Hi Readers!
Does your firewall simply accumulate data and never do much
with it? Then read on for today’s article on DShield, a fascinating
organization dedicated to monitoring port scanning worldwide.
You’ll see how your data can enhance a worldwide early warning
system that detects port-scanning trends and actually does something
to stop them. It’s free, safe, and benefits everyone. Check
it out!
Internet Storm Watchers
by Jackie Rosenberger
Most of us are content with the protection a firewall affords
us, and don’t bother to analyze the data the programs collect.
Which ports are being probed? How often? Is the same source
IP repeated with alarming frequency? We rarely check. The information
locked away in those unexamined log files could potentially
prevent script kiddie rampages, stop the spread of malware,
and even help track and prevent hacker break-ins. And yet those
files go largely unanalyzed, especially by home users. The firewall
does its job, and we’re satisfied.
Data, Data, Everywhere
Johannes Ullrich was certain that there was a way to use all
that stored information. A plan of action sparked to life in
his brain during the summer of 2000. When a DDoS attack was
launched against eBay, primarily involving zombies, the lack
of (and need for) a centralized place to analyze attack information
became agonizingly apparent.
Ullrich considered the ISACs (Information Sharing and Analysis
Center) model, becoming popular with the banking industry at
the time, and a thought occurred to him - why not centralize
computer attack information the way banks centralize their information?
DShield was born later that year, over Thanksgiving weekend
(“that’s what happens to me after too much turkey,” quipped
Ullrich). DShield was born as a kind of ISAC for “the little
guy.”
What is DShield?
DShield (http://www.dshield.org) is a clearinghouse for firewall
log reports. While it originally began as a volunteer effort,
bandwidth and salaries are now funded by the SANS Institute.
Just three people run DShield, including Johannes Ullrich who
continues to lead the project.
The way it works is simple: individuals with firewalls or other
intrusion detection systems download free DShield clients. Installation
is a snap – I set up the CVTWIN universal client, for use with
my ZoneAlarm firewall, in less than five minutes. The client
software regularly parses firewall log files and formats the
data, yet doesn’t interfere in any way with the operation of
the firewall.
Users can automate log file submissions or they can choose to
send in logs manually. Using the simple directions on the DShield
site, I set my scheduler to automatically send my log files
information to DShield on a daily basis. Firewall admins can
also select the “Fightback” option, which allows DShield to
use their submitted information to help users fight back against
attackers.
Information from a single firewall often has little meaning
by itself; when combined with many other firewall logs, however,
it can highlight important trends and potential problems. Ullrich
estimates that around 2000 users report their data daily, while
the number of registered users is around 38,000. Between 200,000
and 500,000 target IPs are reported each day. Since DShield
accepts a large number of anonymous reports every day, it’s
difficult to quantify the number of systems involved. Submissions
are numerous - enough to make patterns apparent in the swirling
chaos of numbers.
How is the information used?
The client software from DShield is designed to parse log
files and extract date, source IP, source port, target IP, target
port, protocol, and flags. When a particular IP address racks
up an outstanding number of port probes, DShield reports the
situation to the offender’s ISP. Numbers make a difference.
If data proves that one IP address has probed hundreds of
thousands of system ports, then there is a strong case for
action.
“DShield provides a simple and effective method for users
to ‘push back’ against the ubiquitous scanning activity,”
says Ullrich. “Not only do users contribute to the early warning
system, but we also notify ISPs of infected machines in a
standard format to hopefully ease the cleanup of infected
machines.”
This isn’t a heartless quest to get users kicked off their
ISPs, however. “I see the machines listed as ‘attacker’ more
as ‘victims’ themselves,” says Ullrich.
In many cases, the attacker literally is a victim. Many attacking
computers are infected with malicious programs that cause
them to unwittingly aid hackers or pointlessly propagate through
unguarded ports. Many owners aren’t aware of what their computers
are up to, and they’re grateful when they find out what’s
wrong so they can fix the problem.
Is it safe?
Some Internet users might want to participate in DShield’s
program, but may worry that their log files could somehow
be used against them. Is it dangerous to submit detailed firewall
log information to DShield? Ullrich doubts it. If a hacker
intercepted email during data submission to DShield, then
“the interceptor would just know that the machine is secured
by a firewall and should probably not be scanned.”
Those who are still concerned about email interception may
choose to copy and paste their log files into a submission
form and send them in that way.
Since firewall information is used to verify port probing
by particular IP addresses belonging to people with unknown
motives, DShield client users can submit anonymously. Instead
of revealing their true IP addresses, they can opt to have
the first byte changed to “10” so their real IP addresses
are not revealed in Fightback documents. Every opportunity
is afforded the submitter to stay secure and anonymous.
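To make the client's job concrete, here is an added Python example that is not DShield's client code and does not use DShield's real submission format. It parses a few constructed firewall log lines into the seven fields the article names (date, source IP, source port, target IP, target port, protocol, flags), tallies probes per source address the way a single reporter can before sending, and applies the anonymization option described above, replacing the first octet of the submitter's own (target) address with 10. The line layout, the field names and the sample addresses are assumptions.

```python
"""Parse constructed firewall log lines into the fields the article lists,
count probes per source address, and anonymize the submitter's address.
Added example; the log layout below is hypothetical, not any vendor's
format and not DShield's submission format."""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample log (documentation-range addresses, not real traffic).
# Hypothetical layout: <date> <time> <proto> <src>:<sport> -> <dst>:<dport> [flags]
SAMPLE_LOG = """\
2003-05-01 10:00:01 TCP 203.0.113.5:4123 -> 192.0.2.10:135 [S]
2003-05-01 10:00:02 TCP 203.0.113.5:4124 -> 192.0.2.10:139 [S]
2003-05-01 10:00:03 TCP 203.0.113.5:4125 -> 192.0.2.10:445 [S]
2003-05-01 10:00:09 UDP 198.51.100.7:1434 -> 192.0.2.10:1434 []
2003-05-01 10:01:14 TCP 203.0.113.5:4126 -> 192.0.2.10:80 [S]
this line is garbage and must be skipped, not submitted
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proto>TCP|UDP|ICMP) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) "
    r"\[(?P<flags>[A-Z]*)\]$"
)


@dataclass(frozen=True)
class Probe:
    """One firewall log entry reduced to the fields a DShield-style client keeps."""
    date: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: str


def anonymize_ip(ip: str) -> str:
    """Replace the first octet with 10, as the article describes for the
    submitter's own address, so the real address never reaches a report."""
    octets = ip.split(".")
    return ".".join(["10"] + octets[1:])


def parse_log(text: str, anonymize_target: bool = False) -> list[Probe]:
    """Extract the seven fields from each well-formed line; malformed lines
    are dropped rather than submitted as garbage."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dst = anonymize_ip(m["dst_ip"]) if anonymize_target else m["dst_ip"]
        probes.append(Probe(date=m["date"], src_ip=m["src_ip"],
                            src_port=int(m["src_port"]), dst_ip=dst,
                            dst_port=int(m["dst_port"]), proto=m["proto"],
                            flags=m["flags"]))
    return probes


def probes_per_source(probes: list[Probe]) -> Counter:
    """How many log entries each source address produced."""
    return Counter(p.src_ip for p in probes)


def distinct_ports_per_source(probes: list[Probe]) -> dict[str, int]:
    """How many different target ports each source touched (a sweep across
    ports is a stronger scan signal than repeated hits on one port)."""
    ports: dict[str, set[int]] = {}
    for p in probes:
        ports.setdefault(p.src_ip, set()).add(p.dst_port)
    return {ip: len(s) for ip, s in ports.items()}


def noisy_sources(probes: list[Probe], threshold: int) -> list[str]:
    """Sources at or above a probe-count threshold. From one firewall this is
    only a local hint; the article's point is that the case for action comes
    from aggregating many reporters' counts."""
    counts = probes_per_source(probes)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def to_submission_rows(probes: list[Probe]) -> list[str]:
    """Tab-separated rows in the field order the article lists
    (constructed layout, not DShield's actual submission format)."""
    return ["\t".join([p.date, p.src_ip, str(p.src_port), p.dst_ip,
                       str(p.dst_port), p.proto, p.flags]) for p in probes]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG, anonymize_target=True)
    for row in to_submission_rows(parsed):
        print(row)
    print("probes per source:", dict(probes_per_source(parsed)))
    print("distinct ports per source:", distinct_ports_per_source(parsed))
    print("noisy sources (>= 3 probes):", noisy_sources(parsed, 3))
```

Run it as a script to see the anonymized rows and the per-source tallies; the garbage line is silently dropped, which is the behaviour you want from anything that feeds an automated daily submission.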
Data in action
In addition to its watchdog role, DShield also provides useful
data to the SANS Institute’s Internet Storm Center (http://isc.sans.org/).
Here, firewall log data is interpreted and displayed as graphs
and tables, along with noteworthy trends.
It’s possible to view data according to country of origin.
Interestingly, port-scanning activity often varies geographically.
This is especially true when viruses or worms propagate from
a country of origin and spread outwards.
Back at the DShield site, visitors can learn about particularly
active worms and viruses, see the “most popular” scanned ports,
find out who the top attacking IP address is, and view the
IP addresses of the “10 Most Wanted” port scanners, including
the number of ports the offenders have scanned. The “Are You
Cracked?” link quickly compares your IP address to the DShield’s
database of attackers. DShield’s Block List provides a range
of addresses with a history of suspicious activity. If you
maintain a block list on your firewall, DShield’s list helps
you quickly identify problem IP addresses and block them before
they reach your system.
What’s Next
Despite the impressive amount of interpretive data available
through both SANS and DShield, Ullrich still hopes to expand
DShield’s offerings. There are plans in the works to improve
summary data for users, and possibly to add user groups who
will be able to share data. Additional plans include data
collection expansion, and to perhaps include full packet content
collection and analysis, as well as log analysis for specific
applications.
What does DShield hope to ultimately accomplish? “To become
the ultimate early warning system for Internet attacks and
to ease/speed up the cleanup of infected machines,” says Johannes
Ullrich. It’s a noble goal, and one that seems readily within
DShield’s grasp.
Would you like to “push back” against firewall scanners with
DShield? Join with thousands of other users who report their
port information to DShield. Visit DShield at http://www.dshield.org,
or go straight to http://www.dshield.org/howto.html to get
more information on DShield’s firewall clients.