Re: Personal stats on comp.glam.ac.uk traffic

From: John Sage (jsageat_private)
Date: Fri Aug 10 2001 - 08:49:47 PDT


    Blyth et al:
    
    **********************************
    Context: dialup to worldnet.att.net, dynamic IP
    Connect time this date: +- 20 hours
    Timestamps: US Pacific daylight savings, GMT -09:00, synch by xntpd
    Tools: snort, ipchains, portsentry, logcheck, iptraf
    **********************************
    
    AT&T seems to have successfully instituted ingress filtering for tcp/80 
    packets from source IPs external to its class A 12.x.x.x, but hasn't 
    done much to protect from the enemy within.
    
    I'm seeing probes from 12.82.x.x, 12.183.x.x, 12.21.x.x, 12.10.x.x, 
    12.153.x.x, 12.99.x.x, etc etc.
    
    I'm on a dialup on 12.82.x.x
    
    Counts:
    
    08/09/01 total, 177 packets, usually in triplets, so say 59 unique IPs
    
    08/10/01 to 08:45am PDST, 35, so say 11-12 unique IPs
    
    - John
    
    -- 
    John Sage
    FinchHaven, Vashon Island, WA, USA
    http://www.finchhaven.com/
    mailto:jsageat_private
    "The web is so, like, five minutes ago..."
    
    
    Blyth A J C (Comp) wrote:
    
    > Here at the School of Computing (University of Glamorgan) our IDS systems
    > are only seeing about 50 scans per day. How many scans are other people
    > seeing?
    > 
    > 
    > Andrew
    > 
    > -----Original Message-----
    > From: Richard Bejtlich [mailto:richardat_private]
    > Sent: 08 August 2001 04:29
    > To: intrusions; incidents
    > Subject: Personal stats on satx.rr.com ARP traffic
    > 
    > 
    > Hi all,
    > 
    > Code Red continues to amaze.  First I was surprised by the hundreds of 
    > individual IPs scanning my single, no-web-server IP (about 700/day the 
    > last three days).  Now I'm floored by the ARP traffic.  First I 
    > collected 1000 ARP packets to see how fast they were arriving:
    > 
    > 21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
    > 21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
    > 21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
    > 21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
    > ....continues...
    > 21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
    > 21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
    > 21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1
    > 
    > That's roughly 1000 ARP requests in one minute 1 second, or 16.4 ARP 
    > requests per second.
    > 
    > Then I collected 10000 ARP packets to see how the longer timespan fared:
    > 
    > 22:00:42.877487 arp who-has 24.28.153.143 tell 24.28.153.1
    > 22:00:42.915864 arp who-has 24.162.170.86 tell 24.162.170.1
    > 22:00:43.086824 arp who-has 24.160.136.166 tell 24.160.136.1
    > 22:00:43.143667 arp who-has 24.167.112.235 tell 24.167.112.1
    > ...continues...
    > 22:11:30.739916 arp who-has 24.28.153.98 tell 24.28.153.1
    > 22:11:30.868589 arp who-has 24.160.159.67 tell 24.160.158.1
    > 22:11:31.031757 arp who-has 24.167.113.210 tell 24.167.112.1
    > 
    > That session showed 10000 ARP requests in 10 minutes 48 seconds, or 15.4 
    > ARP requests per second.
    > 
    > I've never seen anything like this.
    > 
    > Richard
    > http://taosecurity.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
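A small parser for the tcpdump ARP lines Bejtlich quotes, added here as an example (not code from the thread or from any of its authors): it turns the capture into a request rate and the set of gateways doing the asking, which is the quick check a defender uses to spot worm scanning of address space with no live hosts. The `summarise_arp` helper and its `total_packets` argument are my own assumptions; the sample lines are the head and tail of the first capture quoted above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the tcpdump ARP lines quoted in the post, e.g.
# "21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1"
ARP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) arp who-has (\S+) tell (\S+)$")

def summarise_arp(lines, total_packets=None):
    """Count ARP requests, elapsed seconds, requests/second, unique targets
    and requesting gateways (hypothetical helper, not from the thread).
    tcpdump prints wall-clock time only, so a day is added when the clock
    runs backwards; total_packets is the real size of a head/tail excerpt."""
    first = last = None
    offset = timedelta(0)          # accumulated midnight wraps
    seen, targets, gateways = 0, Counter(), Counter()
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue               # replies, '...continues...' and noise
        stamp, target, gateway = m.groups()
        t = datetime.strptime(stamp, "%H:%M:%S.%f") + offset
        if last is not None and t < last:
            offset += timedelta(days=1)
            t += timedelta(days=1)
        first, last = first or t, t
        seen += 1
        targets[target] += 1
        gateways[gateway] += 1
    if seen == 0:
        return None
    span = (last - first).total_seconds()
    count = seen if total_packets is None else total_packets
    return {"packets": count, "span_s": round(span, 6),
            "rate": count / span if span else float("inf"),
            "unique_targets": len(targets), "gateways": dict(gateways)}

# Head and tail of Bejtlich's first capture, reproduced from the post
SAMPLE = """\
21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
....continues...
21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1
""".splitlines()

if __name__ == "__main__":
    print(summarise_arp(SAMPLE, total_packets=1000))  # ~16.3 requests/s
```

The post rounds the span to 61 s and gets 16.4/s; the full timestamps give 61.33 s and 16.3/s, the same order of magnitude a gateway never shows when only real hosts are being looked up.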
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:56:57 PDT