Botnets - The killer web applications

www.syngress.com
282
Chapter 7 • Ourmon: Anomaly Detection Tools
427_Bot_07.qxd 1/8/07 3:40 PM Page 282


Q: Why does the TCP port report sometimes spot Web servers?
A: The short answer is: we don't know why. We would love to understand this better. It could have something to do with HTTP mostly sending a lot of small files, so a Web server emits many control packets (SYN, FIN, RST) and just a few data packets, which is the ratio the TCP port report keys on. HTTP/1.1 persistent connections allow one server to send many files over one TCP connection, but that does not help when the Web page itself has separate parts hosted at different IP addresses.
Q: What kinds of real-world situations have you seen diagnosed with the UDP port report?
A: Probably everybody on the planet is getting SPIM (spam over instant messaging) 24/7. We have seen SQL Slammer outbreaks, which are not exactly hard to spot. We have also seen numerous instances of badly maintained UNIX servers where some component of the Web server (say, a PHP application) has been exploited and the Web server itself is now being used to DoS a remote host. Bot systems tend to use TCP for scanning, but UDP does pop up sometimes. A UNIX system can host a bot too, even if the majority of bots are found on Microsoft systems.
Q: Are the parts of ourmon focused on network management (not covered in this book) ever useful for anomaly detection?
A: Everything in ourmon seems to be useful for anomaly detection. A DoS attack can make the top N talker graphs show the single system doing the DoS as the top talker. One system on campus infected with SQL Slammer caused the ICMP top N message graph to point entirely at that system, because many systems around the world were busy sending ICMP messages (such as port unreachable errors) back to the infected host.
