Security Incidents: Re: @home: Is *anyone* really home there???

Re: @home: Is *anyone* really home there???

From: William Annis <annis_at_BIOSTAT.WISC.EDU>
Date: Fri, 3 Mar 2000 15:54:04 -0600

>Date: Thu, 2 Mar 2000 16:34:30 -0500
>From: "Greg A. Woods" <woods_at_most.weird.com>
>
>As a side note I should mention that I find it quite interesting that
>it's almost never the case that all of my hosts receive portmap requests
>from the same source.

        I have seen RPC dump scans of our entire class C's originating
from the same source address. Of course I also see the random
requests from all over, too, spread over days.

> Either such tools are randomising the source
>address and using some other means of reply detection; or they are
>distributing the scanning (and not all scanners are operating in sync
>and thus the probes I see across my network are also randomly
>distributed in time);

        Has anyone done any sort of statistical analysis of scanning
behavior against their networks? I came up with a fairly bizarre
mechanism inspired by my desire *not* to get paged for every single
host scanned. See http://www.biostat.wisc.edu/~annis/mom3/help/tr_event.html
for the algorithm which analyzes the rate of security events. It
seems to match fairly well for various port and service scans, at
least for the last few months of data.

        I'd love to know if people have better mechanisms for event
time analysis.

> or perhaps people don't actually scan entire
>networks using this kind of test.

        They do. It's very subtle. :)

        Anecdote: I contacted the owner of one ISP after getting a
full RPC dump() sweep. He insisted up one side and down the other
that the source IP - his - was spoofed. Can anyone explain to me the
purpose of doing a dump() scan if you never see the data? I can't
think of anything, but information about low-level networking
sometimes takes me a while to absorb.

--
William Annis - System Administrator - Biomedical Computing Group
annis_at_biostat.wisc.edu                       PGP ID:1024/FBF64031
Mi parolas Esperanton - La Internacian Lingvon  www.esperanto.org
Received on Mar 06 2000
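The post asks for mechanisms that analyse the rate of security events so that one RPC dump() sweep does not page the administrator once per host. The following is an added illustration of such a mechanism, not the tr_event algorithm linked above and not code from the mailing-list thread: it groups wrapper-style portmap log lines by source address, clusters each source's probes into bursts, and raises one alert per burst that reaches a threshold, while lone probes ("random requests from all over") are only counted as background. The log format, the 10-minute window, the threshold of 3 probes and the year (syslog lines carry none) are all assumptions chosen for the example.

```python
"""Burst detection over portmap probe events, keyed on source address.

Added example: not William Annis's tr_event algorithm and not from the
original post. Log lines, window and threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sweeping five hosts within seconds, plus two
# isolated probes from unrelated sources hours apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 portmap[123]: connect from 203.0.113.9 to dump(): request from unauthorized host
Mar  3 10:00:02 host2 portmap[456]: connect from 203.0.113.9 to dump(): request from unauthorized host
Mar  3 10:00:02 host3 portmap[789]: connect from 203.0.113.9 to dump(): request from unauthorized host
Mar  3 10:00:04 host4 portmap[321]: connect from 203.0.113.9 to dump(): request from unauthorized host
Mar  3 10:00:05 host5 portmap[654]: connect from 203.0.113.9 to dump(): request from unauthorized host
Mar  3 13:12:40 host2 portmap[987]: connect from 198.51.100.20 to dump(): request from unauthorized host
Mar  4 02:30:11 host7 portmap[135]: connect from 192.0.2.77 to dump(): request from unauthorized host
"""

WINDOW = timedelta(minutes=10)   # assumed: max gap between probes of one burst
THRESHOLD = 3                    # assumed: probes in a burst before we alert

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<clock>\d\d:\d\d:\d\d) (?P<target>\S+) "
    r"portmap\[\d+\]: connect from (?P<src>\S+) to (?P<proc>\w+)\(\)"
)


def parse_line(line, year=2000):
    """Parse one wrapper-style portmap log line; return None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    stamp = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['clock']}",
                              "%Y %b %d %H:%M:%S")
    return {"time": stamp, "target": d["target"], "src": d["src"], "proc": d["proc"]}


def parse_log(text, year=2000):
    """Parse a whole log, silently skipping lines that are not portmap probes."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def bursts_by_source(events, window=WINDOW):
    """Sort each source's probes by time and split them into bursts: consecutive
    probes no more than `window` apart belong to the same burst."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    result = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["time"])
        bursts, current = [], [evs[0]]
        for prev, e in zip(evs, evs[1:]):
            if e["time"] - prev["time"] <= window:
                current.append(e)
            else:
                bursts.append(current)
                current = [e]
        bursts.append(current)
        result[src] = bursts
    return result


def find_sweeps(events, window=WINDOW, threshold=THRESHOLD):
    """Return (alerts, background): one alert per burst with at least `threshold`
    probes, so a sweep of a whole class C produces a single page; probes in
    smaller bursts are summed into `background` instead of alerting."""
    alerts, background = [], 0
    for src, bursts in bursts_by_source(events, window).items():
        for burst in bursts:
            if len(burst) < threshold:
                background += len(burst)
                continue
            alerts.append({
                "src": src,
                "probes": len(burst),
                "hosts": len({e["target"] for e in burst}),
                "procs": sorted({e["proc"] for e in burst}),
                "first": burst[0]["time"],
                "last": burst[-1]["time"],
            })
    return alerts, background


if __name__ == "__main__":
    alerts, background = find_sweeps(parse_log(SAMPLE_LOG))
    for a in alerts:
        print(f"sweep from {a['src']}: {a['probes']} probes against {a['hosts']} hosts "
              f"({', '.join(a['procs'])}) between {a['first']} and {a['last']}")
    print(f"{background} isolated probe(s) below threshold")
```

Keying on the source address is what makes the one-page-per-sweep behaviour work, so the detector is only as good as that address: a burst that is really spread over forged sources would fall into the background count instead of an alert, which is one reason to keep the background figure visible rather than discarding it.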