Sunday, January 17, 2010

Dshield Results From Log Donations

So, every day I submit logs to Dshield, I get a report from them with a breakdown of the submitted logs.

Here's an example:




For 2010-01-15 you submitted 496 packets from 136 sources hitting 2 targets.

Port Summary
============

Port | Packets | Sources | Targets | Service | Name
------+-----------+-----------+-----------+--------------------+-------------
445 | 63 | 17 | 2 | microsoft-ds | Win2k+ Server Message Block
5900 | 31 | 15 | 2 | vnc | Virtual Network Computer
135 | 46 | 14 | 2 | epmap | DCE endpoint resolution
1080 | 162 | 13 | 2 | socks | Proxy Server
22 | 19 | 12 | 2 | ssh | SSH Remote Login Protocol
23 | 9 | 9 | 2 | telnet |
1433 | 12 | 9 | 2 | ms-sql-s | Microsoft-SQL-Server
3389 | 11 | 7 | 2 | ms-term-services | MS Terminal Services
3072 | 12 | 6 | 1 | csd-monitor | ContinuStor Monitor Port
4899 | 7 | 5 | 2 | radmin | Remote Administrator default port
25 | 20 | 5 | 2 | smtp | Simple Mail Transfer
3128 | 13 | 5 | 2 | squid-http | Proxy Server
8000 | 10 | 5 | 2 | irdmi | iRDMI
8080 | 7 | 4 | 2 | http-alt | HTTP Alternate (see port 80)
139 | 7 | 3 | 2 | netbios-ssn | NETBIOS Session Service
7212 | 7 | 3 | 2 | |
21 | 5 | 3 | 1 | ftp | File Transfer [Control]
80 | 6 | 2 | 1 | www | World Wide Web HTTP
2967 | 2 | 2 | 1 | ssc-agent | Symantec System Center
1024 | 6 | 2 | 1 | |


Port Scanners
=============

source | Ports Scanned | Host Name
---------------+---------------+------------
173.192.192.92| 10 | 173.192.192.92-static.reverse.softlayer.com
221.192.199.35| 6 |
78.159.112.84| 5 |
77.223.143.18| 4 | 77-223-143-18.netdirekt.com.tr
222.215.230.49| 4 |
205.209.161.68| 3 |
67.51.137.218| 2 |
173.66.248.120| 2 | auth03.cs.net
188.132.196.173| 2 | datacenter-173-196-132-188.sadecehosting.net
68.237.174.120| 2 | static-68-237-174-120.lsanca.fios.verizon.net
206.217.205.170| 2 | noptr.midphase.com
66.159.229.149| 2 | netblock-66-159-229-149.dslextreme.com
222.208.183.218| 2 |
66.160.182.5| 2 | system-5.squaw.com
64.38.82.20| 2 |
174.129.185.251| 2 | ec2-174-129-185-251.compute-1.amazonaws.com


Source Summary
==============

source | hostname |packets|targets| all pkts | all trgs | first seen
---------------+-----------+-------+-------+----------+----------+-----------
66.160.182.5|5.squaw.com| 54 | 1 | 143 | 66 | 01-08-2010
79.125.50.62|azonaws.com| 33 | 1 | 14083 | 94 | 01-11-2010
79.125.39.245|azonaws.com| 27 | 1 | 5974 | 92 | 01-11-2010
174.129.93.137|azonaws.com| 27 | 1 | 16623 | 102 | 01-06-2010
174.129.161.206|azonaws.com| 21 | 1 | 8258 | 99 | 01-11-2010
174.129.137.234|azonaws.com| 15 | 1 | 2328 | 90 | 01-14-2010
221.192.199.35| | 13 | 1 | 63162 | 2825 | 01-05-2010
79.125.44.37|azonaws.com| 12 | 1 | 6155 | 88 | 01-12-2010
173.192.192.92|ftlayer.com| 10 | 1 | 287815 | 25717 | 12-31-2009
222.215.230.49| | 9 | 2 | 225112 | 6288 | 05-28-2008
79.125.32.165|azonaws.com| 9 | 1 | 2346 | 89 | 01-14-2010
94.59.233.125| | 7 | 1 | 29 | 13 | 01-15-2010
77.223.143.18|rekt.com.tr| 7 | 1 | 120123 | 20906 | 12-28-2009
78.159.112.84| | 6 | 1 | 7356 | 3206 | 01-15-2010
188.132.196.173|hosting.net| 6 | 1 | 2606 | 1735 | 01-13-2010
118.161.243.145|c.hinet.net| 6 | 1 | 54 | 8 | 01-15-2010
64.38.82.20| | 5 | 1 | 894 | 446 | 01-15-2010
205.209.161.68| | 5 | 1 | 278 | 245 | 01-15-2010
204.236.194.181|azonaws.com| 5 | 1 | 8563 | 95 | 01-10-2010
204.236.244.234|azonaws.com| 4 | 1 | 10215 | 155 | 01-05-2010



All of this is valuable, and I can sometimes tune the IDS and FW based on the findings of these reports. There are other freeware tools that can do this type of data crunching, but I like the fact that if I'm donating logs, I'm getting a analysis report in return.

Now, the concern is that there's a lot of source IPs that appear to be owned by Amazon (Amazon Web Services). I'm hoping that most of these aren't EC2 hosts. If so, that indicates that Amazon has a security or abuse issue (or a combination of both). I'm hesitant to mention this to ISC since this may well be a trivial concern for them. Regardless of perception, I still believe this is more than likely an issue that should be pursued.