427 Botnet fm qxd

port 25. his is probably a remote botnet that has been
ordered to scan your network for possible open e-mail
proxies. This can very well be the explanation for the spike in
the TCP worm graph in Case Study #2 in the previous chapter.
In Chapter 9 we will explain how to make this correlation.
2. Sorting by IP address gives us the ability to see multiple
infected hosts in an IP subnet.
3. Sorting the destination TCP ports gives us the ability to see
patterns in scans initiated by malware. We may be able to see
that a set of hosts are under the same remote control or pos-
sibly have the same malware program.
4. Our IRC report engine (next chapter) uses the TCP work
weight to determine if there are too many attacking clients in
a sick IRC channel. If so, it places the IRC channel in its 
evil
channel
list. 
TCP Work Weight: Details 
In this section we will briefly talk about a few aspects of the TCP work
weight. It is the most important statistical measure in the port report, and we
need to discuss how it is computed and what can seemingly go wrong with
that process.
First of all, let’s look at how the work weight is computed.The rough
equation for the work weight for one IP host is:
where:
■
SS is the total number of SYNS sent by the IP during the sample
period.
■
FS is the total number of FINS sent by the IP during the sample
period.
■
RR is the total number of TCP RESETS returned to the IP during
the sample period.
■
TP is the total number of TCP packets, including control and data
sent and received by the host, during the sample period.

Download 6,98 Mb.

Do'stlaringiz bilan baham: