InfoSec News

This weekend has been pretty smooth with respect to security incidents, so I thought I would show everybody what my DShield sensor is telling me about the unsolicited packets coming to my home network. I've been submitting packets to DShield for nearly 10 years so I've got a lot of historical data I can look back through. This is very helpful when trying to figure out if something is new, or if it's been here before.
Here's what my report from yesterday (November 20, 2010) said:
Day: 2010-11-20
Userid: xxxxxxxx

For 2010-11-20 you submitted 7763 packets from 1352 sources hitting 3 targets.

Port Summary
============

 Port | Packets | Sources | Targets | Service        | Name
------+---------+---------+---------+----------------+--------------------------
 6881 |    7265 |    1240 |       1 | bittorrent     | Bit Torrent P2P
   23 |      76 |      75 |       1 | telnet         |
   22 |       6 |       5 |       1 | ssh            | SSH Remote Login Protocol
14043 |      16 |       5 |       1 |                |
 1434 |       3 |       3 |       1 | ms-sql-m       | Microsoft-SQL-Monitor
   80 |       3 |       3 |       1 | www            | World Wide Web HTTP
  500 |      34 |       2 |       1 | isakmp         | VPN Key Exchange
 5060 |       2 |       2 |       1 | sip            | SIP
    0 |      17 |       1 |       1 |                |
 8000 |       2 |       1 |       1 | irdmi          | iRDMI
44859 |       1 |       1 |       1 |                |
49719 |       6 |       1 |       1 |                |
 2304 |       1 |       1 |       1 | attachmate-uts | Attachmate UTS
 8443 |       1 |       1 |       1 | pcsync-ssl     | PCSync SSL
45890 |       3 |       1 |       1 |                |
50129 |       1 |       1 |       1 |                |
 2489 |      15 |       1 |       1 | tsilb          | TSILB
 8880 |       1 |       1 |       1 | cddbp-alt      | CDDBP
47028 |       6 |       1 |       1 |                |
50603 |     263 |       1 |       1 |                |

Port Scanners
=============

         source | Ports Scanned | Host Name
----------------+---------------+-----------------------------------------
  88.69.244.106 |             8 | dslb-088-069-244-106.pools.arcor-ip.net
  221.1.220.185 |             3 |
 166.68.134.172 |             2 |
  85.114.130.94 |             2 | o094.orange.fastwebserver.de
 85.192.147.126 |             2 | 85-192-147-126.dsl.esoo.ru

Source Summary
==============

         source |  hostname   | packets | targets | all pkts | all trgs | first seen
----------------+-------------+---------+---------+----------+----------+-----------
      1.53.88.8 |             |     971 |       1 |     1132 |        1 | 11-20-2010
  113.22.207.92 |             |     408 |       1 |      208 |        1 | 11-20-2010
 166.68.134.172 |             |     296 |       1 |    12492 |        2 | 11-13-2010
  61.64.224.115 | -net.net.tw |      80 |       1 |      142 |        1 | 11-18-2010
  99.159.78.228 | cglobal.net |      58 |       1 |       56 |        1 | 11-20-2010
 118.166.218.29 | c.hinet.net |      45 |       1 |       45 |        1 | 11-20-2010
    123.0.72.24 | 3.cc9.ne.jp |      44 |       1 |       47 |        1 | 11-20-2010
  41.133.190.65 | .mweb.co.za |      42 |       1 |      103 |        1 | 11-18-2010
   84.252.32.21 |             |      41 |       1 |       82 |        1 | 11-18-2010
   82.226.17.57 | .proxad.net |      39 |       1 |       74 |        3 | 10-29-2010
   68.5.169.151 | .oc.cox.net |      38 |       1 |       83 |        1 | 11-15-2010
  77.76.128.133 | ilinkbg.com |      36 |       1 |       43 |       10 | 11-13-2010
213.109.234.208 |             |      36 |       1 |       80 |        1 | 11-15-2010
114.156.127.176 | a.ocn.ne.jp |      36 |       1 |      122 |        4 | 10-26-2010
  58.114.142.76 | giga.net.tw |      34 |       1 |      107 |        1 | 11-15-2010
 41.236.243.205 | .tedata.net |      34 |       1 |       39 |        1 | 11-20-2010
  111.185.35.37 | albb.net.tw |      34 |       1 |       88 |        1 | 11-13-2010
    41.200.4.97 |             |      33 |       1 |       30 |        1 | 11-20-2010
  116.49.85.149 | vigator.com |      33 |       1 |       33 |        1 | 11-20-2010
    84.54.184.2 | lingrad.net |      33 |       1 |       77 |        9 | 04-04-2010


As you can see, I've got a lot of unsolicited Bit Torrent traffic, and quite a few intruders trying to telnet into my home system. All of these packets are dropped by my firewall, logged, then sent to DShield once an hour. In a perfect world I would not be seeing any SYN packets coming at my house, since I'm not running any servers here. The large number of Bit Torrent packets is troubling, but I'm sure that it's because whoever previously held the dynamic IP assigned to me was a Bit Torrent user and all of his peers are trying to reconnect.
So what does your home DShield report look like? Getting anything you should not be seeing? In fact, are you submitting DShield data from your home network? If not, please do so! We can use all of the packets we can get, and doing this at home is a snap. The instructions are on the DShield site, and if you have any questions just let us know. We run a discussion list on Google Groups, so be sure to sign up for that too. Let us know how you use DShield via the comment link below.
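To show how the counts in a report like the one above are derived from a sensor's firewall log, here is an added example (not DShield's client software and not the author's code) that aggregates dropped-packet log lines into the same three tables: Port Summary (packets, sources, targets per port), Port Scanners (sources that touched several ports) and the per-day columns of the Source Summary. The log lines are constructed for illustration, using a simplified netfilter LOG layout (SRC=, DST=, PROTO=, SPT=, DPT= fields) and RFC 5737 documentation addresses; filing port-less packets such as ICMP under port 0 is a convention chosen for this example, not a DShield rule.

```python
"""Aggregate a firewall's dropped-packet log into DShield-style summaries.

Added example, not DShield's client software and not the diary author's code.
The log lines are constructed for illustration: a simplified netfilter LOG
layout (SRC=, DST=, PROTO=, SPT=, DPT= fields) using RFC 5737 documentation
addresses. Only inbound packets the firewall dropped are assumed to be logged,
so every record counts as unsolicited.
"""
import re
from collections import defaultdict

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
Nov 20 00:01:12 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=6881 SYN
Nov 20 00:01:13 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=6881 SYN
Nov 20 00:02:40 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=4420 DPT=6881 SYN
Nov 20 00:03:01 gw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=3350 DPT=23 SYN
Nov 20 00:03:05 gw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=3351 DPT=22 SYN
Nov 20 00:03:09 gw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=3352 DPT=80 SYN
Nov 20 00:04:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.11 PROTO=UDP SPT=5060 DPT=5060
Nov 20 00:04:30 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP SPT=1434 DPT=1434
Nov 20 00:05:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=ICMP TYPE=8
Nov 20 00:05:30 gw syslog: unrelated message without packet fields
"""

# One regex pulls the addresses, protocol and (optional) ports out of a line.
FIELDS = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return a list of (src, dst, proto, dport) records.

    Lines without packet fields are skipped; packets without a destination
    port (ICMP here) are kept with dport=None so they still count as packets.
    """
    records = []
    for line in text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue
        dpt = m.group("dpt")
        records.append((m.group("src"), m.group("dst"), m.group("proto"),
                        int(dpt) if dpt is not None else None))
    return records


def totals(records):
    """The numbers in the report header: packets, distinct sources, distinct targets."""
    return (len(records),
            len({r[0] for r in records}),
            len({r[1] for r in records}))


def port_summary(records):
    """dport -> (packets, sources, targets). Port-less packets are filed under 0
    (a convention chosen for this example, not a DShield rule)."""
    packets, sources, targets = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, dst, _proto, dport in records:
        key = 0 if dport is None else dport
        packets[key] += 1
        sources[key].add(src)
        targets[key].add(dst)
    return {p: (packets[p], len(sources[p]), len(targets[p])) for p in packets}


def port_scanners(records, min_ports=2):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for src, _dst, _proto, dport in records:
        if dport is not None:
            ports[src].add(dport)
    return {s: len(p) for s, p in ports.items() if len(p) >= min_ports}


def source_summary(records):
    """src -> (packets, targets), the per-day columns of the Source Summary."""
    packets, targets = defaultdict(int), defaultdict(set)
    for src, dst, _proto, _dport in records:
        packets[src] += 1
        targets[src].add(dst)
    return {s: (packets[s], len(targets[s])) for s in packets}


def render(records):
    """Text report in the same shape as the DShield e-mail, sorted by packet count."""
    pk, sc, tg = totals(records)
    out = [f"Submitted {pk} packets from {sc} sources hitting {tg} targets.", "",
           " Port | Packets | Sources | Targets",
           "------+---------+---------+--------"]
    for port, (p, s, t) in sorted(port_summary(records).items(),
                                  key=lambda kv: kv[1][0], reverse=True):
        out.append(f"{port:>5} | {p:>7} | {s:>7} | {t:>7}")
    out += ["", "         source | Ports Scanned", "----------------+--------------"]
    for src, n in sorted(port_scanners(records).items(), key=lambda kv: -kv[1]):
        out.append(f"{src:>15} | {n:>13}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse_log(SAMPLE_LOG)))
```

Run against a real netfilter log the regex still applies, since the SRC=/DST=/PROTO=/DPT= fields appear in that order in the kernel's LOG output; the one thing to watch is that only inbound DROP lines reach the parser, otherwise accepted or outbound traffic would inflate the "unsolicited" counts.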
Marcus H. Sachs
Director, SANS Internet Storm Center

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.