Security Incidents mailing list archives
Re: Full Plate of Crow
From: Chris Brenton <cbrenton () altenet com>
Date: Wed, 01 Aug 2001 11:52:09 -0400
Alfred Huger wrote:
> Something to note here, upsurges in port 80 probes and actually identifying a Code Red attack are two different things entirely.
Agreed. I'm seeing a sharp increase in HEAD queries, HTTP relay attempts, formmail probes, as well as a whole assortment of HTTP type probing in general. I have seen 9 confirmed Code Red traces, but this is almost background noise to the amount of TCP/80 traffic that has kicked up since early this morning.
> If you are basing your attack stats off of firewall logs or simple access list packet drops your stats might well be out to lunch. Keep in mind a firewall is only telling you it dropped a packet, not what was in the packet.
Agreed. We really need to keep numbers straight to track this correctly. I know the first time around many people were claiming 300,000+ infections based on the data Caida collected. To quote from their site: http://www.caida.org/analysis/security/code-red/ "We detected over 359,000 unique infected hosts in this 24-hour period. Hosts were considered to be infected if they sent TCP SYN packets on port 80 to nonexistent hosts on these networks." IMHO these could have been Code Red or they could have been nmap running decoy mode; you have no way of knowing unless you see the packet decode.
> A lot of the people mailing me last night and this morning were sending firewall logs, not IDS logs.
Agreed again. No packet decode, no confirmed hit. Otherwise we'll be looking at greatly skewed numbers. Using those criteria I could claim 14K+ Code Red infected systems back in April (oh wait, Code Red was not even around yet... ;).
> Three people also mailed me asking about SANS's Incidents.org and their front page showing (as of now) something like 8000+ hosts infected. So far as I know Incidents.org (which is a good site) is pulling its data from Dshield.org (which is a really good site as well). Now Dshield, so far as I understand it, gathers its stats from a number of devices but it does not do attack correlation. Meaning it does not actually make sense of the logs outside of telling what was denied on what ports. So it could be saying that 8000+ people have seen traffic dropped on port 80, or perhaps their staff are going through the logs by hand (I pity them if this is the case). Perhaps someone from one of those organizations can post and shed some light on this for us.
Since Johannes maintains the data on dshield, I've cc'd him in. He would be the guy "in the know". ;)

HTH,
Chris

--
**************************************
cbrenton () altenet com
$ chown -R us:us yourbase

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
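As an added example (not part of this thread), the "no packet decode, no confirmed hit" rule applied in Python to constructed log lines: firewall drop lines only yield a count of hosts that hit tcp/80, while decoded HTTP request lines can be sorted into HEAD probes, formmail probes, relay attempts and Code Red. The Code Red check relies on the well-known /default.ida request signature, which the thread itself does not spell out.

```python
import re
from collections import Counter

# Constructed sample logs (not real captures). A firewall drop shows only
# addressing, so it can count "tcp/80 probes" but cannot name the attack;
# the decoded HTTP request line (IDS or web log) is what confirms Code Red.
FIREWALL_LOG = """\
Aug  1 09:02:11 fw kernel: DROP SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=4133 DPT=80 SYN
Aug  1 09:02:12 fw kernel: DROP SRC=10.0.0.6 DST=192.0.2.11 PROTO=TCP SPT=1290 DPT=80 SYN
Aug  1 09:02:14 fw kernel: DROP SRC=10.0.0.7 DST=192.0.2.12 PROTO=TCP SPT=2201 DPT=25 SYN
"""
HTTP_LOG = """\
10.0.0.5 - - [01/Aug/2001:09:03:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 -
10.0.0.8 - - [01/Aug/2001:09:03:05 -0400] "HEAD / HTTP/1.0" 200 -
10.0.0.9 - - [01/Aug/2001:09:03:09 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 -
10.0.0.6 - - [01/Aug/2001:09:03:12 -0400] "GET http://www.example.com/ HTTP/1.0" 403 -
"""

FW_RE = re.compile(r"SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+) SYN")
HTTP_RE = re.compile(r'^(?P<src>\S+) .*"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')
# Well-known Code Red request: /default.ida followed by a long run of N
# (Code Red) or X (Code Red II) padding the .ida overflow. Not in the thread.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]{20,}", re.IGNORECASE)

def port80_drops(firewall_log: str) -> set[str]:
    """Unique sources with a dropped SYN to tcp/80: activity, not an attack ID."""
    return {m["src"] for line in firewall_log.splitlines()
            if (m := FW_RE.search(line)) and m["dport"] == "80"}

def classify_request(method: str, uri: str) -> str:
    """Label one decoded request; only at this layer can Code Red be confirmed."""
    if CODE_RED_RE.match(uri):
        return "code-red"
    if method == "HEAD":
        return "head-probe"
    if "formmail" in uri.lower():
        return "formmail-probe"
    if uri.startswith("http://"):  # absolute URI in the request = proxy/relay test
        return "relay-attempt"
    return "other"

def confirmed_hits(http_log: str) -> Counter:
    """Tally request classes over decoded HTTP lines."""
    tally: Counter = Counter()
    for line in http_log.splitlines():
        if m := HTTP_RE.match(line):
            tally[classify_request(m["method"], m["uri"])] += 1
    return tally
```

Run on the samples, the firewall log reports two tcp/80 hosts and nothing more, while the HTTP log confirms exactly one Code Red request among the other probes.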