Detecting attacks against servers
Last Updated: 2006-10-03 12:32:02 UTC
by Swa Frantzen (Version: 2)
We all hear of servers getting hit on one of their exposed interfaces and then being used in phishing attacks, spreading malware, feeding warez and basically support all other things the bad guys out there do.
But how can you detect it with little to no fancy means?
Flows are a neat source of information. Basically it's the routers you already have telling you what IP address talked to what other IP address using what port during a relatively short interval. Now collecting flows from a high end router is no little feat, so you will need storage and processing resources but if you can do it, it allows for insights in traffic patterns on a large scale.
E.g. discovering machines scanning for SSH (port tcp/22) next starting to talk on port tcp/4000 to some of those machines is a sign of something spreading to the next server. If those already affected IP addresses are then also relatively high bandwidth and owned by companies that sound like they are in the hosting business, the impact of each and every of these machines getting owned is not insignificant. A shared hosting server can service many hundreds domainnames and each one of those might be adding the newest 0-day exploit towards its visitors.
So keep those applications such as openssl and openssh patched on your servers, they are being scanned for.
Update: Andrew provided a pointer to a list of netflow tools.--
Swa Frantzen -- Section 66