Hackin9

Chinese attacks show up useless infosec, again
CSO Magazine
Recent attacks on US newspapers are further proof that, despite making billions, the information security industry is pretty much screwed. My American colleague Antone Gonsalves has written up some lessons learned from the Chinese attacks on the New ...

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In today's world, compromised systems as well as attacks and probes against our networks are sadly becoming the norm. Because of this, when we see network traffic that violates normal behavior, our first reaction is that someone is doing reconnaissance, we have been compromised, or we are under attack. We all want to be proactive and stop the activity, but we also don't want to become the boy who cried wolf. Sometimes the traffic can be outside of what is normal but be completely legitimate. Taking a deep breath and remaining calm while doing the analysis is important. Ask yourself if the traffic could have a legitimate purpose. Here are a couple of examples of products that generate traffic that appears threatening but is really the normal behavior of the system.



F5 Load Balancer:

I first encountered traffic from an F5 back in 2006. At that time a reader submitted traffic to us that had the following unusual characteristics:



1. The repeating IP ID which rotated using only 1, 2, or 3

2. The window size was a constant 2048

3. The TTLs which were usually 44/45 or very close to that.

4. It was always TCP connections to the primary DNS server. No UDP traffic was captured from those IPs.

5. The 24 0x00 data bytes (keep in mind that these are SYN packets)

6. The time stamps and source ports were also helpful in determining that these were not TCP retries.



The submitter was not sure what was going on, but the traffic certainly was not normal. I won't rehash the diary here; you can read the diary entry "Packet Analysis Challenge: The Solution" if you like. The traffic was simply the probes of the F5 Global Traffic Manager. I am not sure if the L5 probes function the same way today or not. I do know that the Global Traffic Manager now states this:



By default, big3d agents first attempt to probe the local DNS with a DNS_DOT query. If the probe attempt fails, big3d attempts the following tasks, in the following order:

DNS_REV query

UDP echo

TCP port 53 socket connection

ping (ICMP echo)



which can be easily mistaken for a probe/attack against your local DNS server. In the end, the unusual traffic was normal.
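The checklist above can be applied mechanically to everything seen from one source address. The following is an added example, not code from the diary or from F5; the packet record field names and the sample packets are constructed for illustration. The TTL is reported rather than matched, because it depends on the network path.

```python
# Added example: test one source's packets against the 2006 traits listed above.
# Record fields (proto, sport, dport, flags, ip_id, window, ttl, payload) are
# this example's own naming, and the sample packets are constructed.
ZERO24 = b"\x00" * 24

def gtm_traits(packets):
    """Return trait -> bool for all packets captured from a single source."""
    tcp = [p for p in packets if p["proto"] == "tcp"]
    some = bool(tcp)
    return {
        # 1. IP ID rotates through 1, 2, 3 only
        "ip_id_1_to_3": some and all(p["ip_id"] in (1, 2, 3) for p in tcp),
        # 2. constant window size of 2048
        "window_2048": some and all(p["window"] == 2048 for p in tcp),
        # 4. TCP to port 53 only, no UDP from this source
        "tcp_53_only": len(tcp) == len(packets) and all(p["dport"] == 53 for p in tcp),
        # 5. SYN packets carrying 24 bytes of 0x00
        "syn_24_zero_bytes": some and all(
            p["flags"] == "S" and p["payload"] == ZERO24 for p in tcp),
        # 6. every SYN uses a new source port, so these are not TCP retries
        "not_retries": some and len({p["sport"] for p in tcp}) == len(tcp),
    }

def observed_ttls(packets):
    """3. TTLs were usually 44/45; listed for the analyst, not used as a test."""
    return sorted({p["ttl"] for p in packets if "ttl" in p})

def matches_2006_profile(packets):
    return all(gtm_traits(packets).values())

def syn(sport, ip_id, ttl=45):
    """Build one constructed SYN record shaped like the submitted traffic."""
    return {"proto": "tcp", "sport": sport, "dport": 53, "flags": "S",
            "ip_id": ip_id, "window": 2048, "ttl": ttl, "payload": ZERO24}

PROBES = [syn(40001, 1), syn(40002, 2), syn(40003, 3, ttl=44), syn(40004, 1)]
RETRIES = [syn(40001, 1), syn(40001, 1)]            # same source port twice
MIXED = PROBES + [{"proto": "udp", "sport": 5353, "dport": 53}]

if __name__ == "__main__":
    for name, sample in (("PROBES", PROBES), ("RETRIES", RETRIES), ("MIXED", MIXED)):
        print(name, matches_2006_profile(sample), observed_ttls(sample))
```

A match only says the packets look like the 2006 capture; confirming that the source address belongs to a Global Traffic Manager is still a separate step.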





McAfee Rogue System Detection Sensors

With McAfee you can install Rogue System Detection Sensors in your network and manage them via the ePO policies. These sensors scan the networks to do OS fingerprinting. You can read about this feature at McAfee's community website. Here is an example of the traffic you will see if left unmodified:



Host discovery, UDP ports:

53 67 69 123 137 161 500 1434

Host discovery, TCP ports:

21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000

Service discovery, UDP ports:

53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981

Service discovery, TCP ports:

7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 49152-49157





It can be unnerving if you see workstations scanning your network and you're not aware of the functionality of the software. Again, nothing malicious, just normal software behavior.
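When a workstation is seen scanning, comparing the ports it touched with the lists above shows quickly whether the scan fits the sensor's default profile. The following is an added example, not McAfee code; the port lists are copied from this page and the observed ports in the usage lines are constructed.

```python
# Added example: compare the ports one host was seen probing with the Rogue
# System Detection default lists quoted above. Observations are constructed.
PROFILES = {
    ("host", "udp"): "53 67 69 123 137 161 500 1434",
    ("host", "tcp"): "21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000",
    ("service", "udp"): "53 68-69 123 135 137-138 161 260 445 500 514 520 1434 "
                        "1645-1646 1812-1813 2049 31337 43981",
    ("service", "tcp"): "7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 "
                        "109-111 113 118-119 135 139 143 150 156 256-259 264 389 "
                        "396 427 443 445 465 512-515 524 563 593 636 799 900-901 "
                        "1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 "
                        "1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 "
                        "2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 "
                        "3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 "
                        "5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 "
                        "7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 "
                        "20034 30821 32768-32790 49152-49157",
}

def expand(spec):
    """Turn a list such as '21-23 25' into the set {21, 22, 23, 25}."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def compare(proto, observed):
    """Per RSD phase: profile ports seen, profile size, ports outside the profile."""
    observed = set(observed)
    result = {}
    for (phase, profile_proto), spec in PROFILES.items():
        if profile_proto == proto:
            profile = expand(spec)
            result[phase] = {"seen": len(observed & profile),
                             "profile_size": len(profile),
                             "outside": sorted(observed - profile)}
    return result

if __name__ == "__main__":
    # Constructed observations: the first fits host discovery, the second does not.
    print(compare("tcp", [21, 22, 265, 5000]))
    print(compare("tcp", [80, 4444]))
```

Ports reported under `outside` for both phases are the ones worth a closer look, since the default sensor lists do not account for them.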





Due to time and space, these are only a couple of examples of software/appliances whose traffic falls into the not normal range. Being aware of these can help you save a few gray hairs and make better sense of traffic on your network. I always find these unusual traffic patterns interesting but they can take a lot of time to research. The information is not always easy to find and takes some time doing reading and web searches. If you know of any others, please share them. If we get enough, we can compile them for easy access as a reference.


 

Australia in five-nation talks to declassify infosec data
iT News
This is because cyber weaponry like Stuxnet will likely -- inevitably, Schmidt said -- be discovered by the infosec research community. In recent years, security researchers have discovered and extensively detailed malware thought to have been ...

 
The February patch was offered today -- ahead of schedule -- and contains fixes for 50 vulnerabilities
 