A Day In The Life Of A DShield Sensor

Published: 2010-11-21
Last Updated: 2010-11-21 23:05:21 UTC
by Marcus Sachs (Version: 1)
1 comment(s)

This weekend has been pretty smooth with respect to security incidents, so I thought I would show everybody what my DShield sensor is telling me about the unsolicited packets coming to my home network.  I've been submitting packets to DShield for nearly 10 years so I've got a lot of historical data I can look back through.  This is very helpful when trying to figure out if something is new, or if it's been here before. 

Here's what my report from yesterday (November 20, 2010) said:

   Day: 2010-11-20
Userid: xxxxxxxx

For 2010-11-20 you submitted 7763 packets from 1352 sources hitting 3 targets.

Port Summary
============

Port  |  Packets  |  Sources  |  Targets  |      Service       |  Name
------+-----------+-----------+-----------+--------------------+-------------
 6881 |      7265 |      1240 |         1 |         bittorrent | Bit Torrent P2P
   23 |        76 |        75 |         1 |             telnet |
   22 |         6 |         5 |         1 |                ssh | SSH Remote Login Protocol
14043 |        16 |         5 |         1 |                    |
 1434 |         3 |         3 |         1 |           ms-sql-m | Microsoft-SQL-Monitor
   80 |         3 |         3 |         1 |                www | World Wide Web HTTP
  500 |        34 |         2 |         1 |             isakmp | VPN Key Exchange
 5060 |         2 |         2 |         1 |                sip | SIP
    0 |        17 |         1 |         1 |                    |
 8000 |         2 |         1 |         1 |              irdmi | iRDMI
44859 |         1 |         1 |         1 |                    |
49719 |         6 |         1 |         1 |                    |
 2304 |         1 |         1 |         1 |     attachmate-uts | Attachmate UTS
 8443 |         1 |         1 |         1 |         pcsync-ssl | PCSync SSL
45890 |         3 |         1 |         1 |                    |
50129 |         1 |         1 |         1 |                    |
 2489 |        15 |         1 |         1 |              tsilb | TSILB
 8880 |         1 |         1 |         1 |          cddbp-alt | CDDBP
47028 |         6 |         1 |         1 |                    |
50603 |       263 |         1 |         1 |                    |


Port Scanners
=============

    source     | Ports Scanned | Host Name
---------------+---------------+------------
  88.69.244.106|           8   | dslb-088-069-244-106.pools.arcor-ip.net
  221.1.220.185|           3   |
 166.68.134.172|           2   |
  85.114.130.94|           2   | o094.orange.fastwebserver.de
 85.192.147.126|           2   | 85-192-147-126.dsl.esoo.ru


Source Summary
==============

    source     | hostname  |packets|targets| all pkts | all trgs | first seen
---------------+-----------+-------+-------+----------+----------+-----------
      1.53.88.8|           |   971 |     1 |     1132 |        1 | 11-20-2010
  113.22.207.92|           |   408 |     1 |      208 |        1 | 11-20-2010
 166.68.134.172|           |   296 |     1 |    12492 |        2 | 11-13-2010
  61.64.224.115|-net.net.tw|    80 |     1 |      142 |        1 | 11-18-2010
  99.159.78.228|cglobal.net|    58 |     1 |       56 |        1 | 11-20-2010
 118.166.218.29|c.hinet.net|    45 |     1 |       45 |        1 | 11-20-2010
    123.0.72.24|3.cc9.ne.jp|    44 |     1 |       47 |        1 | 11-20-2010
  41.133.190.65|.mweb.co.za|    42 |     1 |      103 |        1 | 11-18-2010
   84.252.32.21|           |    41 |     1 |       82 |        1 | 11-18-2010
   82.226.17.57|.proxad.net|    39 |     1 |       74 |        3 | 10-29-2010
   68.5.169.151|.oc.cox.net|    38 |     1 |       83 |        1 | 11-15-2010
  77.76.128.133|ilinkbg.com|    36 |     1 |       43 |       10 | 11-13-2010
213.109.234.208|           |    36 |     1 |       80 |        1 | 11-15-2010
114.156.127.176|a.ocn.ne.jp|    36 |     1 |      122 |        4 | 10-26-2010
  58.114.142.76|giga.net.tw|    34 |     1 |      107 |        1 | 11-15-2010
 41.236.243.205|.tedata.net|    34 |     1 |       39 |        1 | 11-20-2010
  111.185.35.37|albb.net.tw|    34 |     1 |       88 |        1 | 11-13-2010
    41.200.4.97|           |    33 |     1 |       30 |        1 | 11-20-2010
  116.49.85.149|vigator.com|    33 |     1 |       33 |        1 | 11-20-2010
    84.54.184.2|lingrad.net|    33 |     1 |       77 |        9 | 04-04-2010


As you can see, I've got a lot of unsolicited Bit Torrent traffic, and quite a few intruders trying to telnet into my home system. All of these packets are dropped by my firewall, logged, then sent to DShield once an hour. In a perfect world I would not be seeing any SYN packets coming at my house since I'm not running any servers here. The large number of Bit Torrent packets is troubling, but I'm sure that it's because whoever owned the dynamic IP assigned to me was a Bit Torrent user and all of his peers are trying to reconnect.
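As an added example (not code from the diary or from DShield), here is a small Python parser for the Port Summary section in the report layout above, with two triage helpers: each port's share of the day's packets, and ports where a few sources send many packets, such as port 50603 above with 263 packets from a single source. The embedded report text is a constructed excerpt of the table above.

```python
from collections import namedtuple
from typing import List, Tuple

PortRow = namedtuple("PortRow", "port packets sources targets service name")

# Constructed excerpt of a DShield daily report, laid out like the diary's Port Summary table
SAMPLE_REPORT = """\
Port Summary
============

Port  |  Packets  |  Sources  |  Targets  |      Service       |  Name
------+-----------+-----------+-----------+--------------------+-------------
 6881 |      7265 |      1240 |         1 |         bittorrent | Bit Torrent P2P
   23 |        76 |        75 |         1 |             telnet |
   22 |         6 |         5 |         1 |                ssh | SSH Remote Login Protocol
  500 |        34 |         2 |         1 |             isakmp | VPN Key Exchange
50603 |       263 |         1 |         1 |                    |

Port Scanners
=============
"""

def parse_port_summary(report: str) -> List[PortRow]:
    """Return the data rows of the 'Port Summary' section of a daily report."""
    rows, in_section = [], False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "Port Summary":
            in_section = True
            continue
        if not in_section or not stripped or stripped[0] in "-=":
            continue                      # outside the section, blank, or a rule line
        if "|" not in line:
            break                         # next section title reached
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 6 and cols[0].isdigit():   # skips the column header row
            rows.append(PortRow(int(cols[0]), int(cols[1]), int(cols[2]),
                                int(cols[3]), cols[4], cols[5]))
    return rows

def packet_share(rows: List[PortRow]) -> List[Tuple[int, float]]:
    """Each port's fraction of the day's packets, largest first."""
    total = sum(r.packets for r in rows)
    return sorted(((r.port, r.packets / total) for r in rows), key=lambda t: -t[1])

def repeat_sender_ports(rows: List[PortRow], max_sources: int = 5,
                        min_pkts_per_source: float = 20.0) -> List[int]:
    """Ports where a handful of sources sent many packets each: a persistent sender worth a look in the firewall log, unlike broad scanning."""
    return [r.port for r in rows
            if r.sources and r.sources <= max_sources and r.packets / r.sources >= min_pkts_per_source]
```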

So what does your home DShield report look like?  Getting anything you should not be seeing?  In fact, are you submitting DShield data from your home network?  If not, please do so!  We can use all of the packets we can get, and doing this at home is a snap.  The instructions are on the DShield site, and if you have any questions just let us know.  We run a discussion list on Google Groups, so be sure to sign up for that too.  Let us know how you use DShield via the comment link below.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: DShield