Slashdot Mirror
Collecting Logs from Firewalls to Detect Crackers
Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them
in a database.
The point is to single out script kiddies that scan large IP segments.
It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users.
Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."
could be a useful site if the php didn't keep breaking.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
I see a lot of netbios attacks... (139) and a lot of broadcasts to port 137. These are often windoze users who haven't wised up and are allowing their machines with file sharing do "network neighborhood" brodcasts looking for other machines...presumably on the same network. I even see broadcasts with destination addresses other than mine, but they're within the same subnet mask. I have to use some windoze stuff for my job, unfortunately, but I make sure that I filter those ports out both for ingress/egress. Since sometimes co-workers will drop by and just "plug in" to my network to be online, my filters protect them as well, even if they haven't turned off windoze file/print sharing.
...If it happens, it must be possible!
The /. effect in action,
Just went to the site and got;
"Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow"
a guy i know, ok hes a prof of mine, set up his firewall so that if he was scaned, he would do a really nasty saint scan against the scannner.
he had to stop when he got nasty phonecalls from @home asking why their machine would crash whenever they scaned his ip.
making some @home guy lose his account..
.02
sure! If @home even gave a shit about what their users do. I tried to report an @home user this summer for flooding my poor 56k connection and they ignored me. My ISP wouldn't give me a static IP to block it at the router, so I was basically screwed.
doing something like this really doesn't help anyone. The ISP's have to cooperate (on both ends) and they normally don't care to.
I wish that people would stop being gay and just use the net for what they should.
That is just my worthless
Good point about spoofing; though because I spoke with @Home about it, and they stated that they did it, I would lean toward the DNS server being the culprit. All I can really do is to try to decode a packet and see if it shares the same MAC address as the router (not on same subnet as DNS server). If the same, I can't rule it out, if different, you are dead right.
"Don't mind me cutting myself on Occam's Razor"
Along with the IP of the offender the time is also logged -- granted, this means that you have to keep your clock in sync on your firewall. Using the IP and the time it occured it should be relatively easy for the ISP to hunt down whoever was using that IP at the given time.
Justin Buist
You are right, was smoking crack when I said ACK. I haven't decoded a rogue packet yet, anyways. Though I was under the impression all a port scan did was send SYN packets out and wait for a SYN/ACK; it didn't bother with looking for the RST or trying to complete the 3-way handshake. If a SYN/ACK is received you got an open port, if not, you move on.
Thanks for the correction!
"Don't mind me cutting myself on Occam's Razor"
But what's 2048 used for? A Trojan?
No problem! Though "trying on 53" comment lost me; what do you mean?
"Don't mind me cutting myself on Occam's Razor"
It seems obvious, but I've talked to folks who were proudly saying that they were implementing honeypots on their production networks to make sure that they caught the kiddies.....great....yeah, let's just invite the kiddies right into your private network...that's a great idea. Remember folks, honeypots are fun...but only if there's absolutely no way that an attacker who gets in to the honeypot can do any *real* damage.
The reason you are you get so much NETBIOS traffic has nothing to do with being scanned.
When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).
When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.
I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.
Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.
Gee, these are the people who are worried about people scanning them, so they send their logs about the scan to a site that doesn't even have enough money to withstand the slashdot effect? Can you say stooooooooopid?
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
What good does this do, exactly? So I guess @home and RR are always going to be at the top, since they constantly scan their customers. This will also put many IRC servers in the list, as they tend to scan for compromised machines. I honestly do not see how a scan from some kid who just downloaded his first copy of Back Orifice is a concern to me. If they were actually able to differentiate between actual attempted attacks and actual port scans, then I could see this being worth something.
wolf31o2 Developer, Gentoo Linux Games Team
This is unfortunately going to become completely useless really fast, unless the people running the site take some active measures.
At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).
When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.
better yet, once you have identified one of the bastards, nail'em with a ddos! sweet justice...
I understand the advantages of having a collection of data collected by your firewall in a centralized location but wouldn't this also permit computer criminals to see which attacks do not go unnoticed. Besides shouldn't an admin take responsibility and do log analysis themselves. I mean on large-scale networks it is totally impractical but still. One can't rely totally on these measures. :D
.--bagel--.---------------.
| aim: | bagel is back |
| icq: | 158450 |
( o ) one could say I'm rather baked
yeah, what you really need are multiple accounts. then your mod points can really be put to good use.
Someone moderate up that A/C... I would if I could (but of course I can't).
:-)
That is a valid flaw in my reasoning. Fortunately, DDOS is not extermely easy (or else you'd see most of the net down weekly) right now. Unfortunately, with the vast proliferation of vapid sysadmins and closed source NOSs I think DDOS is going to become a major problem for ALL kinds of services on the 'net (not just the loss of service, but the permanent vandalism or destruction of service that can happen with faulty database information).
Sorry, its late and I can't come up with a decent solution to this problem today. Maybe later...
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Don't have a Linux firewall (YET), but wouldn't
ipchains -s $scanner -p tcp -d $ipaddress ALL -j DENY
ipchains -s $scanner -p tcp -d $ipaddress 53 -j ALLOW
be a more elegant solution? (assuming you can block everything off, except port 53, and that the rules regarding precidence allow it) While I had originally stated that only 4000-6000 were hit, trust me; I got scans on top of scans of top of scans.
Admittedly, my ipchains experience is very fictional; though with DrawBridge for the secure BSD (Open? Free? I forget) you could do that.
"Don't mind me cutting myself on Occam's Razor"
ZoneAlarm rocks!!
pi=sigma{n:0-infinity}[(1/16)^n][(4/(8n+1))-(2/(8n +4))-(1/ (8n+5))-(1/(8n+6))]
True, but I really doubt that many sites think, "Hmm, I'm probably going to be /.ed pretty soon, I better add some protection into my httpd.conf". Without a warning, it's not the site's responsibilty to protect itself from some "unknown penguin-worshipping nerd news site" that a great many people, believe it or not, have never heard of. Furthermore, non-news links originating from slashdot, such as links in comments, or signatures would be filtered out along with /.ed urls from news posts. And as you already said, this won't stop the DOS, because merely typing the url into the location/address bar will give no referer.
"A good conspiracy is an unprovable one." -Conspiracy Theory
Taking IP chains generated log lines makes for a nice little DoS of dshield.org once enough people figure it out. IP chains' kernel messages log one line per packet.
Much more sensible is encouraging use of a proper logging package, i.e. iplog v2, with a good ruleset to remove false alarms.
And neither is port scanning. If you don't want your box port scanned then take it off the internet.
The SANS Institute GIAC (Global Incident Analysis Center) has been doing this sort of thing since before Y2K. Its continually run and moderated by the leading intrusion detection professionals in the world (namely Northcutt, Breton, Pomeranz, Novak, etc..). Check it out Sorry, Intrusion Detection is an art, and requires alot more than posting firewall logs and using nslookup. -Thang
When your computer wants to look up an address using DNS, it will send a UDP "question" packet from some "high" port to port 53 of the nameserver. Then, after doing some magic to determine the address, the nameserver sends back a UDP "response" packet to the high port on your computer it got the question from.
So, if you're getting a UDP packet from port 53 of a nameserver to a high numbered port on your machine, it generally means that either: 1) you sent a "question" packet to the nameserver, and it is politely responding to you, or 2) someone else sent a bogus "question" packet to the nameserver, but managed to spoof your IP instead of their own into the header of the packet, and the nameserver is politely responding to you, or 3) someone else is sending a bogus "response" packet to you, but managed to spoof the nameserver's IP instead of their own into the header of packet.
There are probably a number of ways #2 (reply's to a question you didn't ask) could occur, ranging from normal network entropy, to some random dude mistakenly misconfiguring his machine, to some eleet hacker d00d sending out bogus "question" packets to the name server intentionally. With some imagination, I can construct scenarios where both #2 (spoofing the origin of the question) and #3 (spoofing the origin of the reply) might be beneficial to a hacker, but not in hacking your box. My imagination is fairly limited, though.
To answer your more specific questions:
But I'm inclined to believe that these packets are nothing more than standard DNS packets, possibly being returned from the "wrong" IP of a multi-ip'd nameserver. You probably have nothing to worry about.
Slashdot is jumping the shark. I'm just driving the boat.
It'd be interesting to see if/when this thing gets big, you could possibly cut off an innocent person from sites utilizing this by running psuedo scans under their ip (spoofing their ip).
Example:
running "nmap -S<target-ip> -e eth0 -sS -P0 -F '24.*.*.*' " would pseudo-scan a large block of cablemodem ips with target-ip. Assuming a lot of people picked it up and reported it, target-ip would be blocked from a number of sites without ever really doing anything.
Course the whole packet spoofing thing _should_ be fixed in IPv6, but who knows when that's gonna happen.
It's their network; so, they are probably legal running port scans. If they found an FTP port open and tried to pull some data off, then you would have them.
If you really want them to stop, play dumb, pretend you don't know it was coming from their machines and report it to their abuse department. If enough people do that, they'll decide it isn't cost effective and stop doing it.
An engineer who ran for Congress. http://herbrobinson.us
It's a scoreboard for script kiddies!
They're gonna spend all day trying to get their box to the top of "most active attacking IP".
Like getting a slashdot fp...
--
What happens when you outlaw guns
Bugger off, I'm just pleased they aren't disguised goatse.cx links, like EVERY FRIGGIN OTHER comment with links that gets modded "informative".
0 1 - just my two bits
To enhance my above trick, let them scan themselves for you.
Turn up the OS level on Samba, enable Browse Master and Local Master, set it to share squat over the public Ethernet addy. DHCP ensures you can snag the correct machine/domain/workgroup. Snag all the machine names that now appear in your browse list. Import into a script that copies said file into startup and sends a SMB message at the same time.
I think the list will be shorter next time you run it.
.sig: Now legally binding!
InfoWorld had an interesting article on the success of using easy to hack systems to trap and analyze hacker attacks
Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. is also on InfoWorld
The site these articles are based off of is located here. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
or if this service starts to bug the script kiddies they just set up a few boxes to autosubmit garbage and BS logs, and flood the database with rubbish making it a useless tool.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Why so many on 8080. Looking for a proxy server to anonymize their surfing?
--------
If routers, gateways, and firewalls are collecting data to track crackers, what else are they doing with that data? maybe logging what IP address goes to what site for marketing purposes. Or for political blackmailing. If these machines are collecting data, maybe they ought to have a privacy policy and offer me a chance BEFOREHAND to opt out, or route around the offending router. This information should be obtainable via a traceroute. And what about Truse-E certification?
It sure would be nice to substitute a shell script or a small C program for that Perl script. Many folks run full Linux distros on their desktop and relegate the firewalling duties to small routers running something like LRP without software packages as huge as Perl.
Is this really a good idea? I keep thinking there has got to be a security hole in here someplace. I can't figgure out where, but I can't convince myself that there isn't some risk (not nessicarly security though that comes to mind) running this.
If you are on AOL, then you'll need more than Black Ice to save you.
Find it at:
http://www.insecure.org/nmap/index.html
right? I didn't read the specs on it; I thought it's main use was fingerprinting OSes remotely by TCP/IP stack analysis. Thanks for the tip!
"Don't mind me cutting myself on Occam's Razor"
Nah... a portscan might just send an "ACK", too. In fact, a cracker could be sending just about anything, including bogus source IP addresses, even if its to do nothing more than figure out how your firewall is filtering out packets.
But if @Home is actually responsible for the packets, I can't imagine any reason they would do anything besides check to see if the port is open and unprotected, and the simplest way to do that is to try to set up a plain, vanilla connect() scan (beginning with a "SYN" packet, not an "ACK"). If anything as "clandestine" as unexpected bare "ACK" packets show up from random @Home hosts, I'd be suprised if @Home were actually responsible (unless they somehow hired an incompetent script kiddy as a sys admin, which might not be that suprising).
Slashdot is jumping the shark. I'm just driving the boat.
I'm not the original poster, but I'd just like to say thanks for the enlightenment. DSL is coming my way soon so I'm trying to brush up on firewall issues so as not to get burnt.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
The problem then being that for @Home subscribers (like myself), you can't block the addresses for @Home servers.
As an @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers (either primary or secondary, forget which one). When I phoned to complain, here is the reasons I got for it:
1) They were verifying my connection.
2) They were checking to see if I had any illicit servers in that range (from UDP 4000-6000, got to make sure that I don't have a rogue licensing server there)
3) They were sending packet data to my cable modem, NOT my computer.
After I heard excuse number three, I realised the advanced level of stupid I was dealing with, and promptly disengaged the phone call.
Still leaving me with the original problem; that @Home's DNS servers are port probing me.
What are the legal ramifications of this? This is unwanted traffic; doesn't that constitute cracking? Isn't that illegal? Can I talk @Home to court for this?
"Don't mind me cutting myself on Occam's Razor"
Could someone please explain how ones happiness or sexual orientation (depending on use of gay) is in any way related to packet flooding, port scanning or 'use the net for what they should.' ? Thanks, Michael
Slashdot is jumping the shark. I'm just driving the boat.
hehe yeah.. dont blacklist the clueless 14 years old Back Orifice scanning bitches, cos they'll be great hackers in the future. whatever.
Bad analogy.
The security of his neighbor's houses doesn't directly affect him, or his security (though it could indirectly encourage burglars to try his house also). However, an insecure web-server - which would contain his personal information, likely including credit card details - would have a direct effect on him. Therefore, running your own tests is a reasonable thing to do.
It's comparable to a credit company running checks on you to see if you are trustworthy.
You are not allowed to run an NNTP server?
--
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
not a counter measure, just a tool.
besides, most hackers are naive script kiddies or knowledgeable but naive *nix users. Sure there are some talented and gifted folks out there, but just look at the ones who get caught and become darlings of the press. If it cuts down on the number of script kiddies who pull off the amazing feat of bringing down a website, i say use it.
--
There are some people that if they don't know, you can't tell 'em.
Public Service Announcement: Log entries are usually recorded using your local time, so you should always include a mention of your timezone when mailing the ISP your logfiles.
As for dshield.org, according to this, their internal format doesn't bother with the time of the incident; only the date. This, unfortunately, means that dshield is pretty impotent when it comes to dealing with dynamic IPs. If I remember, I'll try getting in touch with the guy who's running it after the Slashdot tide dies down. If run properly, I could see this easily becoming the anti-script kiddie equivilant to SpamCop.
When I was in the Hofbrauhaus two sumers ago, they actually had a coin-op BAC meter near the restrooms. Yes, there were contests.
>Is there anyway to make sure that this will not happen?
Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.
While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.
You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.
A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.
They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]
Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.
I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
I know a small porportion of people who use something being "gay" as it being stupid. AFAIK it has nothing to do with the sexual orintaion or happieness of said individual, or company, but just that it's stupid. I know that South Park uses that phrase that way as well. I don't believe that there was an insult to gays (I believe he would use the word "faggot" in that case)
get over it. it wasn't used as a word to describe sexual orientation.
you people need to get over your political correctness and understand that it has more uses than sexual orientation and happiness.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
That may be all good and well (taking into consideration what others said already...)
But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...
Patrix.
Yeah... ZoneAlarm is the best reasonably priced (free) firewall out there for the PC platform. I would like to have the basic *nix setup, but when you're building on a Win32 kernel, you can only do so much. -- Also, Black ICE does NOT stop Back Orifice and like attacks at its default level - you should crank it up one notch for that protection.
Sig, meet "end user."
That's assuming that enough people are intelligent enough to even have some sort of logging on their computer....Bluntly, I try not to make assumptions that people are intelligent.
"Don't mind me cutting myself on Occam's Razor"
And what they will get with this? The Bad Boys List? Another base for Katz to write "Voices on Hellmouth, Part X"? Most script kiddies who do large scans are what they are - KIDS! So I don't see the line, except that this will be another base to harass teenagers who may later turn into something or somebody, but who are put in the corner right from start... Most of these kiddies are people eager to learn something and to get into the computer farmland. However, they go the script buzz harassment because of the mass media, Holywood and the urban legends poisoning their brains and telling them that being underground is the way for the hacker. And while there is some truth on this, it does not mean that script kiddie should harass 10000 users to reach illumination. On the contrary. But it is not this way that we will help kiddies to understand the wrong sides of playing scannings, exploits and other stuff. We will only marginalize them. Put them in a black list. It will look much like those black lists in the 30's, 50's, where very intelligent people was marginalized because it had some schizo on leftist ideas. That's what will happen.
We know how the hacker community was born. We know that we are not saints, but our sins do not give the right to someone to outlaw people, because there were/are mistakes being made. I myself broke/crack/hacked things 15 years ago, much the same way these kids play now. I know that some of my best colleagues and friends were among the darkest crackers at the beginning of the 90's. To be sincere with you people, I also passed a good time, somewhere in this world, as some "The BlackStar" on the dark underground of the hacker community (Hey I'm not hijacking names, I know that there are a few BlackStars and some are much more notorious and thougher than me, but I choose the name originally. In fact, I still use it but in other translation). Frankly to the script kiddies I would say one thing. Yeah it is great to scan and crack things. But that's child's play. Frankly people didn't worry too much about such kind of things. The worse is not when you destroy but when you build. Because it is much harder to do it. And the worst of all when you show that you're damn good at buidling something. That was the moment when bullets started to fly around, because for some people it is better to live on the swamp of ignorance and mischief. Cracking and breaking programs gives some knowledge, but you don't get far with it. Wanna be a hacker? A damn good hacker? Stop harassing your neighbour as he has ten other kiddies to deal with. Build something, help people. But beware, that's the time when other will start to really envy you and be scared of you... Knowledge is a dangerous weapon to live with.
I would act this way. Meanwhile, such lists, are only ground for a new "geek jerks" generation. buy a mug with a penguin, install Linux (after tenth attempt with some help from the side), and say you're in the community...
> so when you move into a neighborhood, do you
>twist everyones doorknob and car door and try to
>open everyones window, just to "know
> what kind of security they have in place"?
Before I loan you any equipment, I'd like to know
that you keep your doors locked, etc.
And at a professional level, I like to make sure
that you can be a responsible caretaker for musical instruments, recording gear, etc.
As a neighbor, I wouldn't loan you any tools if I
thought you'd leave them out in the driveway, or in an unlocked garage.
How is this "twisting doorknobs and trying to open windows?"
-fb Everything not expressly forbidden is now mandatory.
It's about the same thing with spam/UCE complaints. Anyone with decent knowledge of spamming techniques could forge a few fake UCEs and send 'em in to another ISP's abuse department trying to get their account yanked. I know at least one person who had this happen to them (because their opponent in a flame war was losing the argument).
But here's one better: These guys should take their idea to several ISPs and try to get their support. Then form a seperate organization which the ISPs' abuse departments use as a master DB which they all can contribute to and access for tracking these guys. That might work.
Until we meet again....
-- Thorn
And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...
I'm connected with an ADSL modem on a Linux fw. I'm subscribed since last October and until early november I've encountered many NetBIOS scans from fellow clients of my ISP. After some investigation I've discovered that it was in fact caused by a virus/trojan named "W32/QAZ.worm" (for a description read this).
So, I will urge everyone to check their computer, mostly windoze users, for this kind of trojan. It's kind of sticky and fast breeding.
its posible to have stuff sent diorectly to the modem as it has a non routable class a 10.X.X.X address asigned to it.
an @home tech told me so...
November 28, 2000:
dshield.org, a new service designed to analyze firewall logs to look for suspicious activity, submitted its own firewall logs for analysis. To their great surprise, they appeared to be the subject of a giant DOS attack that lasted for 24 hours, as out of nowwhere, nearly 700,000 computers around the world accessed the website.
Due to the enourmous hits, the site was frequently unavailable for legitimate users. Officials suspect foul play, but have been unable to determine a motive for the unprecedented attack. "This is precisely the reason we developed this system; to expose the origins of potential attackers and allow the user to take appropriate action". When asked if it was possible they were simply the victim of the feared "slashdot effect", those allegations were denied. "As soon as our bandwidth returned to normal, we checked out this slashdot.org but saw no mention of the site anywhere on the front page. We checked the logs and found only one refrence from slashdot.org. Although it appears right before the attack began, we are certain that this is only a coincedence.
:)
-Restil
Play with my webcams and lights here
So run a caching-only nameserver, and don't use theirs. Assuming you keep up with BIND errata, it shouldn't be a security problem. YMMV, of course. I can do this on my cable system (Optimum Online, NY/CT area), but I don't see why it wouldn't work with @Home.
Just a suggestion....besides, cable networks often don't know how to run servers anyway. The Optonline DNS servers for my area tend to go down on what seems like a daily basis, with times anywhere from 5 minutes to 5 hours.
This sure was timely. I just wrote to abuse@home.net to complian. I will followup again. and agian.
I also have Microsoft trying on 53 over and over and over.
This just funny.
From: subscriber@home.net
Subject: Repeated attacks
Hello,
Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
Yours truly, @home customer
From: @HOME tech support
To: @HOME customer
Subject: RE: Repeated attacks
Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
Pay your fucking bill in full now or we'll TOSs ya.
@home techie
---
Inanimate Carbon Rod thanks you for your support. See you in 2004!
This is exactly why public blacklists never work. The entire system is based on the assumption that the data you're feeding into it is valid. However, in reality, you have no idea from who or where the data is coming from, nor do you have any way of telling how much of it has been tampered with other than basing it on the honor system. You can't assume that any of the data you receive is valid.
Unix is user friendly, it's just selective about who its friends are.
I used to see that a lot during LAN parties. The easiest way to correct the behavior is to scare them a little; Copying a little VB executable that shows a hard warning into Windows/Start Menu/Programs/Startup/ works on Win9x machines. NT machines are easier. smbclient -M helps them stop, as anyone stupid enough to enable SMB doesn't have a clue on how to disable the Messinger Service.
.sig: Now legally binding!
And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...
nslookup slashdot.org
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: slashdot.org
Address: 64.28.67.48
Heh,
root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'
(hits enter end runs...)
For those which don't know and are to lazy to look up, an exerpt from nmap manpage:
this project makes too many assumptions that everyone uses their boxen to sit around and block packets consider that a 10.x.x.x ip address was in the top ten shouldnt that kind of data be parsed out? Along with the potential for faked logs and unreliable data sources, it was a good thought but implamentation requires a bit more effort than a lil perl script that sifts through my logs. I hope they consider the bulk per user submissions when accepting data so as to not have a poisoned database. What about people scanning their own machines for their own security's sake? Or someone who was authorized to do it via an aup if @home scans me because i signed the aup that makes it ok, so if my ip is in the @home network that should not be considered an attack or even an intrusive scan because it was authorized when i signed on for the service. You can see where this is going a whole lot of very subjective data...
Everyone seems really concerned that they might be blocking valid IP addresses if they trust this new site (when it ever comes back up). :-)
Running a default policy of DENY will sort any hassle...(accept of course trying to access your server
I hope everyone knows where they expect connections to be coming from, and if not, have hardened up those boxen!
Looking at my logs, generated by iplog2, I about 5% of the stuff is anything to worry about. The rest is:
@Home scanning for news servers.
an occasional ping
Napster.
I have my rules set up to the best of my (experienced) ability to eliminate irrelevant stuff. By default, most of the logging packages log everything (i.e. ftp-data connections).
If you ever read some of the newsgroups where the same users who will be using dshield.org post, you'll see that they don't know how to tell an attack from normal activity. Unforunately I can't find some of the usual "NOTICE TO WHOEVER PINGED ME: SEND ME A PING AGAIN AND I'M CALLING THE FBI AND GETTING YOU CUT OFF FROM AOL NOW LET'S BURN THE WITCH" postings today in athome.discussion-security, but they're usually there.
The "firewall" programs that most users use don't give them any help in telling the difference between a genuine 'attack' and between their web browser downloading a file using *gasp* an ftp-date connection.
On "first glance" at the comments, the top two comments I see are:
1) Logs can be forged
2) They're showing the @home portscanners, and reserved netblocks on their top ten (bwuhahaha, look at them, they're so stupid)
in response to 1) there are hundreds of ways any reasonably intelligent coder could check the submitted data, to make sure the logs make logical sense.
On top of that, the whole POINT of this service is to identify people scanning whole netblocks, and then submit that report to some other agency (who would then, what? Automatically say, "well, this site said so, let's unplug the little fucker" without doing their own background check? I think not). This is all about COMPILING data, to try to learn some really interesting things about who and how many netscans there are in a given day.
In my personal opinion, this is a far more useful and important security measure, than anything security focus, or any of the other SUBMISSION based security alert services give, because they're collecting TONS of data.
Think about it for a minute, if everyone starts submitting their logs, the minor forged log every now and again will be ignored by virtue of the immense amount of legitimate information streaming in...
on the second complaint: Get over yourselves! Just because you weren't ambitious enough to start a project like this, doesn't mean that you're smarter than they are. Don't you think they'll start to make corrections once they start analysing their data? It takes time, and submissions, people.
Just think about the potential security gain if this is successful. This is a user driven ORBS database, which could, with a little HELPFUL nudging be very useful for the security minded.
hmmmm?
Seems to be an awful lot of insurgence about @home. A buddy of mine set his boss up with a Linux firewall/masquerade box at the foot of his Cable connection on @home with an IDS on it. The IDS automatically put firewall rules (ipchains-style) in place and the port-scans from @home administration became a non-event. Box has been running for 3 months without a hitch.
A computer consulting company I worked for earlier this year was considering putting a similar database-enabled web-application together at the time, and, I thought it was a pretty good idea. They started to get confused, however, at the prospect of spoofed IP's and forged logs and failed to put it in place. So, I think dshield.org is on to something, if they can execute and do it without incriminating some innocent party.
I'd prefer to see such a service emanating from a nonprofit entity similar to w3c.org, though, to eliminate any integrity issues.
Incidentally, I just forward the relevant port scans from my FreeBSD firewall and Linux servers (port 111 and friends) to their ISPs and that usually takes care of things. More work for the ISP, but, I'd bet it's helpful over time....
My 2.
Linux rocks!!! www.dedserius.com
www.dedserius.com
VB != VisualBasic
As am @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers
I hate to break it to you, but that's not a portscan. If you are running a forwarding nameserver, put the following in your configuration and I bet anything that will go away:
query-source address * port 53;
Basically, you are sending them DNS requests from that port, they are replying, and you are denying the replies. This line makes all DNS queries come from the domain port. They will then shift their replies to be addressed to your domain port.
@Home does do portscans, yes. But not from their DNS servers. Back when I used to pay attention to such things, they quite annoyed me. But I just blocked 24.0.94.130 (authorized-scan.security.home.net) and they went away.
I'd suspect that this is a relic of test logs generated by running portscanners on a LAN to build up a record set for the database. They say the data is not very reliable yet.
I do not have a signature
Several posts have asked, "How can they prevent someone from faking the logs?"
It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.
However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.
What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.
www.eFax.com are spammers
A public blacklist would work if you have enough contributors that you can verify that many of them, including some trusted contributors, feel that the IP in question should be blacklisted. If you can have a reasonable belief that the majority of data on the system is valid, then the blacklist will be more-or-less effective.
For example, how many people have been framed in such a manner onto the RBL? Sure, there are plenty of cases of people who feel that they shouldn't be on the RBL because they weren't really spamming. But how often do several people conspire to accuse an IP of being a spammer or an unsecured relay just to get back at that IP? Not too often, I imagine.
Just like any online collaboration, from the RBL to online gaming matchups to /., you can gauge the reliability of the community's input based on a trust rating that you assign to contributors based on their past performance.
Your right to not believe: Americans United for Separation of Church and
Am I the only one concerned by this?
A few issues comes to mind:
Forged logs
It's very trivial to fake logs to make it appear
that a attack originated from a specific source.
Innocent traffic
I can't count the times I've been wrongly accused of
"port hunting" after looking for a service on a friends box.
Even a single ping can sometimes trigger a sites IDS
and mark my IP as a threath.
This may be a good idea, but without at least
some background checking and auditing
of submitted logs, I wouldn't trust it one bit.
Agreed. The web simply provides the targets. The pretty and fuzzy features are out in the open, and the villians tend to hide in the shadows and others dangerous places that their targets dare not venture.
Long signatures suck.
Seriously though, this system has too many vulnerabilities to really be an effective countermeasure against hackers. Poisoned logs, IP spoofing, etc. This is essentially a really good way to catch:
(a) naive script kiddies
(b) knowledgeable but naive *nix users
"Any connection between your reality and mine is purely coincidental." -Slashdot
They're looking for copies of "wingate" which are a popular proxy on private systems and which keep having new holes discovered.
The summary said that ZoneAlarm logs can be posted. What about BlackICE Defender?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
they're down until tomorrow..... really wanted to look at their site! ah well... is being slashdotted a good thing?
http://www.invisik.com
Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow
ummm.... yeah...
Army of One!
Indeed, slashdotting a site is a direct DOS attack, and slashdot should start taking some responsibility for causing so many sites to go offline due to the spontaneous bandwidth increase of the slashdot effect. IMO, every site linked by slashdot should be given the right to deny such a link, and if the site accepts the link, should be offered time to get a mirror up or increase bandwidth. Without such a warning, linking to a small-medium business or personal homepage is the equivalent of tossing a rabbit into a cage of hungry lions and not feeling responsible for the rabbit's instant death.
"A good conspiracy is an unprovable one." -Conspiracy Theory
would the /. effect be considered an 'attack'?
/home/dshield/php/common.php on line 65
/home/dshield/php/common.php on line 96
/home/dshield/php/common.php on line 97
Current Most Active
Attacking IP:
Warning: Too many connections in
Warning: Supplied argument is not a valid MySQL-Link resource in
Warning: Supplied argument is not a valid MySQL result resource in
looks like they need to tweak their settings a bit before they go primetime.
The sites I worked at got portscanned at least twice a day, usually from a cable modem user running Redhat Linux (easily found out by telnetting back to their IP, which has almost every service still enabled). These are script kiddies, and really I don't think I should waste time on someone who downloaded nmap.
A smart cracker won't blindly portscan your machine, because that pretty much gives him (and his skill) away. I think portscans are a fact of life. The ones to worry about are the quiet crackers, who only give away few signs that they are attempting an attack.
What is more interesting to me is the signature of attacks. I don't think analysis of this sort can be done by looking at an IP, as you may see a pattern in your firewall logs that involve many IPs or spans many days. The trick is putting all of the information together in some sort of analytical way to determine if it is a threat or not.
Now, this might strike ONLY me as strange but the service are relying on users to send in their logs?
The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.
Is there anyway to make sure that this will not happen?
Great... this information could be used to tune one's own firewall to block (unwanted and nosy) portscans from @Home and RoadRunner...
Charter cable here hasn't started doing that (yet), but if I were an @Home/RR customer, that's exactly what I'd do... 'cause you *know* what would happen if we tried to pr0tsc@n them.
I resent them treating me like they assume I'm going to make a mistake when I haven't given them any indication that I have or will.
You haven't on an individual level, but their userbase as a whole has. Do you remember when @Home as a whole was in danger of getting the Usenet Death Penalty? This is a list that spam-neutral or -friendly ISPs get onto to force them to stop allowing spamming (much like the Realtime Blackhole List, but for usenet). They got off it before the UDP went into effect by agreeing to be more vigilant about portscanning the NNTP port of customers, to make sure they didn't have open NNTP relays and such. The day the UDP was cancelled was the exact day I started getting portscans from @Home.
They also do the same for SMTP. Back when I had a server attached to their network, I would regularly log relay attempts from their scan box. They never complained about my running a mailserver. They just verified that it wasn't an open relay.
Whether or not you agree that they should be doing it, they are doing it for a reason. And as far as reasons go, eliminating holes for spammers is a pretty good one.
a very good thing. While there are always the potential drawbacks to a large database keeping track of things this could make it much easier when someone gets themselves into my logs to find out who to inform about it. Of course most of the time you are just talking to a victim but even then it would make it much easier to warn them. Right now most of my logs get ignored cause it takes too much time to track them down. While this may not make it easier to go after the bad guys it will make it easier to give the victims a heads up. Can't get to the site right now (Go /.!!)But if they want logs from smaller sites I will be sending them mine.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
From the page:
:)
27/Nov/2000 16:00
Current Most Active
Attacking IP: 24.0.94.130
Then...
nslookup 24.0.94.130
Server: localhost
Address: 127.0.0.1
Name: authorized-scan.security.home.net
Address: 24.0.94.130
Ohh yeah, this is useful information
Bah, its a trivial hack to Apache to kill the connection if the refering URL is http://slashdot.org/* True this wont be stop the DOS, but will stop you wasting your banwidth charges.
Anyone noticed that the story submitter is also the owner of the site (dshield.org).. also didn't bother to make an account.
--------------------
...seems they are called Euclidian Consulting, and offer such services as, hmm, this is odd, the DNS for this site is dns.homepc.org, and oh, wait, that's registered to the same personas euclidian! hmmm, that coupled with the @home port scans being #1 on this list leads to the conclusion, all this is being run out of someone's basement, using an @home connection. Wow, and here I was waiting to save up enough money to buy a real "business" network, but heck, I can just use my cable connection to run my soon to IPO thingy...
Going on means going far
Going far means returning
Going on means going far
Going far means returning
Damn, there go my mod priviledges.
#!/usr/bin/perl
/tmp file
/usr/sbin/sendmail -t -oi");
# Linux DShield Client. V 0.0.2
#
# This script will extract relevant lines form the log file and
# send them to 'report@dshield.org'.
#
# It should run from cron regularly to look for new entries. See
# 'parameters' for more details.
#
# Parameters:
#
$userid="0"; # replace with your userid if you have one.
$email="none"; # replace with your e-mail address.
$to='report@dshield.org'; # send log to this address. Change for testing.
$local_log='/tmp/dshield.log'; # keep a local copy here for revie
$filter="input DENY"; # we only care for lines that contain this line.
$state="/var/tmp/dshield"; # file that is used to store length of log file.
$logfile="/var/log/messages"; # location of log file.
# setup a halfway safe
srand(time);
$tmp="/tmp/dshield".$$.rand(1000);
$last_count=0;
#
# the 'state' file contains the length of the log file
# in lines the last time the script ran.
#
if ( -e $state ) {
$last_count=`cat $state`;
chmod $last_count;
}
#
# get the current length of the logfile
#
$length=`wc -l $logfile | sed 's/[^0-9]//g'`;
chomp $length;
#
# if the log file size 'shrank', we assume that the entire file
# is relevant. This will not catch log rotations where the
# log file grows rapidly.
#
$last_count=0 if ($length<$last_count);
$count=$length-$last_count;
#
# remove stale tmp files. This should never happen, as
# the temp file name is generated randomly
if (-s $tmp) {
system ("rm $tmp");
}
#
# this line 'does the work' of extracting relevant lines
#
system("tail -$count $logfile | grep '$filter' > $tmp");
# send the file. Only bother if there is something to
# report.
if ( -s $tmp) {
open (MAIL,"|
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
if ($local) {
open (MAIL,"> $local");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
}
}
#
# cleanup the temp file and write a new state file
#
system ("rm $tmp");
system ("echo $length > $state");
I have a suggestion for a poll. (yes, I know this isn't the correct place to submit this, but this article inspired it.)
/. effect?
/.
/. !!
Have you ever submitted an article about a company you hate just to create a
Yes, I'm satan spawn.
No, I'm a virgin or
No, I was with CowboyNeal at a gay bar.
I like to read the articles before posting. Unfortunately it's something I rarely get to do because of the herd affect of
got to love
"Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
There was also a group of funny guys to which you could send your /etc/passwd file and they would tell you if some passwords were vulnerable :-)
Good point considering almost all of these places are small sites that have no where near the redundancy and hardware that Slashdot has to deal with their effect. One of these little web sites off a fractional T-1 getting slashdotted could take down the site (and any other sites that may have been hosted on that link) down for at least a day. Irresponsible.
Heck no. Firstly, if they're actually trying to make lists of times/dates/IP's that the kiddies are scanning, then Cool! They should keep their database private for sure, but unless you run the ISP, you won't know WHO is on which IP. Personally, I'd LOVE to see some people getting fined for portscanning. A couple of grand per incident. Don't think so? Picture this. I walk through your neighborhood, and stop at each house trying to open doors and windows. Occasionally, I may use a special tool to open a door or window. If I'm doing that to your house, damn right you're going to want me arrested. Same situation, period!
-What have you contributed lately?
Actually, I expect cracker detection to be the cornerstone of our new economy. kjh26flk3jf
And the second most frequently used addressed is in the 10.x.x.x private IP address range? I'd like to see THAT person tracked down!
If your children ever found out how lame you are, they'd murder you in your sleep
no, it was probly K-racked!
In short: it blows.
Hmm. Actually, looking again, there's a much more serious reason I'd call it a crappy Perl script.
$userid="0";
srand(time);
$tmp="/tmp/dshield".$$.rand(1000); if (-s $tmp) {
sy stem (rm $tmp");
}
system("tail -$count $logfile | grep '$filter' > $tmp");
So...in other words, while running as root, it picks a filename based solely on its PID (easy to guess) and the current time (easy to guess, especially since they recommend running it from cron at scheduled times). They remove this file but then tail into it blindly...if you are quick about it (inbetween the remove and tail), you can create a symlink there and get root to overwrite any file on the system. Bugtraq advisories are regularly issued about this type of thing.
They also give you a false sense of security in that there is a place to fill out a userid, but it does not use it for anything but the subject of an email. So it always runs as root, though if you quickly configured it you might think otherwise.
If you're an athome customer, you probably authorized it (and more) by signing the contract.
The scans are roughly daily, and they only check the NNTP port.
Now where is an X-Server for Windows when you need one :)
Just joking on that.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT
Or something similar. If your real lucky you'll see the results on their webcam. :-)
It sounds more like a serious restriction in service, if not an invasion of privacy, if you ask me. With my DSL connection, I can run any service I like, as long as I like, because it's my own fault if I get r00ted. I'd really hate to see VNC or FTP wind up as blacklisted services, because I'd have to give a serious rethink on how to transfer MP3's I have ripped and/or code that I have written to and from work. It is likely that there is another solution, but I have better things to do at present.
(end comment) */ }
(end comment) */ }
[an error occurred while processing this directive]
--
One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.
As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.
Instead of mysql_connect(), they should've used mysql_pconnect().
--