427 Botnet fm qxd

IP Address Source Spoofing

Download 6,98 Mb.

Pdf ko'rish

bet	204/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 200 201 202 203 204 205 206 207 ... 387

Bog'liq
Botnets - The killer web applications

IP source address

IP Address Source Spoofing
Regarding sorting by ascending IP address, once in a while if you are
unlucky you might get to see something like 254 ascending IP addresses
from the same IP subnet. A few years ago, a host on a PSU subnet was
infected with the agobot worm, and all of a sudden it looked like 254
PSU IP hosts on the same /24 (256 IPs) subnet were transmitting at the
same time. They all showed up as “scanners” in the TCP port report. It
was really only one host spoofing other IP addresses on the same
subnet. Agobot has a loop mechanism to spoof IP source addresses so
that packets are sent in a loop, with each packet having a different but
local IP address. So remember, if you see many contiguous IP addresses
www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
257
Continued
427_Bot_07.qxd 1/8/07 3:40 PM Page 257

that appear to come from the same IP subnet, it might actually only be
one IP address using IP address source spoofing. On the other hand, a
handful of IPs from the same subnet that are really different could indi-
cate that the local network itself was fertile ground for hackers.
Now let’s go through the column headings:
■
IP source address
The statistics are organized around an individual
IP address and are sorted in ascending order based on IP address.This
means that your home address network will be grouped together
somewhere in the report.
■
Flags
The flags are
E,W, w, O, R,
and
M,
respectively.They are a
heuristic judgment based on whether traffic from this host is deemed
one-way or whether there is two-way traffic. Scanners are typically
one-way (host to destination).
E
means ICMP errors are being sent
back.
W
means the TCP work weight is very high (>=90).
w
means
the work weight is >= 50.
O
means FINS (TCP control packet,
meaning end of conversation) are not being returned.
R
means TCP
RESET (TCP control packets are being returned).
RESETS
means
the other end thinks you made an error; these are typically returned
by TCP when no service port is open.
M
means few if any data
packets are being returned. Scanners may typically get
W,WOM
, or
something similar. If the system in question is really misbehaving, you
might get
EWORM
.
■
Apps
The application flags field uses a set of letters to convey var-
ious hints about data seen coming from the host. We call these letters
flags
or
tags
.There are hardwired (reserved) flags as well as user-pro-
grammable flags that match Unix-style regular expressions put in the
ourmon probe configuration.The user-programmable flags use pat-
tern matching via the Perl Compatible Regular Expression (PCRE)
system.The goal of the apps flag system overall is to indicate some-
thing interesting about traffic from a host. In particular, we might be
able to suggest that a particular kind of traffic was seen. We use the
apps flag field to help explain why certain classes of hosts will end up
in the TCP port report over and over again. Sometimes Web servers

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 200 201 202 203 204 205 206 207 ... 387