Sample reports for one of our test networks (note this is a test network and does have some downtime). All graphs were produced by Link Logger. Link Logger has many other types of graphs than the ones used here; these are just a sample of the kind of inbound traffic security analysis you can perform with it.
Note this network is just a typical Shaw cable user account with no web services or anything else exposed, so it should be representative of the scans and attacks seen by most Shaw home user accounts.
Attack/Scan Stats for August 14, 2002. (NOTE we did shut down the system a couple of times last night, so the numbers will be lower than actual.)

7 different scan types and a total of 49 scans.

Over the last week: 16 different scan types, 345 scans in total.

Rate of suspicious events per hour.

Rate of suspicious events per hour for the last week.

Number of unique Suspicious Source IP Addresses per day. Things are slowing down.

21 attack and scan sources.

Last week: 131 different sources, and no local biggies, as our local ISP abuse team (shaw.ca) does a good job, i.e. no big Nimda/Code Red scanners in our local netblock. NOTE all scans and attacks (except those involved in testing) are sent to www.DShield.org using DShieldUp for Link Logger. DShield can and does send notifications to ISPs concerning suspicious traffic.
204.26.122.6 was trying to ident us (TCP port 113) while we were ftp'ing from it (multitech.com, who make routers), so this is a false positive: an FTP server commonly queries ident on the client that just connected to it, and it is easy to pick out when reviewing the traffic history within Link Logger. Since you can trust IPs in Link Logger, if we were going to ftp from this site often we would trust it so that it no longer caused an alert.

Event history of some of the top bad boys; typically the leading bad boys are Nimda/Apache/Code Red scans (TCP port 80).
24.64.74.228 and 24.194.50.3 are Nimda/Code Red infected scanning on TCP port 80.
24.64.192.243 is attempting to connect to open shares on TCP port 139 (maybe Klez infected).
66.31.25.216, 216.179.106.154 and 172.157.113.48 are scanning for Subseven servers on TCP port 27374.
62.195.89.146 is interesting. Its first scan was a TCP port 80 scan, and a couple of hours later it scanned TCP port 1433 looking for a vulnerable SQL Server. It is not often you see a source change scan type like this.
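The kind of review described above (grouping events by the port they target, counting scan types and unique sources, suppressing a trusted host such as the ident false positive, and spotting a source that switches from port 80 to port 1433) is easy to reproduce over a plain connection log. The following is an added example, not Link Logger code or output; the log format and the sample lines are constructed for this example, and the port-to-worm names are taken from the report above.

```python
"""Summarise inbound connection attempts the way the report above does.

Added example, not Link Logger code. The log format ("YYYY-MM-DD HH:MM:SS proto
src_ip dst_port") and the sample lines are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Destination (proto, port) -> the scan/attack family the report associates with it.
SIGNATURES = {
    ("tcp", 80): "Nimda/Code Red/web scan",
    ("tcp", 113): "ident callback (often an FTP server checking us)",
    ("tcp", 139): "open file share (SirCam/Klez style)",
    ("tcp", 1433): "SQL Server (SQLSnake)",
    ("tcp", 27374): "SubSeven trojan",
    ("tcp", 1214): "P2P (Kazaa/Morpheus)",
    ("tcp", 6346): "P2P (Gnutella family)",
}

# Hosts we deliberately connect to; an ident query from an FTP server we are
# using is expected behaviour, not an attack, so events from it are dropped.
TRUSTED = {"204.26.122.6"}

# Constructed sample log (not real Link Logger output).
SAMPLE_LOG = """\
2002-08-14 01:12:03 tcp 24.64.74.228 80
2002-08-14 01:40:51 tcp 24.194.50.3 80
2002-08-14 02:05:17 tcp 24.64.192.243 139
2002-08-14 03:22:09 tcp 66.31.25.216 27374
2002-08-14 04:01:44 tcp 62.195.89.146 80
2002-08-14 06:31:02 tcp 62.195.89.146 1433
2002-08-14 07:10:10 tcp 204.26.122.6 113
2002-08-14 09:55:38 tcp 24.64.74.228 80
2002-08-14 11:03:27 udp 192.0.2.44 137
"""


def parse(log_text):
    """Yield (timestamp, proto, src, dport); skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2].lower(), parts[3], int(parts[4])


def classify(proto, dport):
    """Map a destination to a scan type; unknown ports are still counted."""
    return SIGNATURES.get((proto, dport), f"other ({proto}/{dport})")


def analyse(log_text):
    """Counts per scan type, unique sources and per-source port history,
    ignoring events from trusted hosts."""
    by_type = Counter()
    history = defaultdict(list)  # src -> [(ts, dport), ...] in log order
    suppressed = 0
    for ts, proto, src, dport in parse(log_text):
        if src in TRUSTED:
            suppressed += 1
            continue
        by_type[classify(proto, dport)] += 1
        history[src].append((ts, dport))
    return {
        "scan_types": len(by_type),
        "total_scans": sum(by_type.values()),
        "by_type": dict(by_type),
        "unique_sources": len(history),
        "suppressed_trusted": suppressed,
        "history": dict(history),
    }


def port_changers(history):
    """Sources that hit more than one distinct port, e.g. port 80 then 1433."""
    return sorted(src for src, ev in history.items() if len({p for _, p in ev}) > 1)


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"{r['scan_types']} scan types, {r['total_scans']} scans, "
          f"{r['unique_sources']} sources, {r['suppressed_trusted']} trusted event(s) suppressed")
    for name, n in sorted(r["by_type"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {name}")
    print("sources that changed target port:", port_changers(r["history"]))
```

On the constructed log this reports 5 scan types and 8 scans from 6 sources, drops the one ident event from the trusted FTP server, and singles out 62.195.89.146 as the source that changed target port.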

Suspicious events per day on selected ports.

Number of unique scanning/attacking IP address per day.
Tracking Nimda/Code Red/Apache/etc worms and SQLSnake.

Arrival of the SQLSnake worm on May 18th. Note we did see some small pre-SQLSnake TCP port 1433 scans on April 29th and May 12th.
Note the monthly schedule for Code Red (Code Red I) is (UTC):
1-19: infect other hosts using the worm
20-27: DDoS attack on 198.137.240.91 (which at the time was whitehouse.gov)
28-end of month: eternal sleep

Notice the similarity of curve shapes for port 1433 (events per day and unique sources per day track each other): the SQL Server worm used a random IP generator for scanning, whereas Nimda and Code Red II use a weighted IP generator that favours addresses in the infected host's own /8 and /16, so you see more repeated scans from 'local' systems. SQLSnake, like Nimda and Code Red, will be around for a long time. You can see there was an initial spike in infected systems and some systems were cleaned up, but a baseline of infected machines will remain for some time.
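To see why the weighted generator produces repeated 'local' scanners while the random one does not, the simulation below compares the two target-selection strategies from the point of view of one observer. It is an added example, not Link Logger code and not any worm's code; the weighting is the mix reported in public analyses of Code Red II (1/8 fully random, 1/2 same first octet as the infected host, 3/8 same first two octets), and the observer address, the assumption that infected hosts are spread uniformly over the address space, and the sample size are assumptions of the simulation.

```python
"""Random vs locality-weighted target selection, seen from one observer.

Added example, not Link Logger or worm code. OBSERVER and the uniform spread of
infected hosts are assumptions; the 1/8, 1/2, 3/8 mix is the commonly reported
Code Red II weighting.
"""
import random

OBSERVER = (24, 64, 74, 228)  # assumed observer address (a Shaw-like cable IP)


def uniform_target(rng, _src):
    """Uniformly random IPv4 target, as SQLSnake's scanner behaved."""
    return tuple(rng.randrange(256) for _ in range(4))


def weighted_target(rng, src):
    """Code Red II style: 1/8 fully random, 1/2 same first octet as the
    infected host, 3/8 same first two octets."""
    a, b, c, d = (rng.randrange(256) for _ in range(4))
    roll = rng.random()
    if roll < 1 / 8:
        return (a, b, c, d)
    if roll < 1 / 8 + 1 / 2:
        return (src[0], b, c, d)
    return (src[0], src[1], c, d)


def observed_hits(generator, n, seed=1):
    """Simulate n scans from infected hosts spread uniformly over IPv4 and keep
    those landing in the observer's /8. Return (hit rate, fraction of those
    hits whose source also sits in the observer's /8)."""
    rng = random.Random(seed)
    hits = local = 0
    for _ in range(n):
        src = uniform_target(rng, None)  # where this infected host lives
        dst = generator(rng, src)
        if dst[0] == OBSERVER[0]:
            hits += 1
            if src[0] == OBSERVER[0]:
                local += 1
    return hits / n, (local / hits if hits else 0.0)


if __name__ == "__main__":
    for name, gen in (("uniform (SQLSnake)", uniform_target),
                      ("weighted (Code Red II)", weighted_target)):
        rate, local_frac = observed_hits(gen, 200_000)
        print(f"{name:24s} hit rate in our /8: {rate:.4f}   "
              f"fraction of hits from our own /8: {local_frac:.3f}")
```

Both generators deliver scans to the observer's /8 at the same overall rate (about 1/256 of all scans), but with the weighted generator roughly 7/8 of those scans come from infected hosts inside the same /8, versus about 1/256 for the uniform generator. That is why the port 80 curves are dominated by a small set of repeat 'local' sources whose fate depends on the local ISP's clean-up, while the port 1433 events are spread over many distinct sources and the events and unique-source curves track each other.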
A Closer Look


Port 80 scans did not increase on August 1st as expected but instead dropped, which was hugely unexpected given that the Code Red I systems were due to re-enter the scanning/infection cycle. Most of these scans are coming from outside our local ISP.
Subseven Scans

Subseven scan rates from July 1st on.
An example of a scan with a history.

We saw a TCP port 139 connection attempt from 24.64.146.43. Upon reviewing the history of traffic from this IP address with Link Logger we noticed that we had seen this IP attempt a number of open file share connections since March. I think we have seen the end of scans from this system. Despite its attempt to fly under the radar, it got noticed and shut down.
OK, so 24.64.146.43 still lives, as we received new scans from it on August 9th. A second email will be sent concerning this. Hopefully this time they can put a stop to it. Received another email from our local abuse team indicating that they have identified and fixed this again. But of course it continues to scan; perhaps a wooden stake is needed to kill it. Hopefully someday soon we can declare "he's dead, Jim".
An additional tidbit of information concerning P2P file sharing applications and scans for them.

We have pretty well a static IP address, or at least it has not changed in about the last 6 months. We have never used any P2P products, so we shouldn't appear in any P2P peer list, yet we see scans for these systems all the time, which leads us to believe that people (or something) are actively scanning for them. While we did see some rare scans before March 1st, the relatively consistent scanning started mid-March. From March 1st to July 14th we have seen 162 TCP port 1214 scans (Kazaa, Morpheus, etc.) and 87 TCP port 6346 scans (Gnutella, BearShare, LimeWire, etc.), all from a variety of sources.

The Reign of Code Red II


Just to give you an idea how much impact Code Red II had: Code Red II arrived here at about 8am (MST) on August 4th and Nimda arrived at about 7am (MST) on Sept 18th. As you can see, Code Red II changed everything. While Nimda was heavy into scanning, Code Red II affected far more systems. On October 1 UTC Code Red II stopped (as coded), and we see that on the graph as our port 80 scans almost ceased entirely. The fact that port 80 scans pretty well ceased when Code Red II stopped again testifies to how many more machines it infected compared to Nimda and Code Red I. Code Red II is easily the internet champion worm of all time.

51 types of scans and a total of 11,343 scans during the lifetime of Code Red II.
The arrival of SirCam - King of the file share.

SirCam proved to be one of the most successful viruses of all time. Before July 19th I would typically see 1 or 2 port 139 scans (connection attempts to open shares) a month, but the arrival of SirCam changed that. On Oct 16th there was a drop in port 139 scans which coincided with SirCam stopping (as coded). We still see a number of port 139 scans looking for open shares, as SirCam demonstrated how effective distribution via open file shares is, so newer worms and viruses like Klez commonly use file shares as a distribution method, and hence we still see port 139 scans today.
Favorite Wav files for Link Logger
Spock: Captain we are being probed