Collecting Logs from Firewalls to Detect Crackers

Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them in a database. The point is to single out script kiddies that scan large IP segments. It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users. Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."

Re:@Home scanners...

[0xA]

The reason you are you get so much NETBIOS traffic has nothing to do with being scanned.

When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).

When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.

I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.

Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.

security hole?

[aozilla]

Gee, these are the people who are worried about people scanning them, so they send their logs about the scan to a site that doesn't even have enough money to withstand the slashdot effect? Can you say stooooooooopid?

If only it were filtered

[Phaid]

This is unfortunately going to become completely useless really fast, unless the people running the site take some active measures.

At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).

When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.

Re:If only it were filtered

[FeeDBaCK]

Those personal firewalls quite frankly piss me off. Yes, you are going to get scanned at some point by somebody trying to exploit something. Most people who run a personal firewall generally do not have much knowledge about network security, or else they would be using a better solution. These personal firewalls do nothing more than scare the user into thinking he is constantly being attacked by the 31337 h4x0rz all over the Internet that are out to steal his goatsex porn on his computer and hack into his bank account to buy a new Ferrari with his account number. There is quite a bit of useful information that can be gathered from these firewalls, but the people that they are marketed towards are not the people who would understand what any of the data means. I would think it would be much better if the firewall designers made it easier to configure. Base the firewalls on service names instead of ports... things like that. I have friends that are on cable who call me or e-mail me almost constantly with snippets from their logs of their personal firewall asking wether or not something is an attack. I would say that almost everything I have ever recieved has been valid data from a host that they were interacting with...

Re:If only it were filtered

[Ralph+Wiggam]

Personal firewalls are an obvious evolution from mainstream virus protection software. How much money has AV software made? I would guess somewhere in the hundreds of millions. How many viruses are really out there in the wild? A few dozen, tops. The only two that have caused real damage in the past few years have been email script viruses that AV packages didn't catch. So now everyone owns at least one AV package and those big companies need to make more money. So they make people think that evil "hackers" are out there trying to steal your financial records and the pictures of your nephew and that super 31337 Budweiser frogs screensaver you have. Sold. My defense to such things is to just have an uninteresting life and very little money. That will stop them every time.

-B

Heh, scoreboard

[mwalker]

It's a scoreboard for script kiddies!

They're gonna spend all day trying to get their box to the top of "most active attacking IP".
Like getting a slashdot fp...

Re:Heh, scoreboard

[Bob+McCown]

It might keep them out of our hair, though. Maybe they'd be too busy attacking each other to worry about the big sites...

I just had a thought (Yea, I know, first time for everything). Would these very same script kiddies on cablemodems be called @homeboys?

Honeypots

[bl968]

InfoWorld had an interesting article on the success of using easy to hack systems to trap and analyze hacker attacks

Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. is also on InfoWorld

The site these articles are based off of is located here. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds

Re:Is this really necessary?

[FeeDBaCK]

Quite honestly, this is why Managed Security Providers are becoming more popular. You pay someone else to monitor your company for attacks. Most companies cannot afford to staff their own network security team to audit security on a regular basis and to watch logs in real-time.

Re:Blocking @Home and RoadRunner from scanning

[DoomHaven]

The problem then being that for @Home subscribers (like myself), you can't block the addresses for @Home servers.

As an @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers (either primary or secondary, forget which one). When I phoned to complain, here is the reasons I got for it:
1) They were verifying my connection.
2) They were checking to see if I had any illicit servers in that range (from UDP 4000-6000, got to make sure that I don't have a rogue licensing server there)
3) They were sending packet data to my cable modem, NOT my computer.

After I heard excuse number three, I realised the advanced level of stupid I was dealing with, and promptly disengaged the phone call.

Still leaving me with the original problem; that @Home's DNS servers are port probing me.

What are the legal ramifications of this? This is unwanted traffic; doesn't that constitute cracking? Isn't that illegal? Can I talk @Home to court for this?

Re:Users Send in Their Logs?

[shepd]

>Is there anyway to make sure that this will not happen?

Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.

While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.

You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.

A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.

They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]

Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.

I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...

what about dynamic ip's?

[Patrix]

That may be all good and well (taking into consideration what others said already...)

But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...

Patrix.

Re:@Home scanners...

[Marc+Boucher]

I'm connected with an ADSL modem on a Linux fw. I'm subscribed since last October and until early november I've encountered many NetBIOS scans from fellow clients of my ISP. After some investigation I've discovered that it was in fact caused by a virus/trojan named "W32/QAZ.worm" (for a description read this).
So, I will urge everyone to check their computer, mostly windoze users, for this kind of trojan. It's kind of sticky and fast breeding.

In other news....

[Restil]

November 28, 2000:

dshield.org, a new service designed to analyze firewall logs to look for suspicious activity, submitted its own firewall logs for analysis. To their great surprise, they appeared to be the subject of a giant DOS attack that lasted for 24 hours, as out of nowwhere, nearly 700,000 computers around the world accessed the website.
Due to the enourmous hits, the site was frequently unavailable for legitimate users. Officials suspect foul play, but have been unable to determine a motive for the unprecedented attack. "This is precisely the reason we developed this system; to expose the origins of potential attackers and allow the user to take appropriate action". When asked if it was possible they were simply the victim of the feared "slashdot effect", those allegations were denied. "As soon as our bandwidth returned to normal, we checked out this slashdot.org but saw no mention of the site anywhere on the front page. We checked the logs and found only one refrence from slashdot.org. Although it appears right before the attack began, we are certain that this is only a coincedence.

:)

-Restil

I wonder....

[Stavr0]

To: authorized-scan1.security.home.net
From: subscriber@home.net
Subject: Repeated attacks

Hello,
Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
Yours truly, @home customer

From: @HOME tech support
To: @HOME customer
Subject: RE: Repeated attacks

Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
Pay your fucking bill in full now or we'll TOSs ya.
@home techie
---
Inanimate Carbon Rod thanks you for your support. See you in 2004!

Re:@Home scanners...

[technos]

I used to see that a lot during LAN parties. The easiest way to correct the behavior is to scare them a little; Copying a little VB executable that shows a hard warning into Windows/Start Menu/Programs/Startup/ works on Win9x machines. NT machines are easier. smbclient -M helps them stop, as anyone stupid enough to enable SMB doesn't have a clue on how to disable the Messinger Service.

Re:Issues

[platypus]

Or that

nslookup slashdot.org
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: slashdot.org
Address: 64.28.67.48

Heh,

root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'

(hits enter end runs...)

For those which don't know and are to lazy to look up, an exerpt from nmap manpage:

-S
In some circumstances, nmap may not be able to
determine your source address ( nmap will tell you
if this is the case). In this situation, use -S
with your IP address (of the interface you wish to
send packets through).

Another possible use of this flag is to spoof the
scan to make the targets think that someone else is
scanning them. Imagine a company being repeatedly
port scanned by a competitor! This is not a sup
ported usage (or the main purpose) of this flag.
I just think it raises an interesting possibility
that people should be aware of before they go
accusing others of port scanning them. -e would
generally be required for this sort of usage.

most reports will be useless

[Barbarian]

Looking at my logs, generated by iplog2, I about 5% of the stuff is anything to worry about. The rest is:

@Home scanning for news servers.
an occasional ping
Napster.

I have my rules set up to the best of my (experienced) ability to eliminate irrelevant stuff. By default, most of the logging packages log everything (i.e. ftp-data connections).

If you ever read some of the newsgroups where the same users who will be using dshield.org post, you'll see that they don't know how to tell an attack from normal activity. Unforunately I can't find some of the usual "NOTICE TO WHOEVER PINGED ME: SEND ME A PING AGAIN AND I'M CALLING THE FBI AND GETTING YOU CUT OFF FROM AOL NOW LET'S BURN THE WITCH" postings today in athome.discussion-security, but they're usually there.

The "firewall" programs that most users use don't give them any help in telling the difference between a genuine 'attack' and between their web browser downloading a file using *gasp* an ftp-date connection.

Re:Scanning from Private IP???

[ichimunki]

I'd suspect that this is a relic of test logs generated by running portscanners on a LAN to build up a record set for the database. They say the data is not very reliable yet.

Preventing fakes

[wowbagger]

Several posts have asked, "How can they prevent someone from faking the logs?"

It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.

However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.

What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.

Re:Preventing fakes

[wowbagger]

Hey, I never said a valid e-mail address was a perfect defense against forged data. However, I'd hope they would a) consider any @hotmail.com, @altavista.com, or @yahoo.com address with less trust than a more verifiable address, and b) require several confirming reports, from several IP addresses (even several IP address blocks), before they really got mediaval on them.

As for the comment about my suggested solution being "a bit extreme": no. A bit extreme would involve molten lead, a funnel, and the services of a proctologist.

That would only be a bit extreme.

Issues

[Phoz]

Am I the only one concerned by this?

A few issues comes to mind:

Forged logs
It's very trivial to fake logs to make it appear
that a attack originated from a specific source.

Innocent traffic
I can't count the times I've been wrongly accused of
"port hunting" after looking for a service on a friends box.
Even a single ping can sometimes trigger a sites IDS
and mark my IP as a threath.

This may be a good idea, but without at least
some background checking and auditing
of submitted logs, I wouldn't trust it one bit.

Users Send in Their Logs?

[Lostman]

Now, this might strike ONLY me as strange but the service are relying on users to send in their logs?

The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.

Is there anyway to make sure that this will not happen?

I have to laugh...

[Phaid]

From the page:

27/Nov/2000 16:00
Current Most Active
Attacking IP: 24.0.94.130

Then...

nslookup 24.0.94.130
Server: localhost
Address: 127.0.0.1

Name: authorized-scan.security.home.net
Address: 24.0.94.130


Ohh yeah, this is useful information :)

Slashdotted, here's the PERL script for grokking

[Y2K+is+bogus]

#!/usr/bin/perl

# Linux DShield Client. V 0.0.2
#
# This script will extract relevant lines form the log file and
# send them to 'report@dshield.org'.
#
# It should run from cron regularly to look for new entries. See
# 'parameters' for more details.
#
# Parameters:
#
$userid="0"; # replace with your userid if you have one.
$email="none"; # replace with your e-mail address.
$to='report@dshield.org'; # send log to this address. Change for testing.
$local_log='/tmp/dshield.log'; # keep a local copy here for revie

$filter="input DENY"; # we only care for lines that contain this line.
$state="/var/tmp/dshield"; # file that is used to store length of log file.
$logfile="/var/log/messages"; # location of log file.

# setup a halfway safe /tmp file
srand(time);
$tmp="/tmp/dshield".$$.rand(1000);

$last_count=0;

#
# the 'state' file contains the length of the log file
# in lines the last time the script ran.
#

if ( -e $state ) {
$last_count=`cat $state`;
chmod $last_count;
}

#
# get the current length of the logfile
#

$length=`wc -l $logfile | sed 's/[^0-9]//g'`;
chomp $length;

#
# if the log file size 'shrank', we assume that the entire file
# is relevant. This will not catch log rotations where the
# log file grows rapidly.
#

$last_count=0 if ($length<$last_count);

$count=$length-$last_count;

#
# remove stale tmp files. This should never happen, as
# the temp file name is generated randomly
if (-s $tmp) {
system ("rm $tmp");
}

#
# this line 'does the work' of extracting relevant lines
#

system("tail -$count $logfile | grep '$filter' > $tmp");

# send the file. Only bother if there is something to
# report.

if ( -s $tmp) {
open (MAIL,"| /usr/sbin/sendmail -t -oi");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
if ($local) {
open (MAIL,"> $local");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
}
}

#
# cleanup the temp file and write a new state file
#

system ("rm $tmp");
system ("echo $length > $state");

DOS

[sckeener]

I have a suggestion for a poll. (yes, I know this isn't the correct place to submit this, but this article inspired it.)

Have you ever submitted an article about a company you hate just to create a /. effect?

Yes, I'm satan spawn.
No, I'm a virgin or
No, I was with CowboyNeal at a gay bar.

I like to read the articles before posting. Unfortunately it's something I rarely get to do because of the herd affect of /.

got to love /. !!

Re:@Home scanners...

[Sticky+Toejam]

Map their printer and print out:

YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT

Or something similar. If your real lucky you'll see the results on their webcam. :-)

@Home scanners...

[Ergo2000]

One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.

As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.