Port Sweeps

Port sweeps are interesting because they are usually indications that either a worm or a human attacker is looking to compromise additional systems via a specific vulnerability in a particular service. The graph in Figure 14-5 plots external IP addresses against the number of unique local addresses to which each external address has sent packets:

# psad -m iptables.data --gnuplot --CSV-fields "src:not11.11.0.0/16 dst:11.11.0.0/16,countuniq" --gnuplot-graph points --gnuplot-xrange 0:26000 --gnuplot-yrange 0:27 --gnuplot-file-prefix fig14-5
$ gnuplot fig14-5.gnu

Gnuplot produces the graph shown in Figure 14-5. (Note the not prefix on the src field, which negates the 11.11.0.0/16 network so that only external sources are plotted, and the countuniq directive on the dst field, which counts unique destination addresses rather than packets.)

Figure 14-5: External sources vs. number of unique local destinations

As shown in Figure 14-5, most external addresses (indexed on the x-axis) send packets to only one or two destination addresses (counted on the y-axis). However, several external addresses connect to as many as 24 addresses on the honeynet network, particularly those with x-axis indexes from about 18000 to 26000. The fig14-5.dat file (which can be downloaded from http://www.cipherdyne.org/LinuxFirewalls) shows that x-axis indexes 18000 to 26000 correspond to the source addresses 63.236.244.77 through about 221.140.82.123 in the iptables data set.

Some sources in the Scan34 iptables data set repeatedly try to connect to particular ports on a range of target systems. Figure 14-6 graphs the number of packets to destination ports from external source addresses. The graph is three-dimensional, so the x-axis is for the source address, the y-axis shows the port numbers, and the z-axis is the packet count. (Note the --gnuplot-3d argument on the psad command line.)

# psad -m iptables.data --gnuplot --CSV-fields src:not11.11.0.0/16 dp:count --gnuplot-graph points --gnuplot-3d --gnuplot-view 74,77 --gnuplot-file-prefix fig14-6

$ gnuplot fig14-6.gnu

Figure 14-6: External source addresses vs. destination ports vs. packet counts

The outlier of over 2,000 packets (on the z-axis) to a port less than 10,000 (on the y-axis) is shown above the general plane of source addresses versus destination ports (where the general count is less than 500 in the plane). We can see by looking through the fig14-6.dat file that this point corresponds to the IP address 200.216.205.189, which has sent a total of 2,244 packets to TCP port 3306 (MySQL):

This certainly looks like a port sweeper. Indeed, the graph shown in Figure 14-7 illustrates that the 200.216.205.189 source IP address connected to port 3306 on many destination addresses in the 11.11.0.0/16 subnet (the --CSV-regex argument in the command below restricts the graph to just the source IP address 200.216.205.189):

# psad -m iptables.data --gnuplot --CSV-fields "dst dp:3306,count" --CSV-regex "SRC=200.216.205.189" --gnuplot-graph points --gnuplot-yrange 0:150 --gnuplot-file-prefix fig14-7
$ gnuplot fig14-7.gnu

The graph in Figure 14-7 shows the number of packets (on the y-axis) sent by the IP address 200.216.205.189 to TCP port 3306 for each destination IP address (on the x-axis). A total of 24 destination addresses were involved in the port sweep, and on some systems over 120 packets were sent to port 3306.

[Figure 14-7 plot: gnuplot title "psad iptables log visualization: dst dp:3306,count", points keyed (dst,dp); the image itself is not reproduced here.]

Figure 14-7: MySQL 3306 port sweep
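The aggregations psad performs for Figures 14-5 through 14-7 (filter sources to outside the local network, count unique local destinations per source, then count packets per source and destination port) can be reproduced directly from iptables log lines. The following is an added example and not psad's own code; it assumes the SRC=/DST=/DPT= fields of the standard iptables LOG format and uses constructed log lines rather than the Scan34 data set, with a small min_hosts threshold chosen for the sample.

```python
import ipaddress
from collections import defaultdict

# Constructed iptables log lines in the format psad parses (not taken from the
# Scan34 data set): one external host sweeping TCP/3306 across local systems,
# one ordinary external connection, one internal flow and one non-local target.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=200.216.205.189 DST=11.11.79.60 PROTO=TCP SPT=40001 DPT=3306
Mar  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=200.216.205.189 DST=11.11.79.61 PROTO=TCP SPT=40002 DPT=3306
Mar  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=200.216.205.189 DST=11.11.79.62 PROTO=TCP SPT=40003 DPT=3306
Mar  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=200.216.205.189 DST=11.11.79.62 PROTO=TCP SPT=40004 DPT=3306
Mar  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=63.236.244.77 DST=11.11.79.69 PROTO=TCP SPT=51000 DPT=80
Mar  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=11.11.79.70 DST=11.11.79.71 PROTO=TCP SPT=52000 DPT=22
Mar  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=63.236.244.77 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=80
"""
LOCAL_NET = "11.11.0.0/16"  # the honeynet network discussed in the text

def parse_line(line):
    """Return (src, dst, dport) from an iptables log line, or None if a field is missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None

def external_to_local(lines, local_net=LOCAL_NET):
    """Apply the src:not<net> dst:<net> filter from the psad examples; yields (src, dst, dport)."""
    net = ipaddress.ip_network(local_net)
    for src, dst, dport in filter(None, map(parse_line, lines)):
        if ipaddress.ip_address(src) not in net and ipaddress.ip_address(dst) in net:
            yield src, dst, dport

def unique_dst_per_src(lines):
    """Figure 14-5 equivalent (countuniq): unique local destinations per external source."""
    seen = defaultdict(set)
    for src, dst, _ in external_to_local(lines):
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def port_sweeps(lines, min_hosts=3):
    """Flag (src, dport, hosts, packets) where one source hit >= min_hosts local hosts on one port."""
    hosts, packets = defaultdict(set), defaultdict(int)
    for src, dst, dport in external_to_local(lines):
        hosts[(src, dport)].add(dst)
        packets[(src, dport)] += 1
    return sorted((s, p, len(h), packets[(s, p)]) for (s, p), h in hosts.items() if len(h) >= min_hosts)
```

Running port_sweeps over the sample flags only 200.216.205.189 on port 3306 (three hosts, four packets), which is the same signal the Figure 14-7 plot makes visible for the real data set.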

Another way to visualize the above information is to use AfterGlow to generate a link graph. Such a graph contains the source and destination IP addresses in a viewable format and shows the series of packets from the source IP address 200.216.205.189 to several destinations in the 11.11.0.0/16 subnet:

# psad -m iptables.data --CSV --CSV-fields "src:200.216.205.189 dst dp:3306" --CSV-max 6 | perl afterglow.pl -c color.nf | neato -Tpng -o fig14-8.png

The psad interface to AfterGlow produces the link graph shown in Figure 14-8. (Note the --CSV-max argument to psad in the command above, which limits the number of data points to six for readability.)

[Figure 14-8 link graph: destination nodes shown include 11.11.79.69 and 11.11.79.70; the image itself is not reproduced here.]

Figure 14-8: Link graph of MySQL port sweep