies). We put LaBrea tarpit on the first (x.x.x.1) address so all scanners got tripped up at our very first address, for hours or sometimes days at a time!
Want to automatically report the offending IP addresses to their ISPs? Check out DShield and their free FightBack program where they notify the ISPs--not you. See some FightBack results.
There are scripts and clients to report the intrusion logs collected from dozens of IDSs, firewalls, routers and log utilities (e.g. Snort, Linksys routers, IPCHAINS, LaBrea). DShield has Linux and UNIX Client Scripts, as well as Windows Clients.
If the script kiddie/scanners are automatically trying to break in, why not automate the abuse reporting, too? Even if the scanner is a cracked zombie, at least they could be notified--could lead to them securing their machine(s).
-
Re:Your firewall....
Become part of the Distributed Intrusion Detection System
DShield -
what to do about this:
Join DShield and keep a good general set of firewall rules, e.g. blocking SSH from any but a few select addresses or netblocks. DShield will send out emails to ISPs with condensed reports on the worst offenders. That system has been labouring a bit recently, so consider a donation while you are at it.
-
Fight Zombies with DShield
One way to fight back against zombies is to submit your data to DShield. They will correlate it and notify ISPs of the worst offenders.
(Plus, the dshield mailing list is right now talking about using all that data to set up a DNS blacklist). -
Ancient (and incorrect) news
First, the incorrect part: it's blocking machines sending trojans, not worms. It would help if slashdot (and the rest of the world) could learn the distinction.
Second, this has been done with worms (not trojans, as in the article) for years, courtesy of DShield. They provide a recommended blacklist of the top 20 attacking IPs.
-
Collaboration with DShield/ISC?
I wonder if they exchange data with DShield.org or the Internet Storm Center (isc.sans.org). These two sites are my primary sources for information like that, and of course serve as "sinks" for all my firewall logs. -
dshield.org
..and how is this any better than, or as good as dshield.org?? -
It must've been a pretty serious issue...
...consisting of multiple infringement reports, else I can't figure why the FBI would be wasting their time.
It's probable that a number of computers on the school's network were compromised and are running 'host' servers via IRC, BitTorrent, etc.
It's much more common these days to get slammed for uploading files, instead of just downloading and possessing "copyright infringing material" unless there's intent to distribute.
I haven't started searching yet, but I'm curious to see if any IPs in the school districts' ranges show up. :) -
Re:So, I suppose the next question is...
I don't know about that. Popups made me block most ads.
:)
you can see the warning here -
Re:So, I suppose the next question is...
Well, look at the site and see for yourself.
:)
People return logs from their routers, there are clients for most systems where you send back the list of denied packets. And they do record when the attacks took place. Example..
But the main focus for the single user is that it sends back daily reports of denied activity against your routers, such as port scanners.
They do have a block list, which is rather short and only contains the worst current offenders over the last 3 days. They are not anal about it like SPEWS. -
Re:So, I suppose the next question is...
Although not quite what you wanted dshield has a page where you can see if your machine has been reported as scanning others.
They also have a banner you can add to your site that shows a warning if the viewer's IP is in the list. But I fear that people will ignore that and mistake it for the "Warning, your machine is broadcasting an IP..." ad that used to run.
also check out mynetwatchman -
dshield and the number of infected systems
I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?
ISC and dshield are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater. -
Dshield too
Dshield also performs a similar service. Between it and mynetwatchman, they do seem to perform a valid service. With the fast-acting worms, they may not be able to do anything on new worms before it is too late, but they are in an excellent position to track trends and they are going to see some of the preliminary scans that go on as someone is testing an early exploit.
I'm waiting for the time that data from those two sources is actually used to track down someone who releases an exploit. I really think it is only a matter of time. -
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS's actively exploited holes vs another OS's potential vulnerabilities. In the time to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house. -
Looking on the bright side too much
Sure it all looks like a time saving worm for all the admins out there, but what it does is very, very bad for the average security on the internet (a figure that has to be around 0,3 already no matter what scale you want to measure it by).
Like all worms that scan all possible hosts randomly instead of simply attacking hosts known to be vulnerable, blaster is advertising vulnerable hosts to the world. A worm could prevent this by checking make and version of the e-mail clients used to send mail in the mailboxes of an infected host and reply to vulnerable ones instead of every host in the address book. Also for webservers the type of webserver serving the pages read during normal browsing of an infected client could be abused to find vulnerable servers. By attacking only hosts very likely to be vulnerable a worm will not only stay undetected for much longer (it won't appear hundreds of times in firewall logs or d-shield), it will also stop vigilante internet users (or their worms) stopping infected hosts by going after their infecting attempts. (providing the worm is undetected, OR very few vigilante net users are running vulnerable systems)
By scanning randomly, infected hosts are advertising their vulnerability to the world. Combine this with recent worms (Nimda and blaster) which opened backdoors for easy entrance, and infected hosts with a fast connection "broadcasting" faster and thus to more hosts is a recipe for attracting script kiddies looking for easy targets for DDoS drones, bounce servers or warez servers.
If an admin were to kick blaster out of a machine taken by a script kiddie after a worm, the extra backdoors, DDoS tools or warez might get noticed and cleaned out, not with this worm! This worm stops and deletes blaster.exe (while leaving the startup registry key, which just might mean everyone could put a blaster.exe in the path for local privilege escalation). If this new worm were to disinfect a host it might leave a perfectly secure unattended DDoS node on the net because no admin noticed something being wrong. ("system rebooted 2 or 3 times, doing fine now, continue playing minesweeper"), this is bad because no matter how good your OS security is, defending against DDoS is tough, especially from these unattended windows systems. If things were really bad you could crack these zombies to get the DDoS clients out, but this worm just might close the last entrance for that. -
Wow, my 1st /.ing
I was *just* surfing D-Shield and was reading a notice about a captured worm. Sure enough, as soon as this article appeared.. the site is DOWN.. that really is something to see, even I get shocked every now and again.
-
Re:Sounds like a good book to have...
snort is great. the one thing that's a pain to set up is to have it report to dshield for aggregation. I wish it would come with a plugin for that.
-
Re:Start here...
And once you get your firewall up and running, join DShield and its mailing list to discuss security topics.
-
Re:Earthlink Abuse Department Rejoices
I always send my beer money to the real heroes of this fight, the ones who do it from the goodness of their hearts.
A few of my favorite examples are:
- MyNetWatchman, firewall incident reporting service. Helps to defray spam by finding and reporting compromised hosts internet-wide.
- SpamCon Legal Fund, to help them further the cause.
- TMDA, The GPL spamfilter that actually delivers on the zero spam, zero false positive promise.
- SpamHaus, who does a great job keeping lists of both servers and spammers, and is very dedicated
- Your Local Food Bank. courtesy of abuse.net who says: "If you feel that abuse.net has been useful to you, please make a contribution to your local food bank, which needs money a lot more than we ever will. Thanks."
- Distributed Intrusion Detection System, another firewall aggregator, maybe the biggest, free to all
-
collaborate
Well, as pointed out earlier, since you posted this on Slashdot, you are not a "closet sysadmin". Collaboration is important. Think about joining a group like DShield ;-) . -
Two months ago?
It's still happening right now! Hilarious ad from MSFT, I wouldn't be surprised if it was actually an Onion parody though. =) I guess it being from MSFT makes it even more hilarious.
-
get it all for free at DShield !
well, if you don't want to pay $50k for some 'virtual' advanced warning, sign up with DShield and get it all for free. Just send them your logs and they will do the same thing Symantec does for you.
-
well, DShield got it all as well, but better
If you don't have the $100k to sign up for Symantec, check out DShield.org and The Internet Storm Center to get it all for free, including the pretty pictures for the boss. -
cooperation: 'out-share' hackers
I like the part about cooperation. Hackers have been doing it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to protect themselves with obscurity.
Systems to share already exist. Just check the "Internet Storm Center" and DShield for a place to exchange logs and ideas. -
Re:Old Idea
Perhaps, instead of trying to complicate our lives with Yet Another New Protocol, you could simply come up with an IDS concatenation system that puts together 'lists' of known DDOS sources at the current moment, and put it into a BGP feed... What a concept! Taking 2 technologies that are known to work, and available to ANYONE that does BGP on the internet, and making it work!
This kind of reminds me of DShield. And I think you're right, if we could automate such an internet-wide distribution of potential DDoS participant hosts then when an attack begins, the victim could invoke "the blacklist" and hopefully cut out a big chunk of the sources.
-
comparison
To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page, around 25,000 Windows hosts are still estimated as CodeRed infected, one year after the event.
According to news.com, at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
-
Attack filter list
You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.
-
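The cron-job idea in the post above (fetch the top-offender list, feed it to the firewall or hosts.deny) is worth one extra step: validate every line before it becomes a rule. The following POSIX shell is an added example, not code from the page or from DShield; it assumes the downloaded list is one dotted-quad network address per line (the "class C" form the post mentions) and embeds a constructed sample, including junk lines, in place of the real download. The URL, file paths and rule style are illustrative placeholders.

```shell
#!/bin/sh
# Added example (not from the page or DShield): turn a downloaded
# "top offending networks" list into firewall / hosts.deny fragments,
# accepting only lines that are a well-formed /24 network address so a
# malformed or tampered list cannot inject arbitrary text into rules.
# Assumption: one dotted-quad ending in .0 per line; '#' lines are comments.

# Constructed sample standing in for the fetched list (e.g. a file written
# by "curl -o /var/tmp/blocklist.txt <placeholder-url>" in the cron job).
SAMPLE_LIST='# comment line
192.0.2.0
198.51.100.0
not-an-ip
203.0.113.0; rm -rf /
10.0.0.999
'

# True only for exactly four decimal octets 0-255 with a final octet of 0.
valid_net() {
    printf '%s\n' "$1" |
        grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}0$'
}

# Read stdin, print only validated network addresses, one per line.
clean_list() {
    while IFS= read -r line; do
        if valid_net "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Emit one iptables DROP rule per validated /24 (review before loading).
to_iptables() {
    clean_list | while IFS= read -r net; do
        printf 'iptables -A INPUT -s %s/24 -j DROP\n' "$net"
    done
}

# Emit hosts.deny entries: tcp_wrappers matches a prefix ending in a dot.
to_hosts_deny() {
    clean_list | while IFS= read -r net; do
        printf 'ALL: %s\n' "${net%.0}."
    done
}

# Number of entries the sample yields after validation (2 here).
count_valid() {
    printf '%s' "$SAMPLE_LIST" | clean_list | wc -l | tr -d ' '
}
```

In a cron job the sample would be replaced by the downloaded file (`clean_list < /var/tmp/blocklist.txt | to_iptables`), and the generated rules should go into a dedicated chain that is flushed before each reload, since the list changes daily and stale entries would otherwise accumulate.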
Lots of infected hosts still out there
DShield's Code Red Anniversary Page has an interesting graph showing scanning activity they've detected from active hosts since the beginning of this year. Some 35,000 IPs still continue to regularly come alive around the beginning of the month, quiet down towards the middle, and then resume the cycle again - the numbers have remained remarkably consistent.
-
Re:Yea, and about CodeRed?
I hear you on this one. My logs report 4-8 per day on average, with about 3 Nimda attacks per week. Due to the amount of time and effort I put into notifying attacking ISPs on the same A, B, and C IP blocks, this number is probably lower than some. I'm also seeing an increase in scans trying to execute "/cmd.exe?/c+dir". (I'm not sure if I should report them or not.)
Of course, while these attacks are geared toward M$, they are attacking my *BSD machine. Perhaps due to so many Linux and/or *BSD machines reporting attacks to DShield and others, all of these M$ attacks are being counted against the non-M$ community.
I had three attacks after Goobles released the Apache exploit. (Well, actually one attack and two scans of my "powered by" page since I had upgraded after the first attack.)
I used to get quite a few SSH attempts, but since blocking most CN domains at the firewall after them (and sadmind worm attempts), they've pretty much disappeared.
The second most prevalent "attack" to CodeRed is formmail.pl scans. When is AOL going to put a sting on the collector at f2@aol.com?
-
Definition of False Positive?
They seem to want a NIDS that somehow magically knows about the systems and services on their network and ignores all attempted attacks that aren't against vulnerable systems. This is like ignoring all attempts at burglary that fail to get inside the door, giving a pass to all the burglars who case your company, or don't have the right tool to defeat the specific lock you use. Yet.
The better attitude is to report all these ineffectual attacks to the likes of Dshield, and help clean up the neighborhood.
-
Started a couple of days ago
I've been noticing a more-than-usual amount of probes to port 1433 on my firewall during the past couple of days, although it seems to have really spiked up since last night. DShield seems to prove this, as their "movie" demonstrates.
-
Re:misleading details
From the dshield homepage:
DShield currently employs as little filtering of incoming reports as possible. Most reports are sent anonymously. We do not know if these logs are truthful, or if the firewall configuration was correct. DShield.org will attempt to protect the identity of the submitter. If you have a question regarding a specific target or source IP, please send an e-mail to info@dshield.org.
Let us assume all the submitters of the data used to create these statistics have the best of intentions and are inserting "real" data. I doubt many of these submitters actually take the time and do enough analysis to ensure "false positives" aren't being imported into the database. For instance, I would bet data collected from snort is one of the most common types of logs submitted. I have used snort enough to know that its portscan preprocessor produces a lot of "false positives". In the end you have a bunch of statistics derived from "dirty" data that are barely worth the bandwidth required to view them.
Bammkkkk -
Hype?
I'm not sure about the rest of the world, but just viewing my IDS logs for today, Nimda and Code Red are the two biggest problems hitting my network. We get about 800 attempts a day on our firewall from machines that are still infected by those two. I tried helping out the sites infected by attempting to let their admins know their servers were infected but I soon found that roughly 1/3 of my day was spent trying to contact an admin, most of which didn't know how to fix it or didn't care. Now I don't bother unless it's something like what happened two weeks ago where I was hit every three minutes with Code Red attempts for over 48 hours from the same host thereby causing my log files to grow to 180 MB and pissing me off in the process. Contacting their ISP (which is my ISP as well) was a joke. I just got an e-mail from their support this morning asking me to send the log files in an e-mail instead of an attachment because they apparently have problems opening a .txt file. It went away after about a week. Checking the dshield.org website showed that the IP in question was apparently affecting a lot of other sites as well. Anyway, as far as I'm concerned, Nimda and Code Red are still a huge problem. -
Not much scanning for it yet.
-
/bin/login - ssh
Even if you only run ssh, you may be vulnerable if you use /bin/login to verify logins.
For details, see the 'UseLogin' option in your sshd config file.
-
Re:Would somebody please mod this guy up?
and DShield.org for very large scale correlation.
-
Re:Hard to install and setup?
no. snort isn't all that hard to setup. But the rule tweaking can be a pain. On the other hand, some of the other systems don't allow any tweaking. And snort is supported by DShield ;-) -
log analysis sites
DShield.org and SANS Incidents are a couple sites that come to mind.
-
A couple of thoughts
STRENGTH IN DIVERSITY!
Linux runs on more architectures than any other OS. Granted most folks run on an x86 but my box that faces the world is a ppc. Obviously binaries compiled for the masses won't get too far on my server. And no worm coder in their right mind would compile the binaries for ppc linux thanks to the N^2 problem. If you run linux on a SGI Octane, Indy, Indigo; Sun Sparc, UltraSparc, 3/60; Mac G3/G4/PPC, se/30, 68040; DEC Alpha, cisco 2501, IBM zSeries whatever you are helping to thwart the threat of a linux worm.
Something else you can do is run LaBrea. I just started playing with it and it's the coolest white hat security program I've seen. Not only will it slow the spread of any worm that scans subnets, but it will also mess with any script kiddies scanning your IP blocks. Take a look at it especially if lots of folks in your shop run II$. -
Finally they are waking up
Finally an ISP that has their act together. This Nimda/Code Red and such business is getting out of hand. Just check how many machines it hit worldwide. However, it would be nice to hear more from Microsoft instead of just have them release patches that don't work.
-
Doh!
Here's what I was just about to submit:
LaBrea - The Tarpit: Keep your friends close, your enemies closer.
- -
With the recent proliferation in worms (Code Red, Sircam, Nimda, etc) beyond either switching to a more secure? webserver or keeping up to date with the patches for your own and hoping that others do the same; approaches to actively dealing with the problem have been limited. One can try to either contact the administrator[s] of the machines infected or take a slightly more risky proactive approach. 'LaBrea' - The Tarpit offers proof of concept? for an interesting open source approach.
Linux today, Wired and Linuxsecurity have covered this developing project, more information is available from Hackbusters here, here, here, here, here, or here.
- -
I'm off to sulk. :) -
Like dshield?
records IP/port numbers and type of attack of all hacking and breakin attempts and sends the data back to someplace
Dshield is a system that centralises collection of individuals' firewall logs. Personally, I don't think this approach is of much value, but of course YMMV.
-
Re:More information?
Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?
hmmm, that reminds me. I have to go visit The Red Pacman Menace site. -
Re:Code Red 'counter'
DShield.org, a distributed IDS, would like you to do the following:
grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org
They use this information to notify the owners of the machines of the infection and to track the progression of the worm.
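The one-liner quoted above mails every matching log line as-is. As an added example (not code from the page or from DShield), the POSIX shell below makes the same `default.ida` selection from an Apache common-log-format file and, before anything is mailed, summarises how many probes each source address sent, which is what an operator wants to see when deciding whether a run of hits is one infected host or many. The log lines are constructed samples in the style of Code Red requests; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or DShield): select Code Red probes
# (requests for /default.ida) from an Apache common-log-format access log
# and count them per source address.
# Assumption: CLF layout, source IP in field 1, request in double quotes.

# Constructed sample log lines (same shape as Code Red probes in 2001).
ACCESS_LOG='192.0.2.7 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 324
198.51.100.9 - - [19/Jul/2001:14:05:40 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.7 - - [19/Jul/2001:15:10:03 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 400 324
203.0.113.4 - - [19/Jul/2001:16:47:59 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 289
'

# Same selection as the page's pipeline, but a fixed string rather than a
# regex so the dot in "default.ida" cannot match other characters.
red_hits() {
    grep -F 'default.ida'
}

# Probes per source IP, busiest host first: "<count> <ip>".
red_summary() {
    red_hits |
        awk '{ n[$1]++ } END { for (ip in n) printf "%d %s\n", n[ip], ip }' |
        sort -rn
}

# Number of distinct probing hosts in the input.
red_hosts() {
    red_summary | wc -l | tr -d ' '
}
```

To reproduce the page's report you would run `red_hits < access_log | mail -s 'APACHE' redalert@dshield.org`; `red_summary < access_log` first shows whether a spike is one persistent host (the 48-hour case another commenter describes) or a broad infection, and the constructed sample above yields two hosts, with 192.0.2.7 responsible for two of the three probes.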