Slashdot Mirror

← Back to Stories (view on slashdot.org)

Collecting Logs from Firewalls to Detect Crackers

Posted by ryuzaki0 on from the interesting-ideas dept.

Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them in a database. The point is to single out script kiddies that scan large IP segments. It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users. Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."

12 of 138 comments (clear)

  1. Re:@Home scanners... by 0xA · · Score: 5

    The reason you are you get so much NETBIOS traffic has nothing to do with being scanned.

    When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).

    When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.

    I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.

    Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.

  2. If only it were filtered by Phaid · · Score: 5

    This is unfortunately going to become completely useless really fast, unless the people running the site take some active measures.

    At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).

    When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.

  3. Honeypots by bl968 · · Score: 5

    InfoWorld had an interesting article on the success of using easy to hack systems to trap and analyze hacker attacks

    Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. is also on InfoWorld

    The site these articles are based off of is located here. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
  4. Re:Users Send in Their Logs? by shepd · · Score: 4

    >Is there anyway to make sure that this will not happen?

    Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.

    While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.

    You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.

    A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.

    They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]

    Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.

    I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  5. what about dynamic ip's? by Patrix · · Score: 5

    That may be all good and well (taking into consideration what others said already...)

    But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...

    Patrix.

  6. I wonder.... by Stavr0 · · Score: 5
    To: authorized-scan1.security.home.net
    From: subscriber@home.net
    Subject: Repeated attacks

    Hello,
    Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
    Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
    Yours truly, @home customer

    From: @HOME tech support
    To: @HOME customer
    Subject: RE: Repeated attacks

    Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
    Pay your fucking bill in full now or we'll TOSs ya.
    @home techie
    ---
    Inanimate Carbon Rod thanks you for your support. See you in 2004!

  7. Re:Issues by platypus · · Score: 4
    Or that

    nslookup slashdot.org
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: slashdot.org
    Address: 64.28.67.48

    Heh,

    root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'

    (hits enter end runs...)

    For those which don't know and are to lazy to look up, an exerpt from nmap manpage:

    -S
    In some circumstances, nmap may not be able to
    determine your source address ( nmap will tell you
    if this is the case). In this situation, use -S
    with your IP address (of the interface you wish to
    send packets through).

    Another possible use of this flag is to spoof the
    scan to make the targets think that someone else is
    scanning them. Imagine a company being repeatedly
    port scanned by a competitor! This is not a sup
    ported usage (or the main purpose) of this flag.
    I just think it raises an interesting possibility
    that people should be aware of before they go
    accusing others of port scanning them. -e would
    generally be required for this sort of usage.
  8. Re:Scanning from Private IP??? by ichimunki · · Score: 4

    I'd suspect that this is a relic of test logs generated by running portscanners on a LAN to build up a record set for the database. They say the data is not very reliable yet.

    --
    I do not have a signature
  9. Preventing fakes by wowbagger · · Score: 5

    Several posts have asked, "How can they prevent someone from faking the logs?"

    It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.

    However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.

    What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.

    --
    www.eFax.com are spammers
  10. Users Send in Their Logs? by Lostman · · Score: 4

    Now, this might strike ONLY me as strange but the service are relying on users to send in their logs?

    The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.

    Is there anyway to make sure that this will not happen?

  11. Re:@Home scanners... by Sticky+Toejam · · Score: 5
    Map their printer and print out:

    YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT

    Or something similar. If your real lucky you'll see the results on their webcam. :-)

  12. @Home scanners... by Ergo2000 · · Score: 5

    One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.

    As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.