Collecting Logs from Firewalls to Detect Crackers

Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them in a database. The point is to single out script kiddies that scan large IP segments. It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users. Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."

Re:Users Send in Their Logs?

[garcia]

making some @home guy lose his account..

sure! If @home even gave a shit about what their users do. I tried to report an @home user this summer for flooding my poor 56k connection and they ignored me. My ISP wouldn't give me a static IP to block it at the router, so I was basically screwed.

doing something like this really doesn't help anyone. The ISP's have to cooperate (on both ends) and they normally don't care to.

I wish that people would stop being gay and just use the net for what they should.

That is just my worthless .02

Why 2048?

[Delirium+Tremens]

Sorry, but the use of 8080 is rather obvious to me. I have one bizillion software trying to bind on that socket.

But what's 2048 used for? A Trojan?

Re:@Home scanners...

[0xA]

The reason you are you get so much NETBIOS traffic has nothing to do with being scanned.

When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).

When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.

I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.

Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.

security hole?

[aozilla]

Gee, these are the people who are worried about people scanning them, so they send their logs about the scan to a site that doesn't even have enough money to withstand the slashdot effect? Can you say stooooooooopid?

Scans versus attacks

[FeeDBaCK]

What good does this do, exactly? So I guess @home and RR are always going to be at the top, since they constantly scan their customers. This will also put many IRC servers in the list, as they tend to scan for compromised machines. I honestly do not see how a scan from some kid who just downloaded his first copy of Back Orifice is a concern to me. If they were actually able to differentiate between actual attempted attacks and actual port scans, then I could see this being worth something.

If only it were filtered

[Phaid]

This is unfortunately going to become completely useless really fast, unless the people running the site take some active measures.

At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).

When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.

Re:If only it were filtered

[FeeDBaCK]

Those personal firewalls quite frankly piss me off. Yes, you are going to get scanned at some point by somebody trying to exploit something. Most people who run a personal firewall generally do not have much knowledge about network security, or else they would be using a better solution. These personal firewalls do nothing more than scare the user into thinking he is constantly being attacked by the 31337 h4x0rz all over the Internet that are out to steal his goatsex porn on his computer and hack into his bank account to buy a new Ferrari with his account number. There is quite a bit of useful information that can be gathered from these firewalls, but the people that they are marketed towards are not the people who would understand what any of the data means. I would think it would be much better if the firewall designers made it easier to configure. Base the firewalls on service names instead of ports... things like that. I have friends that are on cable who call me or e-mail me almost constantly with snippets from their logs of their personal firewall asking wether or not something is an attack. I would say that almost everything I have ever recieved has been valid data from a host that they were interacting with...

Re:If only it were filtered

[Ralph+Wiggam]

Personal firewalls are an obvious evolution from mainstream virus protection software. How much money has AV software made? I would guess somewhere in the hundreds of millions. How many viruses are really out there in the wild? A few dozen, tops. The only two that have caused real damage in the past few years have been email script viruses that AV packages didn't catch. So now everyone owns at least one AV package and those big companies need to make more money. So they make people think that evil "hackers" are out there trying to steal your financial records and the pictures of your nephew and that super 31337 Budweiser frogs screensaver you have. Sold. My defense to such things is to just have an uninteresting life and very little money. That will stop them every time.

-B

Is this really necessary?

[bagel2ooo]

I understand the advantages of having a collection of data collected by your firewall in a centralized location but wouldn't this also permit computer criminals to see which attacks do not go unnoticed. Besides shouldn't an admin take responsibility and do log analysis themselves. I mean on large-scale networks it is totally impractical but still. One can't rely totally on these measures. :D
.--bagel--.---------------.
| aim: | bagel is back |
| icq: | 158450 |

Re:Is this really necessary?

[FeeDBaCK]

Quite honestly, this is why Managed Security Providers are becoming more popular. You pay someone else to monitor your company for attacks. Most companies cannot afford to staff their own network security team to audit security on a regular basis and to watch logs in real-time.

Re:Blocking @Home and RoadRunner from scanning

[DoomHaven]

Don't have a Linux firewall (YET), but wouldn't

ipchains -s $scanner -p tcp -d $ipaddress ALL -j DENY
ipchains -s $scanner -p tcp -d $ipaddress 53 -j ALLOW

be a more elegant solution? (assuming you can block everything off, except port 53, and that the rules regarding precidence allow it) While I had originally stated that only 4000-6000 were hit, trust me; I got scans on top of scans of top of scans.

Admittedly, my ipchains experience is very fictional; though with DrawBridge for the secure BSD (Open? Free? I forget) you could do that.

a nice little DoS

[Barbarian]

Taking IP chains generated log lines makes for a nice little DoS of dshield.org once enough people figure it out. IP chains' kernel messages log one line per packet.

Much more sensible is encouraging use of a proper logging package, i.e. iplog v2, with a good ruleset to remove false alarms.

Re:a nice little DoS

[Barbarian]

Yeah, but this allows for an expansion -- you can send the smallest possible ICMP_ECHO packets to someone using automatic dshield.org reporting, even undersized perhaps, and get them to automatically send 120 bytes for each to dshield.org

The SANS GIAC has been doing this for over a year

[Thangorodrim]

The SANS Institute GIAC (Global Incident Analysis Center) has been doing this sort of thing since before Y2K. Its continually run and moderated by the leading intrusion detection professionals in the world (namely Northcutt, Breton, Pomeranz, Novak, etc..). Check it out Sorry, Intrusion Detection is an art, and requires alot more than posting firewall logs and using nslookup. -Thang

Re: getting "portscanned" by an @Home nameserver.

[bellings]

I'm also inclined to believe the nameservers are not portscanning you. Here's a brief (and incomplete) explanation of how a nameserver works.

When your computer wants to look up an address using DNS, it will send a UDP "question" packet from some "high" port to port 53 of the nameserver. Then, after doing some magic to determine the address, the nameserver sends back a UDP "response" packet to the high port on your computer it got the question from.

So, if you're getting a UDP packet from port 53 of a nameserver to a high numbered port on your machine, it generally means that either: 1) you sent a "question" packet to the nameserver, and it is politely responding to you, or 2) someone else sent a bogus "question" packet to the nameserver, but managed to spoof your IP instead of their own into the header of the packet, and the nameserver is politely responding to you, or 3) someone else is sending a bogus "response" packet to you, but managed to spoof the nameserver's IP instead of their own into the header of packet.

There are probably a number of ways #2 (reply's to a question you didn't ask) could occur, ranging from normal network entropy, to some random dude mistakenly misconfiguring his machine, to some eleet hacker d00d sending out bogus "question" packets to the name server intentionally. With some imagination, I can construct scenarios where both #2 (spoofing the origin of the question) and #3 (spoofing the origin of the reply) might be beneficial to a hacker, but not in hacking your box. My imagination is fairly limited, though.

To answer your more specific questions:

• It is possible to send a packet to one IP of a multi-ip machine, and get a packet back from another IP of the same machine. This might trip your firewall. If "shouldn't" happen with a DNS server, but "shouldn't" and "can't" are two entirely different words.
• If you want to find the format of a DNS packet, check RFC 1034 and RFC 1035. The biggest tip off that you're looking at a DNS packet should be that it originates from port 53 on the nameserver.
• I would be very, very reluctant to say that "10 ports in a 20 port (high) range" indicate a port scan -- generally, people who really want to root your machine will only try a small handful of (low) ports corresponding to vulnerable services, and leave the rest untouched.
• If you're seeing only a single "ACK" TCP packet, then someone sending out packets while poking into their TCP stack at a level deep enough that you shouldn't trust ANYTHING contained in that packet -- definately not the IP address, and perhaps not even the MAC address. If someone is on the same wire as you, then it is possible they could be sending out a series of packets with spoofed originating IP, and just passively sniffing on the wire to see how your machine is responding. (I don't know enough about cable modems to know how hackable the networks are, though.) If this is the case, the @Home nameservers have nothing to do with these packets.
  

But I'm inclined to believe that these packets are nothing more than standard DNS packets, possibly being returned from the "wrong" IP of a multi-ip'd nameserver. You probably have nothing to worry about.

Fasely targetting IPs

It'd be interesting to see if/when this thing gets big, you could possibly cut off an innocent person from sites utilizing this by running psuedo scans under their ip (spoofing their ip).

Example:
running "nmap -S<target-ip> -e eth0 -sS -P0 -F '24.*.*.*' " would pseudo-scan a large block of cablemodem ips with target-ip. Assuming a lot of people picked it up and reported it, target-ip would be blocked from a number of sites without ever really doing anything.

Course the whole packet spoofing thing _should_ be fixed in IPv6, but who knows when that's gonna happen.

Heh, scoreboard

[mwalker]

It's a scoreboard for script kiddies!

They're gonna spend all day trying to get their box to the top of "most active attacking IP".
Like getting a slashdot fp...

Re:Heh, scoreboard

[Bob+McCown]

It might keep them out of our hair, though. Maybe they'd be too busy attacking each other to worry about the big sites...

I just had a thought (Yea, I know, first time for everything). Would these very same script kiddies on cablemodems be called @homeboys?

Re:@Home scanners...

[technos]

To enhance my above trick, let them scan themselves for you.

Turn up the OS level on Samba, enable Browse Master and Local Master, set it to share squat over the public Ethernet addy. DHCP ensures you can snag the correct machine/domain/workgroup. Snag all the machine names that now appear in your browse list. Import into a script that copies said file into startup and sends a SMB message at the same time.

I think the list will be shorter next time you run it.

Honeypots

[bl968]

InfoWorld had an interesting article on the success of using easy to hack systems to trap and analyze hacker attacks

Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. is also on InfoWorld

The site these articles are based off of is located here. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds

Re:Users Send in Their Logs?

[corvi42]

or if this service starts to bug the script kiddies they just set up a few boxes to autosubmit garbage and BS logs, and flood the database with rubbish making it a useless tool.

Wait! Does this mean routers need privacy policy?

If routers, gateways, and firewalls are collecting data to track crackers, what else are they doing with that data? maybe logging what IP address goes to what site for marketing purposes. Or for political blackmailing. If these machines are collecting data, maybe they ought to have a privacy policy and offer me a chance BEFOREHAND to opt out, or route around the offending router. This information should be obtainable via a traceroute. And what about Truse-E certification?

Can we get a shell script for "small" systems?

[GlobalEcho]

It sure would be nice to substitute a shell script or a small C program for that Perl script. Many folks run full Linux distros on their desktop and relegate the firewalling duties to small routers running something like LRP without software packages as huge as Perl.

Is this a good idea or a security hole?

[bluGill]

Is this really a good idea? I keep thinking there has got to be a security hole in here someplace. I can't figgure out where, but I can't convince myself that there isn't some risk (not nessicarly security though that comes to mind) running this.

Re:Is this a good idea or a security hole?

[ichimunki]

Yeah, I have the same sense that giving out this information somehow creates a security risk as well, especially if it involves me sending logs of anything automatically... but I think this kind of thinking is mostly a desire for security through obscurity, i.e. the less "they" know, the less they will be able to crack my system. The best check would be to examine the output by hand for a while before sending it in and making sure that it seems like valid and useful information. I'm more concerned that if they accept anonymous or lightly IDed reporting that they will be spoofed or spammed in short order, which makes the information suspect.

Re:Black ICE Defender

[Token+User]

If you are on AOL, then you'll need more than Black Ice to save you.

Re:Blocking @Home and RoadRunner from scanning

[bellings]

Nah... a portscan might just send an "ACK", too. In fact, a cracker could be sending just about anything, including bogus source IP addresses, even if its to do nothing more than figure out how your firewall is filtering out packets.

But if @Home is actually responsible for the packets, I can't imagine any reason they would do anything besides check to see if the port is open and unprotected, and the simplest way to do that is to try to set up a plain, vanilla connect() scan (beginning with a "SYN" packet, not an "ACK"). If anything as "clandestine" as unexpected bare "ACK" packets show up from random @Home hosts, I'd be suprised if @Home were actually responsible (unless they somehow hired an incompetent script kiddy as a sys admin, which might not be that suprising).

Re:Blocking @Home and RoadRunner from scanning

[DoomHaven]

The problem then being that for @Home subscribers (like myself), you can't block the addresses for @Home servers.

As an @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers (either primary or secondary, forget which one). When I phoned to complain, here is the reasons I got for it:
1) They were verifying my connection.
2) They were checking to see if I had any illicit servers in that range (from UDP 4000-6000, got to make sure that I don't have a rogue licensing server there)
3) They were sending packet data to my cable modem, NOT my computer.

After I heard excuse number three, I realised the advanced level of stupid I was dealing with, and promptly disengaged the phone call.

Still leaving me with the original problem; that @Home's DNS servers are port probing me.

What are the legal ramifications of this? This is unwanted traffic; doesn't that constitute cracking? Isn't that illegal? Can I talk @Home to court for this?

Re:what about dynamic ip's?

[Erasmus+Darwin]

Using the IP and the time it occured it should be relatively easy for the ISP to hunt down whoever was using that IP at the given time.

Public Service Announcement: Log entries are usually recorded using your local time, so you should always include a mention of your timezone when mailing the ISP your logfiles.

As for dshield.org, according to this, their internal format doesn't bother with the time of the incident; only the date. This, unfortunately, means that dshield is pretty impotent when it comes to dealing with dynamic IPs. If I remember, I'll try getting in touch with the guy who's running it after the Slashdot tide dies down. If run properly, I could see this easily becoming the anti-script kiddie equivilant to SpamCop.

Re:Users Send in Their Logs?

[shepd]

>Is there anyway to make sure that this will not happen?

Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.

While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.

You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.

A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.

They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]

Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.

I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...

what about dynamic ip's?

[Patrix]

That may be all good and well (taking into consideration what others said already...)

But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...

Patrix.

Bad boys

[Ektanoor]

And what they will get with this? The Bad Boys List? Another base for Katz to write "Voices on Hellmouth, Part X"? Most script kiddies who do large scans are what they are - KIDS! So I don't see the line, except that this will be another base to harass teenagers who may later turn into something or somebody, but who are put in the corner right from start... Most of these kiddies are people eager to learn something and to get into the computer farmland. However, they go the script buzz harassment because of the mass media, Holywood and the urban legends poisoning their brains and telling them that being underground is the way for the hacker. And while there is some truth on this, it does not mean that script kiddie should harass 10000 users to reach illumination. On the contrary. But it is not this way that we will help kiddies to understand the wrong sides of playing scannings, exploits and other stuff. We will only marginalize them. Put them in a black list. It will look much like those black lists in the 30's, 50's, where very intelligent people was marginalized because it had some schizo on leftist ideas. That's what will happen.

We know how the hacker community was born. We know that we are not saints, but our sins do not give the right to someone to outlaw people, because there were/are mistakes being made. I myself broke/crack/hacked things 15 years ago, much the same way these kids play now. I know that some of my best colleagues and friends were among the darkest crackers at the beginning of the 90's. To be sincere with you people, I also passed a good time, somewhere in this world, as some "The BlackStar" on the dark underground of the hacker community (Hey I'm not hijacking names, I know that there are a few BlackStars and some are much more notorious and thougher than me, but I choose the name originally. In fact, I still use it but in other translation). Frankly to the script kiddies I would say one thing. Yeah it is great to scan and crack things. But that's child's play. Frankly people didn't worry too much about such kind of things. The worse is not when you destroy but when you build. Because it is much harder to do it. And the worst of all when you show that you're damn good at buidling something. That was the moment when bullets started to fly around, because for some people it is better to live on the swamp of ignorance and mischief. Cracking and breaking programs gives some knowledge, but you don't get far with it. Wanna be a hacker? A damn good hacker? Stop harassing your neighbour as he has ten other kiddies to deal with. Build something, help people. But beware, that's the time when other will start to really envy you and be scared of you... Knowledge is a dangerous weapon to live with.

I would act this way. Meanwhile, such lists, are only ground for a new "geek jerks" generation. buy a mug with a penguin, install Linux (after tenth attempt with some help from the side), and say you're in the community...

Re:Issues

[fishbowl]

> so when you move into a neighborhood, do you
>twist everyones doorknob and car door and try to
>open everyones window, just to "know
> what kind of security they have in place"?

Before I loan you any equipment, I'd like to know
that you keep your doors locked, etc.

And at a professional level, I like to make sure
that you can be a responsible caretaker for musical instruments, recording gear, etc.

As a neighbor, I wouldn't loan you any tools if I
thought you'd leave them out in the driveway, or in an unlocked garage.

How is this "twisting doorknobs and trying to open windows?"

DHCP ?

[London+Weatherman]

And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...

Re:@Home scanners...

[Marc+Boucher]

I'm connected with an ADSL modem on a Linux fw. I'm subscribed since last October and until early november I've encountered many NetBIOS scans from fellow clients of my ISP. After some investigation I've discovered that it was in fact caused by a virus/trojan named "W32/QAZ.worm" (for a description read this).
So, I will urge everyone to check their computer, mostly windoze users, for this kind of trojan. It's kind of sticky and fast breeding.

In other news....

[Restil]

November 28, 2000:

dshield.org, a new service designed to analyze firewall logs to look for suspicious activity, submitted its own firewall logs for analysis. To their great surprise, they appeared to be the subject of a giant DOS attack that lasted for 24 hours, as out of nowwhere, nearly 700,000 computers around the world accessed the website.
Due to the enourmous hits, the site was frequently unavailable for legitimate users. Officials suspect foul play, but have been unable to determine a motive for the unprecedented attack. "This is precisely the reason we developed this system; to expose the origins of potential attackers and allow the user to take appropriate action". When asked if it was possible they were simply the victim of the feared "slashdot effect", those allegations were denied. "As soon as our bandwidth returned to normal, we checked out this slashdot.org but saw no mention of the site anywhere on the front page. We checked the logs and found only one refrence from slashdot.org. Although it appears right before the attack began, we are certain that this is only a coincedence.

:)

-Restil

I wonder....

[Stavr0]

To: authorized-scan1.security.home.net
From: subscriber@home.net
Subject: Repeated attacks

Hello,
Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
Yours truly, @home customer

From: @HOME tech support
To: @HOME customer
Subject: RE: Repeated attacks

Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
Pay your fucking bill in full now or we'll TOSs ya.
@home techie
---
Inanimate Carbon Rod thanks you for your support. See you in 2004!

Re:Users Send in Their Logs?

[Shagg]

This is exactly why public blacklists never work. The entire system is based on the assumption that the data you're feeding into it is valid. However, in reality, you have no idea from who or where the data is coming from, nor do you have any way of telling how much of it has been tampered with other than basing it on the honor system. You can't assume that any of the data you receive is valid.

Re:@Home scanners...

[technos]

I used to see that a lot during LAN parties. The easiest way to correct the behavior is to scare them a little; Copying a little VB executable that shows a hard warning into Windows/Start Menu/Programs/Startup/ works on Win9x machines. NT machines are easier. smbclient -M helps them stop, as anyone stupid enough to enable SMB doesn't have a clue on how to disable the Messinger Service.

Re:Users Send in Their Logs?

[Tuzanor]

And what about things like DHCP? That too will make some poor sap unable to connect to some computers becuase some 3l33t hax0r was using the IP that he has now...

Re:Issues

[platypus]

Or that

nslookup slashdot.org
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: slashdot.org
Address: 64.28.67.48

Heh,

root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'

(hits enter end runs...)

For those which don't know and are to lazy to look up, an exerpt from nmap manpage:

-S
In some circumstances, nmap may not be able to
determine your source address ( nmap will tell you
if this is the case). In this situation, use -S
with your IP address (of the interface you wish to
send packets through).

Another possible use of this flag is to spoof the
scan to make the targets think that someone else is
scanning them. Imagine a company being repeatedly
port scanned by a competitor! This is not a sup
ported usage (or the main purpose) of this flag.
I just think it raises an interesting possibility
that people should be aware of before they go
accusing others of port scanning them. -e would
generally be required for this sort of usage.

making assumptions

[iomud]

this project makes too many assumptions that everyone uses their boxen to sit around and block packets consider that a 10.x.x.x ip address was in the top ten shouldnt that kind of data be parsed out? Along with the potential for faked logs and unreliable data sources, it was a good thought but implamentation requires a bit more effort than a lil perl script that sifts through my logs. I hope they consider the bulk per user submissions when accepting data so as to not have a poisoned database. What about people scanning their own machines for their own security's sake? Or someone who was authorized to do it via an aup if @home scans me because i signed the aup that makes it ok, so if my ip is in the @home network that should not be considered an attack or even an intrusive scan because it was authorized when i signed on for the service. You can see where this is going a whole lot of very subjective data...

most reports will be useless

[Barbarian]

Looking at my logs, generated by iplog2, I about 5% of the stuff is anything to worry about. The rest is:

@Home scanning for news servers.
an occasional ping
Napster.

I have my rules set up to the best of my (experienced) ability to eliminate irrelevant stuff. By default, most of the logging packages log everything (i.e. ftp-data connections).

If you ever read some of the newsgroups where the same users who will be using dshield.org post, you'll see that they don't know how to tell an attack from normal activity. Unforunately I can't find some of the usual "NOTICE TO WHOEVER PINGED ME: SEND ME A PING AGAIN AND I'M CALLING THE FBI AND GETTING YOU CUT OFF FROM AOL NOW LET'S BURN THE WITCH" postings today in athome.discussion-security, but they're usually there.

The "firewall" programs that most users use don't give them any help in telling the difference between a genuine 'attack' and between their web browser downloading a file using *gasp* an ftp-date connection.

just to point out why you're all over-reacting:

[perrin5]

On "first glance" at the comments, the top two comments I see are:
1) Logs can be forged
2) They're showing the @home portscanners, and reserved netblocks on their top ten (bwuhahaha, look at them, they're so stupid)

in response to 1) there are hundreds of ways any reasonably intelligent coder could check the submitted data, to make sure the logs make logical sense.

On top of that, the whole POINT of this service is to identify people scanning whole netblocks, and then submit that report to some other agency (who would then, what? Automatically say, "well, this site said so, let's unplug the little fucker" without doing their own background check? I think not). This is all about COMPILING data, to try to learn some really interesting things about who and how many netscans there are in a given day.

In my personal opinion, this is a far more useful and important security measure, than anything security focus, or any of the other SUBMISSION based security alert services give, because they're collecting TONS of data.

Think about it for a minute, if everyone starts submitting their logs, the minor forged log every now and again will be ignored by virtue of the immense amount of legitimate information streaming in...

on the second complaint: Get over yourselves! Just because you weren't ambitious enough to start a project like this, doesn't mean that you're smarter than they are. Don't you think they'll start to make corrections once they start analysing their data? It takes time, and submissions, people.

Just think about the potential security gain if this is successful. This is a user driven ORBS database, which could, with a little HELPFUL nudging be very useful for the security minded.

Re:Blocking @Home and RoadRunner from scanning

As am @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers

I hate to break it to you, but that's not a portscan. If you are running a forwarding nameserver, put the following in your configuration and I bet anything that will go away:

query-source address * port 53;

Basically, you are sending them DNS requests from that port, they are replying, and you are denying the replies. This line makes all DNS queries come from the domain port. They will then shift their replies to be addressed to your domain port.

@Home does do portscans, yes. But not from their DNS servers. Back when I used to pay attention to such things, they quite annoyed me. But I just blocked 24.0.94.130 (authorized-scan.security.home.net) and they went away.

Re:Scanning from Private IP???

[ichimunki]

I'd suspect that this is a relic of test logs generated by running portscanners on a LAN to build up a record set for the database. They say the data is not very reliable yet.

Preventing fakes

[wowbagger]

Several posts have asked, "How can they prevent someone from faking the logs?"

It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.

However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.

What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.

Re:Preventing fakes

[wowbagger]

Hey, I never said a valid e-mail address was a perfect defense against forged data. However, I'd hope they would a) consider any @hotmail.com, @altavista.com, or @yahoo.com address with less trust than a more verifiable address, and b) require several confirming reports, from several IP addresses (even several IP address blocks), before they really got mediaval on them.

As for the comment about my suggested solution being "a bit extreme": no. A bit extreme would involve molten lead, a funnel, and the services of a proctologist.

That would only be a bit extreme.

Re:Users Send in Their Logs?

[ethereal]

A public blacklist would work if you have enough contributors that you can verify that many of them, including some trusted contributors, feel that the IP in question should be blacklisted. If you can have a reasonable belief that the majority of data on the system is valid, then the blacklist will be more-or-less effective.

For example, how many people have been framed in such a manner onto the RBL? Sure, there are plenty of cases of people who feel that they shouldn't be on the RBL because they weren't really spamming. But how often do several people conspire to accuse an IP of being a spammer or an unsecured relay just to get back at that IP? Not too often, I imagine.

Just like any online collaboration, from the RBL to online gaming matchups to /., you can gauge the reliability of the community's input based on a trust rating that you assign to contributors based on their past performance.

Issues

[Phoz]

Am I the only one concerned by this?

A few issues comes to mind:

Forged logs
It's very trivial to fake logs to make it appear
that a attack originated from a specific source.

Innocent traffic
I can't count the times I've been wrongly accused of
"port hunting" after looking for a service on a friends box.
Even a single ping can sometimes trigger a sites IDS
and mark my IP as a threath.

This may be a good idea, but without at least
some background checking and auditing
of submitted logs, I wouldn't trust it one bit.

Re:Issues

I can count the number of times I've been accused... 0. I don't just ping em, I nmap em. I've sat back and just nmaped bunches of sites just to see what they have open. Hell I almost had an account at comfedbank.com until I nmapped there web server and saw they were running telnet. Damn straight I'll nmap a banks web server, it's my business to know what kind of security a bank is going to have in place.

Re:8080 - wingate

[Barbarian]

They're looking for copies of "wingate" which are a popular proxy on private systems and which keep having new holes discovered.

What about BlackICE?

[sconeu]

The summary said that ZoneAlarm logs can be posted. What about BlackICE Defender?

/. effect

[armypuke]

http://dshield.org

Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow

ummm.... yeah...

Re:They forgot one letter...

[Anarchos]

Indeed, slashdotting a site is a direct DOS attack, and slashdot should start taking some responsibility for causing so many sites to go offline due to the spontaneous bandwidth increase of the slashdot effect. IMO, every site linked by slashdot should be given the right to deny such a link, and if the site accepts the link, should be offered time to get a mirror up or increase bandwidth. Without such a warning, linking to a small-medium business or personal homepage is the equivalent of tossing a rabbit into a cage of hungry lions and not feeling responsible for the rabbit's instant death.

Is it worth the time?

[kaos_]

I used to report any sort of scans to my network to CERT/SANS, but at some point there were just too many 'attacks' to keep track of. Any reports sent to the administrator(s) of the domain/IP usually resulted in either no response or "we'll look into it".

The sites I worked at got portscanned at least twice a day, usually from a cable modem user running Redhat Linux (easily found out by telnetting back to their IP, which has almost every service still enabled). These are script kiddies, and really I don't think I should waste time on someone who downloaded nmap.

A smart cracker won't blindly portscan your machine, because that pretty much gives him (and his skill) away. I think portscans are a fact of life. The ones to worry about are the quiet crackers, who only give away few signs that they are attempting an attack.

What is more interesting to me is the signature of attacks. I don't think analysis of this sort can be done by looking at an IP, as you may see a pattern in your firewall logs that involve many IPs or spans many days. The trick is putting all of the information together in some sort of analytical way to determine if it is a threat or not.

Users Send in Their Logs?

[Lostman]

Now, this might strike ONLY me as strange but the service are relying on users to send in their logs?

The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.

Is there anyway to make sure that this will not happen?

Re:Users Send in Their Logs?

[Foogle]

It most certainly could.

Blocking @Home and RoadRunner from scanning

[preed-man]

Great... this information could be used to tune one's own firewall to block (unwanted and nosy) portscans from @Home and RoadRunner...

Charter cable here hasn't started doing that (yet), but if I were an @Home/RR customer, that's exactly what I'd do... 'cause you *know* what would happen if we tried to pr0tsc@n them.

Re:Blocking @Home and RoadRunner from scanning

[mcrbids]

scanner=[ip for @home scanner computers];
ipaddress=[YOUR IP HERE];

ipchains -s $scanner -p tcp -d $ipaddress 4000:6000 -j DENY

Wouldn't that do the trick? (assuming you have a Linux firewall) Better yet, put the -l (log) tag at the end, so if you DO decide to sue, you at least can prove the "hack attempts" made against your machine...

cat /var/log/messages > /dev/lp0

I have a Pacific Bell static DSL and while the servers they provide crash constantly, making me use my firewall box for most of my services, (DNS, E-mail, etc) I've had NO TROUBLE AT ALL with stuff like this. They really and truly DON'T SEEM TO CARE what I do! (and if they did, they'd lose my business in a flat second because their services are so horrible)

(But don't bother trying to call them with a problem - hold times > 2 hours!)

Like most, I get attacks daily - Netbios 139 being the most frequent, it seems. Since I started dropping ALL icmp packets to/from my public interface, port scans have all but ceased.

-Ben

I have to laugh...

[Phaid]

From the page:

27/Nov/2000 16:00
Current Most Active
Attacking IP: 24.0.94.130

Then...

nslookup 24.0.94.130
Server: localhost
Address: 127.0.0.1

Name: authorized-scan.security.home.net
Address: 24.0.94.130


Ohh yeah, this is useful information :)

Re:I have to laugh...

[theCoder]

Ohh yeah, this is useful information :)

Except, who authorized it? Did the people it was scanning authorize it? It probably has a (mostly) innocent purpose, but the machine's name doesn't necessairly mean anything :)

Personally, I think that it's still useful information to know, say, if you don't want home.net scanning your box.

Who are these folks?

[sherpajohn]

...seems they are called Euclidian Consulting, and offer such services as, hmm, this is odd, the DNS for this site is dns.homepc.org, and oh, wait, that's registered to the same personas euclidian! hmmm, that coupled with the @home port scans being #1 on this list leads to the conclusion, all this is being run out of someone's basement, using an @home connection. Wow, and here I was waiting to save up enough money to buy a real "business" network, but heck, I can just use my cable connection to run my soon to IPO thingy...

Going on means going far
Going far means returning

Slashdotted, here's the PERL script for grokking

[Y2K+is+bogus]

#!/usr/bin/perl

# Linux DShield Client. V 0.0.2
#
# This script will extract relevant lines form the log file and
# send them to 'report@dshield.org'.
#
# It should run from cron regularly to look for new entries. See
# 'parameters' for more details.
#
# Parameters:
#
$userid="0"; # replace with your userid if you have one.
$email="none"; # replace with your e-mail address.
$to='report@dshield.org'; # send log to this address. Change for testing.
$local_log='/tmp/dshield.log'; # keep a local copy here for revie

$filter="input DENY"; # we only care for lines that contain this line.
$state="/var/tmp/dshield"; # file that is used to store length of log file.
$logfile="/var/log/messages"; # location of log file.

# setup a halfway safe /tmp file
srand(time);
$tmp="/tmp/dshield".$$.rand(1000);

$last_count=0;

#
# the 'state' file contains the length of the log file
# in lines the last time the script ran.
#

if ( -e $state ) {
$last_count=`cat $state`;
chmod $last_count;
}

#
# get the current length of the logfile
#

$length=`wc -l $logfile | sed 's/[^0-9]//g'`;
chomp $length;

#
# if the log file size 'shrank', we assume that the entire file
# is relevant. This will not catch log rotations where the
# log file grows rapidly.
#

$last_count=0 if ($length<$last_count);

$count=$length-$last_count;

#
# remove stale tmp files. This should never happen, as
# the temp file name is generated randomly
if (-s $tmp) {
system ("rm $tmp");
}

#
# this line 'does the work' of extracting relevant lines
#

system("tail -$count $logfile | grep '$filter' > $tmp");

# send the file. Only bother if there is something to
# report.

if ( -s $tmp) {
open (MAIL,"| /usr/sbin/sendmail -t -oi");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
if ($local) {
open (MAIL,"> $local");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
}
}

#
# cleanup the temp file and write a new state file
#

system ("rm $tmp");
system ("echo $length > $state");

DOS

[sckeener]

I have a suggestion for a poll. (yes, I know this isn't the correct place to submit this, but this article inspired it.)

Have you ever submitted an article about a company you hate just to create a /. effect?

Yes, I'm satan spawn.
No, I'm a virgin or
No, I was with CowboyNeal at a gay bar.

I like to read the articles before posting. Unfortunately it's something I rarely get to do because of the herd affect of /.

got to love /. !!

Re:Wait! Does this mean routers need privacy polic

[Dysan2k]

Heck no. Firstly, if they're actually trying to make lists of times/dates/IP's that the kiddies are scanning, then Cool! They should keep their database private for sure, but unless you run the ISP, you won't know WHO is on which IP. Personally, I'd LOVE to see some people getting fined for portscanning. A couple of grand per incident. Don't think so? Picture this. I walk through your neighborhood, and stop at each house trying to open doors and windows. Occasionally, I may use a special tool to open a door or window. If I'm doing that to your house, damn right you're going to want me arrested. Same situation, period!

Re:Slashdotted, here's the PERL script for grokkin

Hmm. Actually, looking again, there's a much more serious reason I'd call it a crappy Perl script.

$userid="0";
srand(time);
$tmp="/tmp/dshield".$$.rand(1000); if (-s $tmp) {
sy stem (rm $tmp");
}
system("tail -$count $logfile | grep '$filter' > $tmp");

So...in other words, while running as root, it picks a filename based solely on its PID (easy to guess) and the current time (easy to guess, especially since they recommend running it from cron at scheduled times). They remove this file but then tail into it blindly...if you are quick about it (inbetween the remove and tail), you can create a symlink there and get root to overwrite any file on the system. Bugtraq advisories are regularly issued about this type of thing.

They also give you a false sense of security in that there is a place to fill out a userid, but it does not use it for anything but the subject of an email. So it always runs as root, though if you quickly configured it you might think otherwise.

Re:@Home scanners...

[Sticky+Toejam]

Map their printer and print out:

YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT

Or something similar. If your real lucky you'll see the results on their webcam. :-)

Re:Scanning from Private IP???

[ichimunki]

I definitely agree that every firewall should include directions to drop packets that appear to be from "outside" that have addresses in the 10.x.x.x range, as well as the other ranges. That's a big part of what these addresses are for, assisting in clearly demarcating between internal addresses and external addresses. And the RFC, if my recollection is correct, suggests that internet routers drop such packets. So while they shouldn't be getting through, they might due to someone else being negligent. If these do show up in your incoming traffic, it sounds like something to take to people upstream-- since they aren't supposed to be forwarding that stuff, since it's either there by accident, or is a deliberate spoof. But in the case of this particular DB, I think it has more to do with the source of the seed data.

@Home scanners...

[Ergo2000]

One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.

As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.

They forgot one letter...

[pen]

They forgot one letter, the letter p. Namely, they forgot to make the MySQL connections persistent.

Instead of mysql_connect(), they should've used mysql_pconnect().

--