Botnets - The killer web applications

www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
TCP work weight = (SS + FS + RR) / TP


Roughly, one easy way to understand this is that we are comparing the number of control packets to the count of all packets sent. If it is 100 percent, that means every packet sent was a control packet, which means either the client/server TCP protocol is broken or somebody is doing some sort of scan. We do some funny things like put RESETs into the denominator so that if a host attacks with data packets and only gets RESETs back, it will still have a nonzero work weight.

In the time we have used the TCP work weight, we have noticed several kinds of anomalous hosts showing up that could be considered false positives (benign as opposed to bad). Not everything that shows up there is a scanner. Hosts show up in the port signature report if they are inefficient in terms of TCP control versus data. For example, you would never see a large Web download or an FTP file exchange show up, simply because there are very few control packets and a lot of data packets. Here are some known causes that might be considered false positives for hosts showing up in the port report:

- Sometimes e-mail servers will show up when they are having a hard time connecting to a remote e-mail server. This is because e-mail will try over and over again to connect. This is its nature. This does not happen with e-mail servers all the time, and ironically it could happen due to e-mail servers trying to reply to spam with fake IP return addresses.

- P2P clients (hosts using P2P) may show up. This is because P2P hosts have to somehow know an a priori set of peer hosts with which to communicate. If that set of peer IP hosts is stale (out of date), many attempts to connect to them will fail. Gnutella in particular can cause these sorts of false positives. This is why we flag it with an application flag. Some P2P applications are more likely to show up than others. For example, Gnutella is more likely to show up than BitTorrent.

- Some TCP clients could get unhappy when their server is taken down and might "beat up" the network with SYNs trying to reconnect to the server. This might be seen as a false positive or a useful IT indicator of a client/server connection problem.
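The work weight formula and the false-positive cases above can be seen side by side on a small packet trace. The following is an added example, not code from the book or from Ourmon itself; it assumes the symbol expansions SS = SYNs sent, FS = FINs sent, RR = RESETs received and TP = all TCP packets the host sent or received (taken from the Ourmon documentation, not restated on this page), counts only pure SYNs (not SYN-ACKs) as SS, and uses a constructed trace with a scanning host, a host doing an ordinary file download, and a host that sends data to a peer that only answers with RESETs.

```python
"""Ourmon-style TCP work weight computed per host from a constructed packet trace.

Assumed symbol expansions (from the Ourmon documentation, not this page):
  SS = SYN packets sent by the host (pure SYN, no ACK, in this example)
  FS = FIN packets sent by the host
  RR = RESET packets received by the host
  TP = all TCP packets the host sent or received
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str      # subset of "S", "A", "F", "R", "P"
    payload: int    # TCP payload bytes (0 for pure control packets)


def count_per_host(packets):
    """Accumulate SS/FS/RR/TP for every host seen as source or destination."""
    counters = defaultdict(lambda: {"ss": 0, "fs": 0, "rr": 0, "tp": 0})
    for p in packets:
        counters[p.src]["tp"] += 1              # TP counts both directions
        counters[p.dst]["tp"] += 1
        if "S" in p.flags and "A" not in p.flags:   # SYN sent (SYN-ACK excluded by assumption)
            counters[p.src]["ss"] += 1
        if "F" in p.flags:                           # FIN sent
            counters[p.src]["fs"] += 1
        if "R" in p.flags:                           # RESET received by the destination host
            counters[p.dst]["rr"] += 1
    return dict(counters)


def work_weight(c):
    """(SS + FS + RR) / TP as a fraction in [0, 1]; 0 for a host with no packets."""
    if c["tp"] == 0:
        return 0.0
    return (c["ss"] + c["fs"] + c["rr"]) / c["tp"]


def flag_hosts(counters, threshold):
    """Hosts whose work weight is at or above a site-chosen threshold, highest first."""
    rows = [(h, work_weight(c)) for h, c in counters.items() if work_weight(c) >= threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def sample_trace():
    """Constructed trace (addresses are documentation ranges, not real hosts)."""
    pk = []
    # 1) 10.0.0.5 probes ten hosts; each answers with a RESET: all control, no data.
    for i in range(10):
        target = f"192.0.2.{i + 1}"
        pk.append(Packet("10.0.0.5", target, "S", 0))
        pk.append(Packet(target, "10.0.0.5", "RA", 0))
    # 2) 10.0.0.7 downloads a file: handshake, 20 data segments with ACKs, orderly close.
    c, s = "10.0.0.7", "198.51.100.10"
    pk += [Packet(c, s, "S", 0), Packet(s, c, "SA", 0), Packet(c, s, "A", 0)]
    for _ in range(20):
        pk.append(Packet(s, c, "PA", 1460))
        pk.append(Packet(c, s, "A", 0))
    pk += [Packet(c, s, "FA", 0), Packet(s, c, "FA", 0), Packet(c, s, "A", 0)]
    # 3) 10.0.0.9 keeps pushing data to 10.0.0.20, which knows no such connection
    #    and RESETs every segment: no SYNs or FINs sent, yet a nonzero work weight.
    for _ in range(5):
        pk.append(Packet("10.0.0.9", "10.0.0.20", "PA", 512))
        pk.append(Packet("10.0.0.20", "10.0.0.9", "R", 0))
    return pk


if __name__ == "__main__":
    counters = count_per_host(sample_trace())
    for host, ww in flag_hosts(counters, 0.0):
        print(f"{host:15} work weight {ww:.2f}")
```

On this trace the scanner scores 1.0 (20 packets, every one of them a SYN it sent or a RESET it got back), the downloading client scores 2/46 (one SYN and one FIN against 46 packets, so it never reaches the report), and the host whose data segments are all answered with RESETs scores 0.5 purely from the RR term, which is the case the text describes. The threshold passed to flag_hosts is a site choice; the retrying mail server and stale-peer P2P cases from the list above would land between these extremes, which is why the report needs the application flags rather than the weight alone.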
