November 6th, 2002, 09:54 AM
IDS/Firewalls: how to detect traffic which is NOT an attack
I've noticed there are loads of people, typically windows users, who have installed <insert name of firewall/IDS here> on their box and immediately reported something which they think is an attack: Examples:
1. Help, I've just installed a packet monitor, and I'm being bombarded with tons of TCP packets from port 80 to high port numbers, are they trying to hack in?
-- NO, no-one is trying to hack in, that is your web pages downloading!
2. Help, I'm seeing loads of attacks from port 53 all from my ISP's DNS server - are they trying to hack me?
- No, these are DNS replies.
3. I've installed <insert name of windows p2p warez sharing program here> and I'm seeing loads of connections to/from my machine all over the place and in netstat etc...
- Yes, that's what these things do. They're really good at screwing up attempts at making a good IDS configuration because in IP terms, they are extremely promiscuous, connecting to/from anything on any port number they feel like. Also some of them send strange ICMP.
p2p is the enemy of IDS, it creates noise.
There are of course a lot of other situations where newbies see incoming packets and immediately assume they are attacks.
Most incoming packets will be responses to outgoing ones. These are of course safe and if you block them, you won't be very happy.
PLEASE CHECK before reporting something as an attack, that it isn't legitimate incoming responses.
If you have p2p running, shut it off for several hours beforehand; if the incoming packets continue, MAYBE then you have an attack.
Turn off IM software, auto-update on any virus scanners etc you run and anything else that generates traffic.
If you use p2p, it is extremely likely that your machine has been invaded by some ad-ware which they usually ship with. Disable this too if you can as it will generate traffic.
If after turning everything off, you still see attacks, then you might actually be getting attacked.
November 6th, 2002, 02:41 PM
Would like to add an additional thing to a good post, if you ask about it here, please provide a SANITIZED log entry or a capture of what traffic you are asking about (With source/destination ports/ip). By SANITIZED, I mean replace all IP's with either an a.b.c.d or a private address. Otherwise it is pretty difficult to give anything other than a guess when responding to your question (i.e., What are all these connections?).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
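Added example (not code from any poster in this thread): one way to produce the SANITIZED log entry the post above asks for. Every public IPv4 address is replaced with a consistent placeholder of the form a.b.c.N, so the same remote host always gets the same placeholder and readers can still correlate lines, while RFC 1918 private addresses and loopback are left alone. The log format and the addresses in SAMPLE_LOG are constructed for the example.

```python
import ipaddress
import re

# Matches dotted-quad IPv4 candidates; ipaddress.ip_address() validates them.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 private ranges plus loopback: these are safe to leave in a posted log.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log (documentation-range addresses stand in for real public ones).
SAMPLE_LOG = """\
TCP 203.0.113.7:80 -> 192.168.1.10:3322 ACK
UDP 198.51.100.53:53 -> 192.168.1.10:1027
TCP 203.0.113.7:80 -> 192.168.1.10:3323 SYN,ACK
"""


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


def sanitize(text, keep_private=True):
    """Return (sanitized_text, mapping).

    Each distinct public address becomes a.b.c.1, a.b.c.2, ... in order of first
    appearance; mapping records real -> placeholder so the poster can keep it
    privately for follow-up. Malformed dotted quads (e.g. 999.1.1.1) are left as-is.
    """
    mapping = {}

    def repl(match):
        ip_text = match.group(0)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return ip_text
        if keep_private and is_private(ip):
            return ip_text
        if ip_text not in mapping:
            mapping[ip_text] = f"a.b.c.{len(mapping) + 1}"
        return mapping[ip_text]

    return IPV4_RE.sub(repl, text), mapping


if __name__ == "__main__":
    cleaned, table = sanitize(SAMPLE_LOG)
    print(cleaned)
    print("mapping (keep this to yourself):", table)
```

Run it over a saved log and paste only the first output; the mapping stays with you so you can still act on any reply that says "a.b.c.1 looks like your ISP's proxy".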
January 5th, 2003, 06:52 PM
To perhaps simplify a little more: when you go and check, say, your usenet newsgroups, your port monitoring software will show you an ephemeral port belonging to you going out to port 119 on your news server. This is normal and expected. Your stack generates a random ephemeral port to deal with the request. The news server is offering NNTP, which is of course on port 119.
The same when you boot up your browser: another ephemeral port of yours going to port 80 on the web server.
The only time you should see ephemeral to ephemeral is when using P2P as mentioned above.
Anything beyond the above should twig your interest. Also packets directed at privileged ports on your machine, assuming you are not running any services, i.e. web server, FTP, and so on.
Hope this helps clarify things further.
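Added example, not code from any poster, that turns the rules in the first and third posts into a small triage pass over a sanitized packet log: an inbound packet whose reverse flow matches a connection the host itself opened is a reply (web page, DNS answer, NNTP), an unsolicited packet to a privileged port on a host running no services deserves a look, and unsolicited ephemeral-to-ephemeral traffic is the P2P pattern the thread warns about. The log format, the host address and the ports in SAMPLE_LOG are constructed for the example; LOCAL_SERVICES is empty because the third post assumes no services are running.

```python
import re

MY_IP = "192.168.1.10"          # assumption: the host running the packet monitor
LOCAL_SERVICES = set()          # ports this host deliberately listens on (none, as the post assumes)
PRIVILEGED_MAX = 1023           # ports 0-1023 are the privileged / well-known range
SERVICE_NAMES = {53: "dns", 80: "http", 119: "nntp"}

# Constructed sample, already sanitized: "proto src:sport -> dst:dport [flags]".
SAMPLE_LOG = """\
tcp 192.168.1.10:3322 -> a.b.c.2:80 SYN
tcp a.b.c.2:80 -> 192.168.1.10:3322 SYN,ACK
tcp a.b.c.2:80 -> 192.168.1.10:3322 ACK
udp 192.168.1.10:1027 -> a.b.c.1:53
udp a.b.c.1:53 -> 192.168.1.10:1027
tcp 192.168.1.10:3323 -> a.b.c.3:119 SYN
tcp a.b.c.3:119 -> 192.168.1.10:3323 SYN,ACK
tcp a.b.c.4:5555 -> 192.168.1.10:3324 SYN
tcp a.b.c.5:2345 -> 192.168.1.10:135 SYN
tcp a.b.c.6:80 -> 192.168.1.10:4000 SYN
"""

LINE_RE = re.compile(r"^(tcp|udp) (\S+):(\d+) -> (\S+):(\d+)")


def parse(line):
    """Return (proto, src, sport, dst, dport) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport), dst, int(dport)


def triage(lines, my_ip=MY_IP, local_services=LOCAL_SERVICES):
    """Classify each packet in order; returns a list of (line, verdict) pairs.

    Outgoing packets register a flow; an inbound packet whose reverse flow was
    registered earlier is a reply to our own request and therefore expected.
    """
    outgoing = set()  # (proto, remote_ip, remote_port, local_port) this host initiated
    results = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        proto, src, sport, dst, dport = pkt
        if src == my_ip:
            outgoing.add((proto, dst, dport, sport))
            results.append((line, "outgoing"))
            continue
        if dst != my_ip:
            results.append((line, "not ours"))
            continue
        if (proto, src, sport, dport) in outgoing:
            # Post 1, items 1 and 2: port 80 / port 53 back to a high port is a reply.
            results.append((line, "reply:" + SERVICE_NAMES.get(sport, f"port {sport}")))
        elif dport in local_services:
            results.append((line, "inbound-to-service"))
        elif dport <= PRIVILEGED_MAX:
            # Post 3: privileged port on a host running no services.
            results.append((line, "unsolicited:privileged-port"))
        elif sport > PRIVILEGED_MAX and dport > PRIVILEGED_MAX:
            # Post 1, item 3 and post 3: ephemeral to ephemeral is the P2P pattern.
            results.append((line, "unsolicited:ephemeral-to-ephemeral"))
        else:
            results.append((line, "unsolicited:other"))
    return results


def suspicious(results):
    """Only the lines that survive the 'is it just a reply?' check."""
    return [(line, v) for line, v in results if v.startswith("unsolicited")]


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:40} {line}")
```

Of the ten sample packets, only three survive triage: the ephemeral-to-ephemeral SYN (check whether P2P is running), the SYN to port 135 (privileged port, no service listening), and a SYN from port 80 to a high port with no matching outgoing connection. The rest is the host's own browsing, DNS lookup and newsgroup session coming back, exactly the traffic the thread says not to report.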