North American Network Operators Group


RE: Customer-facing ACLs

  • From: Frank Bulk - iNAME
  • Date: Sat Mar 08 14:56:23 2008

While I don't do flow monitoring today, when monitoring for outbound spam
with Wireshark I have seen hosts systematically check all the hosts in the
block for an open SMTP port.  I'm sure a lot more is going on that I don't
know.  The patterns are obvious to the human observer -- too bad that such
logic isn't built into the firewall.  I know there are some enterprise
security admins that subscribe to the approach that all inbound and outbound
traffic is blocked de facto, with a few ports opened up in either
direction for known applications.  Of course, port 80 becomes the port of
choice for all the undesired apps.


-----Original Message-----
From: Justin Shore [mailto:[email protected]] 
Sent: Saturday, March 08, 2008 12:28 PM
To: [email protected]
Cc: 'Mark Foster'; Dave Pooser; [email protected]
Subject: Re: Customer-facing ACLs

It varies widely.  I see some extremely slow scans (1 SYN every 2-5
minutes).  This is what someone on the SANS ISC page mentioned I believe.

I've also seen scans last for up to 10 minutes.  The consistency of the
speeds made me think that perhaps the scanning computer was on a slow link.

The worst scans are the ones that last a second or two and hit us with a
SYN for every IP in our allocations.  That kind of scan and its flood of
packets is the one that I don't think I can stop without some sort of QoS.

I've seen coordinated scans with everything from 2 to about a dozen
different hosts scanning seemingly random IPs across our network.  I
know it's coordinated though because together they hit every IP but
never hit the same IP by more than one scanner.

I've seen scans that clearly learn where the accessible SSH daemons are,
that then feed this info back to the puppet master so he can command a
different compromised host (or hosts) to then handle the attacks.  I've
also seen a scanner first scan our network and then immediately start
pounding on the accessible daemons.  Finally I've seen the scanner stop
its scan in mid-stream, pound on an accessible daemon for a while with a
pre-defined set of userids and then continue on with the scans.

Clearly there's some variation in the scanning methods.


Frank Bulk wrote:
> The last few spam incidents I measured an outflow of about 2 messages per
> second.  Does anyone know how aggressive Telnet and SSH scanning is?  Even
> if it was greater, it's my guess there are many more hosts spewing spam
> than there are running abusive telnet and SSH scans.
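Frank describes watching a single host check every address in a block for an open SMTP port, and Justin describes slow scans (one SYN every few minutes), one- or two-second sweeps of a whole allocation, and coordinated scans in which several sources together hit every IP but never the same IP twice. The following is an added example, not code from this thread or from any NANOG participant: detection logic in Python run over constructed flow-style records (timestamp, source, destination, destination port) that flags single-source horizontal scans, including slow ones, and coordinated sweeps whose sources cover a block with no overlap. All addresses are from the RFC 5737 documentation ranges, and the thresholds and window sizes are assumptions, not values from the thread.

```python
"""Flag horizontal TCP scans in flow records.

Added example; the records below are constructed and model three patterns
from the thread: a fast sweep of a /24 on tcp/25, a slow scan on tcp/22
(one SYN every three minutes), and a coordinated pair of sources that
between them cover the block on tcp/22 without ever hitting the same
destination twice.  A repeated benign connection is included as a control.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2008, 3, 8, 12, 0, 0)                 # constructed epoch
MONITORED = ipaddress.ip_network("203.0.113.0/24")    # RFC 5737 documentation block


def build_flows():
    """Constructed (timestamp, src, dst, dport) records; not real traffic."""
    flows = []
    # Fast sweep: one host touches every address in the /24 on tcp/25 in ~2 s.
    for i, host in enumerate(MONITORED.hosts()):
        flows.append((BASE + timedelta(milliseconds=8 * i), "198.51.100.7", str(host), 25))
    # Slow scan: one SYN every 3 minutes on tcp/22, 20 targets over 57 minutes.
    for i in range(20):
        flows.append((BASE + timedelta(minutes=3 * i), "198.51.100.9", f"203.0.113.{10 + i}", 22))
    # Coordinated pair: even addresses from one source, odd from another, ~2 minutes total.
    for i in range(1, 255):
        src = "192.0.2.21" if i % 2 == 0 else "192.0.2.22"
        flows.append((BASE + timedelta(seconds=0.5 * i), src, f"203.0.113.{i}", 22))
    # Benign control: a customer host talking to its mail relay every 30 s.
    for i in range(20):
        flows.append((BASE + timedelta(seconds=30 * i), "203.0.113.50", "203.0.113.25", 25))
    return flows


def horizontal_scanners(flows, min_targets=16, window=timedelta(hours=1)):
    """Return {(src, dport): distinct_targets} for sources that touched at least
    min_targets distinct destinations on one port within a tumbling window.
    The window is long on purpose: a scanner sending one SYN every few minutes
    still accumulates enough distinct targets to cross the threshold."""
    targets = defaultdict(set)
    first_seen = {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        if key not in first_seen or ts - first_seen[key] > window:
            first_seen[key] = ts       # start a new window for this source/port
            targets[key] = set()
        targets[key].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def coordinated_sweeps(flows, block, dport, min_sources=2, min_coverage=0.9,
                       window=timedelta(minutes=10)):
    """Find groups of sources that, within one window, together cover at least
    min_coverage of `block` on `dport` while never overlapping on a destination.
    Disjoint coverage is the tell: every IP hit, no IP hit by two scanners.
    Returns [(window_start, sorted_sources, hosts_covered)]."""
    block = ipaddress.ip_network(str(block))
    n_hosts = len(list(block.hosts()))
    relevant = sorted(f for f in flows
                      if f[3] == dport and ipaddress.ip_address(f[2]) in block)
    results = []
    i = 0
    while i < len(relevant):
        start = relevant[i][0]
        per_src = defaultdict(set)
        while i < len(relevant) and relevant[i][0] - start <= window:
            per_src[relevant[i][1]].add(relevant[i][2])
            i += 1
        # Greedy set packing: largest contributors first, keep a source only if
        # its destinations are disjoint from everything already in the group.
        group, covered = [], set()
        for src, dsts in sorted(per_src.items(), key=lambda kv: -len(kv[1])):
            if dsts.isdisjoint(covered):
                group.append(src)
                covered |= dsts
        if len(group) >= min_sources and len(covered) / n_hosts >= min_coverage:
            results.append((start, tuple(sorted(group)), len(covered)))
    return results


if __name__ == "__main__":
    flows = build_flows()
    for (src, port), n in sorted(horizontal_scanners(flows).items()):
        print(f"horizontal scan: {src} -> {n} distinct hosts on tcp/{port}")
    for start, group, n in coordinated_sweeps(flows, MONITORED, 22):
        print(f"coordinated sweep at {start:%H:%M:%S}: {', '.join(group)} "
              f"covered {n} hosts on tcp/22")
```

The single-source check reports the fast sweep, the slow scanner and each member of the coordinated pair individually; the coordinated check is what ties the pair together, and it deliberately ignores the slow scanner in the same window because its targets overlap with the pair's. The benign host never exceeds one distinct destination and is reported by neither check. A tumbling window is the simplest thing that works for a demonstration; a production implementation would use a sliding window and per-source state expiry.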