divided by the number of SYN packets. A value of 100 percent or high suggests that the host might be a server. A value of 0, on the other hand, suggests (only suggests and does not prove; after all, these things are spoofable) that the host is a client. Often P2P hosts will have a value somewhere between 0 and 100 percent. Your average bot could have a 0 value. A Web server, on the other hand, typically has a high value. In summary, you can view this as a suggestion as to whether or not a host is mostly a client or a server or a little bit of both.
■ L3D/L4D
L3D/L4D stands for Layer-3 destinations and Layer-4 destinations. This really means the number of unique IP destination addresses and the number of unique TCP destination port addresses seen in packets sent by the IP host during the sample period. A larger number for L3D suggests the host has a lot of fan-out in terms of peer hosts it is trying to converse with (or attack). Scanners sometimes try to talk to a lot of IP hosts to find one with an open destination port. Or in some cases they might talk to one host and try all its TCP destination ports to look for any open port. In that case, the Layer-3 destination value would be 1 and the Layer-4 destination value will be high. Your typical botnet client has a limited set of attacks (let's say five) and as a result it will scan many IP hosts but only a few ports, because its attacks are limited to certain ports like the Microsoft classic attack destination ports 139 and 445.
■ L4S/src
This statistic stands for L4 TCP source port information. Ourmon samples both TCP source and destination ports. Destination port information is provided in the port signature field, which we discuss in more detail later. L4S/src, on the contrary, is focused only on source ports associated with the IP host. In this case, during one 30-second sample period the probe stores the first 10 source ports it sees, up to a maximum of 10, and counts packets sent to those stored ports. Most of the sampled information is not shown. For L4S the system only gives us the number of src ports seen, ranging from 1 to a maximum of 10 (take 10 to mean "many"). The src field itself simply gives us the first sampled source port number. The goal is to provide a few clues about source ports but less information than about desti-
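The following is an added illustration, not Ourmon's own code, of how the L3D/L4D and L4S/src statistics described in the two items above can be derived from the packets a host sends during one sample period. The packet records and IP addresses are constructed for the example, and the scan-shape thresholds in `scan_shape` are the author's assumptions rather than values Ourmon uses.

```python
from collections import defaultdict

# Constructed sample of TCP packets seen in one 30-second sample period.
# Each record is (src_ip, dst_ip, src_port, dst_port); all values are invented.
SAMPLE_PACKETS = [
    # 10.0.0.5: many peer hosts, only ports 139 and 445 (bot-like horizontal fan-out)
    *[("10.0.0.5", f"10.0.1.{i}", 40000 + i, 445) for i in range(1, 21)],
    *[("10.0.0.5", f"10.0.1.{i}", 41000 + i, 139) for i in range(1, 11)],
    # 10.0.0.7: one peer host, many destination ports (vertical port sweep)
    *[("10.0.0.7", "10.0.2.9", 50000 + p, p) for p in range(1, 51)],
    # 10.0.0.9: an ordinary client talking to two services
    ("10.0.0.9", "93.184.216.34", 51234, 443),
    ("10.0.0.9", "93.184.216.34", 51234, 443),
    ("10.0.0.9", "10.0.0.53", 51235, 53),
]

# Ourmon stores the first 10 source ports per host; 10 is read as "many".
MAX_SAMPLED_SRC_PORTS = 10


def host_stats(packets, max_src_ports=MAX_SAMPLED_SRC_PORTS):
    """Return {src_ip: {"L3D", "L4D", "L4S", "src"}} for one sample period.

    L3D: unique IP destination addresses the host sent to.
    L4D: unique TCP destination ports the host sent to.
    L4S: number of distinct source ports sampled, capped at max_src_ports.
    src: the first source port sampled for the host.
    """
    l3_dests = defaultdict(set)
    l4_dests = defaultdict(set)
    src_ports = defaultdict(list)  # insertion-ordered, first N distinct only
    for src_ip, dst_ip, sport, dport in packets:
        l3_dests[src_ip].add(dst_ip)
        l4_dests[src_ip].add(dport)
        sampled = src_ports[src_ip]
        if sport not in sampled and len(sampled) < max_src_ports:
            sampled.append(sport)
    return {
        ip: {
            "L3D": len(l3_dests[ip]),
            "L4D": len(l4_dests[ip]),
            "L4S": len(src_ports[ip]),
            "src": src_ports[ip][0],
        }
        for ip in l3_dests
    }


def scan_shape(stats, many_hosts=10, many_ports=20, few_ports=5):
    """Label a host's fan-out shape using the two scanner patterns from the text.

    Thresholds are assumed for this example; they are not Ourmon's.
    """
    if stats["L3D"] == 1 and stats["L4D"] > many_ports:
        return "vertical-scan"    # one host, many destination ports
    if stats["L3D"] > many_hosts and stats["L4D"] <= few_ports:
        return "horizontal-scan"  # many hosts, a few ports (e.g. 139/445)
    return "normal"


if __name__ == "__main__":
    for ip, s in host_stats(SAMPLE_PACKETS).items():
        print(ip, s, scan_shape(s))
```

Note that L4S saturates at 10 for both scanning hosts even though one used 30 distinct source ports and the other 50: the statistic only tells you "many", which is why the text treats it as a clue rather than a count.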