Thread: Intrusion Statistics

  1. #1

    Intrusion Statistics

    Hi Everybody:


    My firewall is Norton Internet Security (NIS). I connect via dial-up. For months, I've seen intrusion attacks from various IP addresses.

    Starting May 2, I've increased the NIS log size to 2MB and have been saving these logs daily. My intent: Generate empirical statistics on intrusions/attacks, identify the preponderance of attacks by country-origin and the most persistent attackers' IP address (shall we say top 100?).

    Anybody interested in a parallel effort? This may vary from country to country, from ISP to ISP and by the type of firewall used. But if the firewall maintains a log, then those interested may just save these logs into plain text format and later on identify the country-origin of the IP. For my case, I'll be using IP to Country.

    What shall we accomplish? Broadly, simply generate awareness for all on the following:
    a. Intrusions happen almost every second that one stays on-line;
    b. Some users may just be unaware that even their own systems serve as bridges for these attacks;
    c. Some countries may just happen to have less sense of IT security or some establishments/systems deliberately attack other systems as a prelude to future information warfare scenarios; and
    d. Some IP addresses may just be worth avoiding (can we really deliberately do that?) while we are online.

    In addition, it may just make us aware of related issues such as:
    a. Firewalls do not always work when a malware/adware piggybacks itself into our download process (I plan to make a separate post regarding this experience);
    b. Some IP addresses may just happen to be bogus when attacking (I base this on my observation that my system has varying IP addresses [within the ISP range?] whenever I go online).

    I am aware that false statistics may just be generated but the time needed to just identify the country for each IP address is already enormous; so why waste time generating false data? For my case, I'll always be ready to upload the daily logs [in raw plain text format or PDF] to anyone who'd demand proof of the stats I've come up with. A few other rules may just be needed as well regarding redundancies, frequency and cases of **INVALID** IP addresses.

    Relatedly, would anyone mind generating a small program that would use the IP to Country MS Excel Library as reference to a faster identification of the country origin of the IP addresses?

    -Goitz
    Si vis pacem, para bellum!

  2. #2
    Have you visited SANS Internet Storm Center where they keep track of a variety of similar type of stats?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    I just did. Didn't know there was **THAT**, thanks for the heads-up. Now, I'll go pore over their posted details.
    Si vis pacem, para bellum!

  4. #4
    Well...sadly most of those logs may just be "background traffic" as people call it. It freaks most newbies out completely. I may be wrong, but it would be helpful to show us what kind of stuff is in the logs.
    Well...its not gonna get much better than linux!

  5. #5
    I've attached here the initial log in the Firewall section of NIS for 02 May 2005. I saved it into plain text format before I cleared the log so it could have greater space and to prevent duplication of entries that will be saved later.

    Yes, there is a lot of background traffic. From the firewall report, however, one can see the IP address from where the attack originated.
    Si vis pacem, para bellum!

  6. #6
    Also, Symantec have their own, DeepSight Analyzer

    and their own ThreatCon :P

    I've been submitting my logs to them for about 6 months now. Nothing major, but I know I'm still playing a little part...

    https://analyzer.symantec.com/default.asp
    If You've Done Something Right, People Won't Know You've Done Anything At All - God (Futurama)

  7. #7
    Seems like a lot of 'noise' on your subnet after a brief look at the log. There was an eye-catcher though. I wondered what massdown.exe was and found out it was a Motorola modem driver. So, what part of Australia are ya from?

    Also check out dshield.org. It seems more along the lines of something you'd like to get into.

  8. #8
    Jonesy69,

    Not Australia; in the Philippines. I'm using a dial-up connection, hence the local address may vary at the various instances that I do connect, but the country code stays, though not always the same ISP, as the highest baud rate made available is what I'm primarily after online.

    The massdown.exe is actually Mass Downloader from www.metaproducts.com. I'm using it now as a test replacement after purging DAP off my system. I do need that facility since I normally schedule downloads in MB size while I go to sleep.

    The reason for the increase in the "traffic noise" is my hyping up the blocking rule to include all inbound TCP/UDP. After all, these are unsolicited and, therefore, to be considered as possible intrusion attempts. Authorized inbound TCP/UDP are based on the "agent" carrier in this case, i.e., the active URL I'm connected to at the time of the transaction. Anything else falls under the intrusion category. I have yet to identify the individual IPs and I do also plan to compare them with the Web History log to see if anything significant is worth deducing.

    I've taken a look at dshield.org... and yes, I'm considering that as another possible avenue. After all, the wider the population base for a sample, the more reliable the data are in terms of representation.

    BTW, in the course of my initial recording (manual as I failed to save the NIS logs before increasing the log sizes), I encountered the following addresses as TCP sources: 24.33.258.191 and 24.255.105.249. When I checked them with IP to Country, I encountered an error message saying the IP address should be valid. MsMittens' recommended site (www.isc.sans.org) returned USA (Cox Communications Inc.) for the latter but none for the first IP address. That, of course, may just open up another issue--the existence of the IT "netherworld"(?).

    Cheers.

    -Goitz
    Si vis pacem, para bellum!
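The kind of "small program" asked for in the opening post, combined with the invalid-address problem reported in this last reply, as an added example that is not code from the thread or from any of the tools it names. It assumes a sorted, non-overlapping range table of the same shape as an IP-to-Country CSV (here a constructed table using RFC 5737 documentation ranges and ISO 3166 user-assigned codes XA/XB/XC, not real assignments) and a constructed, simplified log-line format, because the NIS log layout itself is not shown in the thread. It validates each source address before lookup, so an entry such as 24.33.258.191 (third octet above 255) is reported as invalid rather than silently miscounted, skips RFC 1918 sources, and produces the per-country and top-N source counts the thread is after.

```python
import bisect
import ipaddress
import re
from collections import Counter

# Constructed IP-to-Country table: (first address, last address, code).
# Uses RFC 5737 documentation ranges and ISO 3166 user-assigned codes, so no
# real country assignment is claimed. A real table must be sorted by start
# address and non-overlapping for the bisect lookup below to be correct.
COUNTRY_TABLE = [
    (int(ipaddress.IPv4Address("192.0.2.0")), int(ipaddress.IPv4Address("192.0.2.255")), "XA"),
    (int(ipaddress.IPv4Address("198.51.100.0")), int(ipaddress.IPv4Address("198.51.100.255")), "XB"),
    (int(ipaddress.IPv4Address("203.0.113.0")), int(ipaddress.IPv4Address("203.0.113.255")), "XC"),
]
_STARTS = [row[0] for row in COUNTRY_TABLE]

# Constructed log format (assumption; NIS's real layout is not shown in the thread):
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"-> (?P<dst>[^:\s]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Sources inside these blocks are local machines, not Internet attackers.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines, including one syntactically invalid source.
LOG_LINES = """\
2005-05-02 10:15:01 TCP 203.0.113.45:4321 -> 10.0.0.5:135 blocked
2005-05-02 10:15:03 TCP 203.0.113.45:4322 -> 10.0.0.5:445 blocked
2005-05-02 10:15:07 UDP 198.51.100.9:1026 -> 10.0.0.5:1026 blocked
2005-05-02 10:15:09 TCP 24.33.258.191:3210 -> 10.0.0.5:135 blocked
2005-05-02 10:15:12 TCP 192.0.2.77:2049 -> 10.0.0.5:80 blocked
2005-05-02 10:15:15 TCP 203.0.113.45:4323 -> 10.0.0.5:139 blocked
2005-05-02 10:15:20 TCP 192.0.2.10:80 -> 10.0.0.5:1100 allowed
2005-05-02 10:15:22 TCP 10.0.0.7:1234 -> 10.0.0.5:135 blocked
""".splitlines()


def parse_ip(text):
    """Return an IPv4Address, or None if text is not a valid dotted quad
    (e.g. '24.33.258.191', whose third octet exceeds 255)."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def lookup_country(ip):
    """Binary-search the range table; None when the address is in no range."""
    n = int(ip)
    i = bisect.bisect_right(_STARTS, n) - 1
    if i >= 0:
        start, end, code = COUNTRY_TABLE[i]
        if start <= n <= end:
            return code
    return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def summarize(lines, top_n=100):
    """Count blocked inbound sources by IP and by country.

    Invalid addresses are collected separately instead of being dropped, so the
    statistics stay honest about what could not be attributed.
    """
    by_ip, by_country = Counter(), Counter()
    invalid, unknown_country = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("action") != "blocked":
            continue                      # malformed line or permitted traffic
        ip = parse_ip(m.group("src"))
        if ip is None:
            invalid.append(m.group("src"))
            continue
        if is_internal(ip):
            continue                      # local/private source, not an attacker
        by_ip[str(ip)] += 1
        code = lookup_country(ip)
        if code is None:
            unknown_country.append(str(ip))
        else:
            by_country[code] += 1
    return {
        "top_sources": by_ip.most_common(top_n),
        "by_country": by_country,
        "invalid": invalid,
        "unknown_country": unknown_country,
    }


if __name__ == "__main__":
    report = summarize(LOG_LINES, top_n=100)
    for ip, count in report["top_sources"]:
        print(f"{ip:16} {count}")
    print("by country:", dict(report["by_country"]))
    print("invalid sources:", report["invalid"])
```

Swap `COUNTRY_TABLE` for rows loaded from a real IP-to-Country file (start, end as integers, then code) and `LOG_RE` for a pattern matching the exported NIS text, and the rest stands. Keeping the invalid and unattributed lists in the output is what lets someone else reproduce the figures from the raw logs, which is the proof the opening post offers to provide.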
