Botnets - The killer web applications

www.syngress.com
Chapter 7 • Ourmon: Anomaly Detection Tools


TCP Anomaly Detection

In this section we are going to look at the most important tool in ourmon’s arsenal of anomaly detection tools. This is the TCP port report, in several forms and formats. First we look at the basic 30-second ASCII TCP port report. The port report is useful for detecting scanning and P2P activity. Second we look at the TCP work weight, which is a statistical measure that is mostly used to detect scanning. The TCP work weight is a fundamental background component for all TCP-based anomaly detection, including the IRC botnet detection mechanism discussed in the next chapter. Our final two sections discuss the TCP worm graph, which shows parallel scanning activity, and the hourly summarized form of the TCP port report. There are a number of forms of the summarized TCP port report that may be sorted on different statistics (for example, TCP SYN counts). All these hourly summarized reports basically have the same statistical format per individual IP host. Thus understanding the format of the 30-second port report and the summarized format is very important for understanding the data provided by ourmon.
TCP Port Report: Thirty-Second View

Table 7.3 is a somewhat simplified TCP port report taken from PSU’s network on the day of “Case History #3: Bot Client.” This report shows a number of typical events in the base TCP port report, including two local attacking systems, several remote attacking systems, and a few systems that are not attackers. Also, to protect the innocent (or the guilty), we use private IP addresses here. For remote hosts we will use net 10 addresses, and for local networks we will use net 192.168 addresses. Normally, of course, these could be real IP addresses. Due to space issues we do not show all the fields in the TCP port report and might not show all of the port signature field (the last column) when there are more than a few destination ports. We will just show *** to mean that there are more.
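As an added example (not ourmon’s own code), the following Python sketch builds the per-host statistics behind the 30-second port report and the TCP work weight described above, over one constructed 30-second window of packets. It assumes the work weight definition from ourmon’s published documentation, w = (SYNs sent + FINs sent + RSTs received) / total TCP packets sent and received, scaled to 0..100, and a 90% threshold for “scanner-like”; both are assumptions, as is the traffic sample.

```python
from collections import defaultdict

# Constructed 30-second window of TCP packets seen at the border, as
# (src, dst, dst_port, tcp_flags). As in the chapter, 192.168/16 is local
# and 10/8 is remote; none of this is real traffic.
SAMPLE_PACKETS = (
    # 192.168.1.50 sweeps port 445 on forty remote hosts: SYN out, RST back.
    [("192.168.1.50", f"10.0.0.{i}", 445, "S") for i in range(1, 41)]
    + [(f"10.0.0.{i}", "192.168.1.50", 445, "R") for i in range(1, 41)]
    # 192.168.1.20 holds one ordinary web session: handshake, data, FIN/FIN.
    + [("192.168.1.20", "10.9.9.9", 80, "S"), ("10.9.9.9", "192.168.1.20", 80, "SA")]
    + [("192.168.1.20", "10.9.9.9", 80, "A")] * 30
    + [("10.9.9.9", "192.168.1.20", 80, "A")] * 30
    + [("192.168.1.20", "10.9.9.9", 80, "FA"), ("10.9.9.9", "192.168.1.20", 80, "FA")]
)

def is_local(ip):
    return ip.startswith("192.168.")

def port_report(packets):
    """Per local host: (work weight %, SYNs sent, FINs sent, RSTs received,
    total TCP packets, sorted destination ports). Assumed ourmon formula:
    w = (Ss + Fs + Rr) / Tsr, scaled to 0..100."""
    hosts = defaultdict(lambda: {"ss": 0, "fs": 0, "rr": 0, "tot": 0, "ports": set()})
    for src, dst, dport, flags in packets:
        if is_local(src):                       # packet sent by a local host
            h = hosts[src]
            h["tot"] += 1
            h["ss"] += "S" in flags
            h["fs"] += "F" in flags
            h["ports"].add(dport)
        elif is_local(dst):                     # packet received by a local host
            h = hosts[dst]
            h["tot"] += 1
            h["rr"] += "R" in flags
    report = {}
    for ip, h in hosts.items():
        w = round(100 * (h["ss"] + h["fs"] + h["rr"]) / h["tot"])
        report[ip] = (w, h["ss"], h["fs"], h["rr"], h["tot"], sorted(h["ports"]))
    return report

def flag_scanners(report, threshold=90):
    """Hosts whose work weight is at or above the (assumed) scanner threshold."""
    return sorted(ip for ip, row in report.items() if row[0] >= threshold)

if __name__ == "__main__":
    rep = port_report(SAMPLE_PACKETS)
    for ip, (w, ss, fs, rr, tot, ports) in sorted(rep.items()):
        print(f"{ip:14} work={w:3}% syn={ss} fin={fs} rst={rr} pkts={tot} ports={ports}")
    print("scanner-like:", flag_scanners(rep))
```

The sweeping host ends the window with a work weight of 100% (every packet it sent was a SYN and every packet it got back was a RST), while the ordinary web client sits near 3%, which is the contrast the port report and work weight are designed to expose.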
