Page 1 of 2
Results 1 to 10 of 16

Thread: Origins of scans

  1. #1
    Member imported_anubis2k7's Avatar
    Join Date
    Jun 2006
    Posts
    115

    Origins of scans

    Hi,

    I have a question for all you guys out there running IDS systems. I have been running an IDS (snort) on my network for the past 6 months, and I am noticing that almost all the scans/attempted hacks are coming from the following countries:

    China
    Singapore
    Taiwan
    Korea
    Czech Republic
    UK

    (the first is the most frequent, the last is the least)

    My IDS is on the network for a small organization on the east coast of the US, and as far as I know, my group has no connections, business or otherwise, with any of these countries.

    I tried searching the net for these IP addresses, most of the time I did not find anything.

    Why are all the scans coming from these countries/areas? Are there a large group of “proxies” or other means of concealing one’s IP in these countries that I do not know about?

    Thanks.

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by anubis2k7
    Hi,

    I have a question for all you guys out there running IDS systems. I have been running an IDS (snort) on my network for the past 6 months, and I am noticing that almost all the scans/attempted hacks are coming from the following countries:

    China
    Singapore
    Taiwan
    Korea
    Czech Republic
    UK

    (the first is the most frequent, the last is the least)

    My IDS is on the network for a small organization on the east coast of the US, and as far as I know, my group has no connections, business or otherwise, with any of these countries.

    I tried searching the net for these IP addresses, most of the time I did not find anything.

    Why are all the scans coming from these countries/areas? Are there a large group of “proxies” or other means of concealing one’s IP in these countries that I do not know about?

    Thanks.
    I'm in a similar situation as you. Small company on the east coast, and I get attacked all the time from such places. I've determined that we will never in the course of our business get legitimate email from any of those nations, so I have effectively dropped those areas permanently. I've just enabled some routing rules so that traffic that comes from there gets dropped.

    Works well, spam has decreased dramatically.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543


    I get these as well (on the west coast on high-speed internet); mostly from China and worm propagation attempts (port 1027/1028).

    China has been known to have government-sponsored hackers and worm programmers. Ever since my former cable company was bought out by another company, they seem to have shuffled me on an IP range that has become more prone to scanning/worm propagation, specifically from the countries you've listed (and quite a bit of crap from Japan too). It also appears that now I'm getting more SSH hack attempts, where at one point I had to reinstall my Firewall software (IPCop).
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217


    Most, if not all, companies, large and small, see this kind of traffic. Larger companies generally have an easier time blocking it upstream than their smaller counterparts. As swc666 mentioned, many of those countries, China especially, maintain active government-sponsored hacker groups and have very robust Information Warfare programs. Corporate espionage is a whole different story. Anyhow, getting back to the point, some of that traffic is big bad blackhats and some of it is just compromised machines on bot networks. China takes the cake with the most people connected to the inturweb (thanx streaker), so it's not surprising that there is a lot of traffic from them, especially as the Storm worm continues to morph and evade detection. As streaker had mentioned, you can block a lot of this stuff. Both Team Cymru (http://www.cymru.com/) and the SANS ISC (http://isc.sans.org) maintain IP and BGP (if you are announcing your own AS numbers) block lists. The SANS ISC also maintains a search engine for IPs and ports. The statistics are based on DShield input. DShield is a distributed firewall/IDS project, where any user can submit their logs to be processed centrally, allowing SANS to identify patterns and trends. I would suggest running some of those IP blocks through their database.

    E
    dd if=/dev/urandom of=/mybrain
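
Posts #2 and #4 above describe two steps: attributing scan sources to a country and dropping or checking those ranges against a blocklist. The following is an added example written for this thread; it is not code from streaker69, elazar or any project mentioned here. The Snort fast-alert lines are constructed (documentation address ranges, local-rule SIDs), and the prefix-to-country table is an invented stand-in for a real GeoIP database or a Team Cymru / DShield lookup. The `allow` parameter is the exception list a "never legitimate" judgement still needs, so a partner's netblock in a blocked country is not silently cut off.

```python
"""Attribute Snort scan alerts to source countries and draft per-prefix drop rules.

Added example for this thread; not the posters' own tooling. Country attribution
uses a constructed prefix table (assumption) in place of a GeoIP/Team Cymru lookup.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed Snort "fast" alert lines: documentation addresses, local-rule SIDs.
SAMPLE_ALERTS = """\
01/15-03:12:44.101 [**] [1:1000001:1] LOCAL SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22
01/15-03:12:45.221 [**] [1:1000001:1] LOCAL SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.10:80
01/15-03:14:02.987 [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22
01/15-03:20:19.004 [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.200:40002 -> 192.0.2.10:22
01/15-03:31:55.610 [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.77:40003 -> 192.0.2.10:22
"""

# Constructed prefix -> country table (assumption). A real deployment loads a GeoIP
# database or queries Team Cymru's IP-to-ASN service instead.
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "KR",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Fields of one fast-format line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def country_of(ip, table=PREFIX_COUNTRY):
    """Longest-prefix match of ip against the table; 'unknown' if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "unknown"


def summarize(alert_text, table=PREFIX_COUNTRY):
    """Count alerts per source IP, grouped by the source's attributed country."""
    per_country = defaultdict(Counter)
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a:
            per_country[country_of(a["src"], table)][a["src"]] += 1
    return per_country


def drop_rules(blocked_countries, table=PREFIX_COUNTRY, allow=()):
    """Draft iptables DROP rules for every prefix attributed to a blocked country,
    skipping prefixes on the explicit allowlist (known partners, mail relays)."""
    allowed = {ipaddress.ip_network(a) for a in allow}
    return [
        f"iptables -I INPUT -s {net} -j DROP"
        for net, cc in table.items()
        if cc in blocked_countries and net not in allowed
    ]


if __name__ == "__main__":
    for cc, counts in summarize(SAMPLE_ALERTS).items():
        print(cc, dict(counts))
    print("\n".join(drop_rules({"CN", "KR"})))
```

Run against a real alert file, the per-country summary is what you would compare against the DShield/ISC database elazar mentions before committing to a prefix-wide drop. Note that the fifth constructed line (a source inside the local /24) never appears in a drop rule: country blocking does nothing about compromised hosts in your own region, which is why it complements rather than replaces the IDS.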

  5. #5
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    As for attacks that come from the US or the Great White North, I hunt them down and dispatch them without discretion.

    After all, interference with a public utility is frowned upon by the Feds.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  6. #6
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217


    Quote Originally Posted by streaker69
    As for attacks that come from the US or the Great White North, I hunt them down and dispatch them without discretion.

    After all, interference with a public utility is frowned upon by the Feds.
    Hehe, I wonder if the Castle doctrine applies here, after all, it is a form of breaking and entering...
    dd if=/dev/urandom of=/mybrain

  7. #7
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by elazar
    Hehe, I wonder if the Castle doctrine applies here, after all, it is a form of breaking and entering...
    Actually, I normally just hunt down the NMAP'ers. Since most ISPs do not allow recon on other networks, I just hunt them down and report them to abuse@ with a warning that I don't want to see another attack from that IP.

    I have yet to see a second attack from an IP that I've reported, and the S'kriddie is left explaining to Daddy why their internet connection is turned off.

    I don't bother hunting down obvious zombies, it's not worth the time.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217


    Quote Originally Posted by streaker69
    Actually, I normally just hunt down the NMAP'ers. Since most ISPs do not allow recon on other networks, I just hunt them down and report them to abuse@ with a warning that I don't want to see another attack from that IP.

    I have yet to see a second attack from an IP that I've reported, and the S'kriddie is left explaining to Daddy why their internet connection is turned off.

    I don't bother hunting down obvious zombies, it's not worth the time.
    True that, I wish I had the time to report, going through my logs is bad enough...
    dd if=/dev/urandom of=/mybrain

  9. #9
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by elazar
    True that, I wish I had the time to report, going through my logs is bad enough...
    A while ago I had written my own web interface into the Snort database that made reporting much easier. I should probably dig it back out and get it running again. It basically had a "One Click Bitch" button. One click and you have an email prepped and ready to go to the offender's ISP with logs included.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
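
Post #9 describes a one-click interface over the Snort database that preps an abuse email with the logs included. The following is an added example in the same spirit; it is not streaker69's interface or any code from this thread. The alert lines are constructed, and the netblock-to-abuse-mailbox table is an invented stand-in for a WHOIS lookup of the source's abuse contact. The report states the sensor's time zone explicitly, since an abuse desk on a dynamic-IP network cannot identify the subscriber without it.

```python
"""Draft an abuse report for one scanning source, with the matching Snort alerts.

Added example for this thread; not streaker69's Snort web interface. The
abuse-contact table is constructed (assumption) in place of a WHOIS lookup.
"""
import ipaddress
import re
from email.message import EmailMessage

# Constructed Snort fast-alert lines: documentation addresses, local-rule SIDs.
SAMPLE_ALERTS = [
    "01/15-03:12:44.101 [**] [1:1000001:1] LOCAL SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22",
    "01/15-03:12:45.221 [**] [1:1000001:1] LOCAL SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.10:80",
    "01/15-03:14:02.987 [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22",
]

# Constructed netblock -> abuse mailbox table (assumption; real values come from WHOIS).
ABUSE_CONTACTS = {
    ipaddress.ip_network("203.0.113.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-b.example",
}

TIMESTAMP_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")  # leading "MM/DD-HH:MM:SS.usec"
DEST_RE = re.compile(r"->\s+([\d.]+):\d+")                      # "-> dst:dport"


def alerts_from(src_ip, lines):
    """Keep only alert lines whose source address is src_ip (the field after '{PROTO} ')."""
    return [ln for ln in lines if f"}} {src_ip}:" in ln]


def abuse_contact(src_ip):
    """Abuse mailbox for the netblock containing src_ip, or None if unknown."""
    addr = ipaddress.ip_address(src_ip)
    for net, mailbox in ABUSE_CONTACTS.items():
        if addr in net:
            return mailbox
    return None


def build_report(src_ip, lines, reporter, sensor_tz="UTC"):
    """Return a ready-to-send EmailMessage; raise ValueError if there is nothing to report
    or no contact is known. Nothing is sent here; hand the message to smtplib yourself."""
    hits = alerts_from(src_ip, lines)
    if not hits:
        raise ValueError(f"no alerts with source {src_ip}")
    contact = abuse_contact(src_ip)
    if contact is None:
        raise ValueError(f"no abuse contact known for {src_ip}")
    stamps = [TIMESTAMP_RE.match(ln).group(1) for ln in hits]
    targets = sorted({DEST_RE.search(ln).group(1) for ln in hits})

    msg = EmailMessage()
    msg["From"] = reporter
    msg["To"] = contact
    msg["Subject"] = f"Abuse report: scanning/intrusion attempts from {src_ip}"
    msg.set_content(
        f"Hello,\n\n"
        f"Between {stamps[0]} and {stamps[-1]} (sensor time, {sensor_tz}), the host "
        f"{src_ip} in your network triggered {len(hits)} alert(s) on our intrusion "
        f"detection system against {', '.join(targets)}. We have no business "
        f"relationship with this host and did not request these connections.\n\n"
        f"Please investigate. The raw Snort alert lines are reproduced below.\n\n"
        + "\n".join(hits)
        + "\n"
    )
    return msg


if __name__ == "__main__":
    print(build_report("203.0.113.45", SAMPLE_ALERTS, "noc@example.org").as_string())
```

The message object is returned rather than sent so the operator can review it first, which is the "prepped and ready to go" step in the post; the raw alert lines go in unmodified because the ISP needs timestamps, ports and the exact signature to act on the report.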

  10. #10
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217


    Quote Originally Posted by streaker69
    A while ago I had written my own web interface into the Snort database that made reporting much easier. I should probably dig it back out and get it running again. It basically had a "One Click Bitch" button. One click and you have an email prepped and ready to go to the offender's ISP with logs included.
    Now that's what we call efficient.
    dd if=/dev/urandom of=/mybrain
