Security Incidents mailing list archives

Re: Full Plate of Crow


From: Chris Brenton <cbrenton () altenet com>
Date: Wed, 01 Aug 2001 11:52:09 -0400

Alfred Huger wrote:

> Something to note here, upsurges in port 80 probes and actually
> identifying a Code Red attack are two different things entirely.

Agreed. I'm seeing a sharp increase in HEAD queries, HTTP relay
attempts, formmail probes, as well as a whole assortment of HTTP type
probing in general. I have seen 9 confirmed Code Red traces, but this is
almost background noise to the amount of TCP/80 traffic that has kicked
up since early this morning. 

> If you
> are basing your attack stats off of firewall logs or simple access list
> packet drops your stats might well be out to lunch. Keep in mind a
> firewall is only telling you it dropped a packet, not what was in the packet.

Agreed. We really need to keep numbers straight to track this correctly.
I know the first time around many people were claiming 300,000+
infections based on the data Caida collected. To quote from their site:

http://www.caida.org/analysis/security/code-red/
"We detected over 359,000 unique infected hosts in this 24-hour period.
Hosts were considered to be infected if they sent TCP SYN packets on
port 80 to nonexistent hosts on these networks."

IMHO these could have been Code Red or they could have been nmap running
decoy mode, you have no way of knowing unless you see the packet decode.

> A lot of the people mailing me last night and this morning were sending
> firewall logs, not IDS logs.

Agreed again. No packet decode, no confirmed hit. Otherwise we'll be
looking at greatly skewed numbers. Using that criterion I could claim
14K+ Code Red infected systems back in April (oh wait, Code Red was not
even around yet... ;).

> Three people also mailed me asking about SANS's Incidents.org and their
> front page showing (as of now) something like 8000+ hosts infected. So far
> as I know Incidents.org (which is a good site) is pulling its data from
> Dshield.org (which is a really good site as well). Now Dshield so far as I
> understand it gathers its stats from a number of devices but it does not
> do attack correlation. Meaning it does not actually make sense of the logs
> outside of telling what was denied on what ports. So it could be saying
> that 8000+ people have seen traffic dropped on port 80, or perhaps their
> staff are going through the logs by hand (I pity them if this is the
> case). Perhaps someone from one of those organizations can post and shed
> some light on this for us.

Since Johannes maintains the data on dshield, I've cc'd him in. He would
be the guy "in the know". ;)

HTH,
Chris
-- 
**************************************
cbrenton () altenet com

$ chown -R us:us yourbase
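The rule the thread keeps coming back to, "no packet decode, no confirmed hit", can be made mechanical. The script below is an added example, not part of this thread or of any of the tools it mentions: it reads constructed firewall-drop lines (no payload) and constructed IDS lines (decoded request), never promotes a bare port-80 drop to a confirmed infection, and counts unique source hosts rather than packets. The log formats, addresses and request strings are all made up; the `/default.ida?` request prefix is the well-known Code Red signature.

```python
import re

# Constructed sample logs (not from the original mail). "FW" lines are
# firewall drops and carry no payload; "IDS" lines carry the decoded request.
SAMPLE_LOGS = """\
FW 2001-08-01T09:02:11 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=80 flags=S
FW 2001-08-01T09:02:12 DROP src=192.0.2.10 dst=198.51.100.6 proto=tcp dport=80 flags=S
FW 2001-08-01T09:03:40 DROP src=192.0.2.77 dst=198.51.100.9 proto=tcp dport=80 flags=S
IDS 2001-08-01T09:04:02 src=192.0.2.10 dst=198.51.100.5 dport=80 req="GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0"
IDS 2001-08-01T09:05:17 src=192.0.2.33 dst=198.51.100.5 dport=80 req="HEAD / HTTP/1.0"
IDS 2001-08-01T09:06:00 src=192.0.2.44 dst=198.51.100.5 dport=80 req="GET /cgi-bin/formmail.pl HTTP/1.0"
IDS 2001-08-01T09:07:21 src=192.0.2.55 dst=198.51.100.5 dport=80 req="GET http://203.0.113.9/ HTTP/1.0"
"""

FW_RE = re.compile(r'^FW \S+ DROP src=(\S+) dst=\S+ proto=tcp dport=(\d+)')
IDS_RE = re.compile(r'^IDS \S+ src=(\S+) dst=\S+ dport=(\d+) req="([^"]*)"')
# Code Red worm request: .ida overflow padded with N (CRv1/v2) or X (Code Red II).
CODE_RED_RE = re.compile(r'^GET /default\.ida\?[NX]{10,}', re.I)

def classify(line):
    """Return (src, verdict). A firewall drop has no payload, so the best
    it can ever yield is 'unconfirmed'; only a decoded request confirms."""
    m = FW_RE.match(line)
    if m:
        src, dport = m.group(1), int(m.group(2))
        return src, "port80-drop-unconfirmed" if dport == 80 else "other-drop"
    m = IDS_RE.match(line)
    if m:
        src, req = m.group(1), m.group(3)
        if CODE_RED_RE.match(req):
            return src, "code-red-confirmed"
        if req.startswith("HEAD "):
            return src, "http-head-probe"
        if "formmail" in req.lower():
            return src, "formmail-probe"
        if re.match(r'^\w+ https?://', req):   # absolute URI = open-proxy/relay probe
            return src, "http-relay-attempt"
        return src, "http-other"
    return None, "unparsed"

def tally(log_text):
    """Unique source hosts per verdict, so one scanner hitting many targets
    (the 'skewed numbers' problem in the thread) counts once."""
    hosts = {}
    for line in log_text.splitlines():
        src, verdict = classify(line)
        if src:
            hosts.setdefault(verdict, set()).add(src)
    return {v: len(s) for v, s in hosts.items()}

if __name__ == "__main__":
    for verdict, n in sorted(tally(SAMPLE_LOGS).items()):
        print(f"{verdict:26} {n} host(s)")
```

On the sample, two hosts produced port-80 drops but only one of them (192.0.2.10) is confirmed by a decode; 192.0.2.77 stays an unconfirmed probe, which is exactly the host a firewall-log-only count would have added to the infection total.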

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

