Who's that Knocking on My Door?

    Revised: 2005/08/24

    We all know (or damn well should know) that the Internet is not a friendly place, particularly if you're an unpatched, unprotected Windoze box.  There are plenty, plenty, plenty of traps for the unwary (particularly if you use Outlook or Internet Explorer); visit a site, click a link, open an attachment, and Whap!  Or, in the current vernacular, PWNED.

    But what is far worse, there are nasties out there that are actively looking for you.  You don't have to go to them, they'll come to you!  Frequently!  And if you have an unprotected system, Whap! The computer you paid good money for, the high-speed internet service you pay every month for, has become yet another cyberspace disease vector; just another digital flea spreading the cyber-black-plague.

    This is a simple study of the beasties that come knocking at your (and my) door.

Collecting the Data

    Most routers provide a hardware firewall and network address translation (NAT).  They isolate and protect you from a lot of the nasties on the Net. If you have high-speed internet access, you need a router. One of the things many routers provide is a way to log activity, both incoming and outgoing.  I use a router that provides this capability.  I also run a very nice piece of (free) software, WallWatcher, that records the information the router sends out in log files.

    Here's a chunk of a typical WallWatcher log file (reformatted slightly):

2005/08/18 01:15:13.02 P 61.53.154.89                44908 192.168.1.101 1027
2005/08/18 01:17:05.34 P 222.189.38.34               32773 192.168.1.101 1027
2005/08/18 01:18:58.86 P 24.6.155.31                  3865 192.168.1.101 80
2005/08/18 01:18:58.86 O 24.6.155.31                  3865 192.168.1.101 80
2005/08/18 01:20:11.95 P 202.99.172.160              46855 192.168.1.101 1026
2005/08/18 01:20:11.95 P 202.99.172.160              46855 192.168.1.101 1027
2005/08/18 01:20:14.20 O 17.254.0.31   time.apple.com  123 192.168.1.101 1392
2005/08/18 01:22:08.22 P 63.220.40.2                  2744 192.168.1.101 1433
2005/08/18 01:22:08.22 O 63.220.40.2                  2744 192.168.1.101 1433
2005/08/18 01:26:04.22 P 222.47.76.232               54291 192.168.1.101 1026
2005/08/18 01:26:46.09 P 218.83.153.58               35504 192.168.1.101 1026
2005/08/18 01:28:53.55 P 219.150.118.46              21048 192.168.1.101 1026

    This shows what happened on my network on August 18, 2005 from 1:15 to 1:30 in the morning.  Do you know what your computers were doing at that time?  The first two columns are pretty easy to figure out -- local date and time.  The third one is more interesting.  The "P" stands for an unsolicited probe.  That's an attempt to contact a port that's not open.  Stateful firewalls block this kind of stuff.  So, at 1:15 and a little bit in the morning, someone came knocking.  Who?  A computer located at IP address 61.53.154.89.  Where is that?  If you enter that address into the SANS web page, DShield.org tells you that 61.53.154.89 belongs to a well-known abuser in China.  I say "well-known abuser" because when I checked, DShield had 133241 recorded complaints against that ISP in the last 30 days.  The last complaint was sent 2005/08/05 and, big surprise, no reply received!  Reading along, 44908 is the source port, not of much interest to us.  192.168.1.101 is the local destination IP address, one of my systems, also not of much interest since it's been translated (NAT by my firewall).  Of interest is the last item, 1027.  That's the destination port.  Looking up 1027 on SANS shows that it's used by known exploits.

    In other words, a system in China is trying to take over my computer.  If I was running an unprotected Windoze box, it would have.

    And so would the system at 222.189.38.34, also in China, less than two seconds later.  Oh, there are about 140,000 complaints against that Chinese ISP in the last 30 days.  I don't think they're innocent bystanders, somehow.

    Reading down the log shows an attempt by someone at 24.6.155.31 to contact port 80, which is used by web (http) servers.  The "O" (outgoing) record following is a reply from one of my systems telling them to piss off (refusing the connection).  Some fanatics will point out, correctly so, that by telling the other end to piss off, I'm letting them know there's something listening at my end.  Most ports are secured, which means that connect attempts don't elicit any response at all.

    The next pair, 202.99.172.160 (China, no big surprise) whacking at ports 1026 and 1027 is pretty typical of the pattern.  I see a lot of pairs like that, or runs of ports.

    The following "O" record, going to port 123 at 17.254.0.31 (time.apple.com) is a box on my network doing a network time protocol (NTP) check on its internal clock.

    The whacks directed to port 1433 are an attempt to take advantage of known bugs in Microsoft's SQL server; another take-over attempt.

    The last three lines are mundane takeover attempts directed at port 1026, which is used by, surprise, surprise, Microsoft software.  Another big surprise -- the attacks are coming from China!

    Nine attempts in under 15 minutes -- that's a little slow.  Most of the time, I get at least one per minute (average 42 per hour with a crazy peak above 1200 per hour).  Half of them arrive within 60 seconds of another attempt.  And remember, this is on an isolated home system, not an advertised business!  This shows organized attempts to scan the IP space used by high-speed internet connections, looking for vulnerable systems.

Processing the Data

    I run the log files through hacks written in python (hacks available on request).  One of the things they do is look up the source IP address using a free database to get the country name.  Here's a breakdown of the top twelve, the dirty dozen countries, showing how many hits they produced, and their percentage of the total.

At 08/24/05 11:12:44 we have 150505 records:
Dirty dozen countries:
102045  67% China
28860  19% United States
 3717   2% Republic Of Korea
 2599   1% Canada
 1201   0% Germany
 1119   0% United Kingdom
  978   0% Taiwan
  783   0% Japan
  776   0% Atlantis
  664   0% Australia
  643   0% Spain
  610   0% Hong Kong


    Not too surprising, really. Two thirds of the attacks come from China.  What's the "Atlantis" entry?  Didn't know they had access to the internet?  Well, there are IP addresses not in the database; when my hack trips across one of those, it returns "Atlantis."  It also knows about "reserved" ranges such as 192.168.xxx.xxx.

    Here's the list of dirty dozen source IP addresses:

Dirty dozen source IPs:
61.152.158.xxx  16833 11% China
222.189.38.xxx  13749  9% China
218.92.11.xxx    8276  5% China
61.235.154.xxx   5657  3% China
218.92.13.xxx    4201  2% China
218.66.104.xxx   2764  1% China
219.148.64.xxx   2664  1% China
222.77.185.xxx   2368  1% China
221.211.255.xxx  2147  1% China
220.168.156.xxx  2104  1% China
222.141.69.xxx   2042  1% China
222.233.52.xxx   1865  1% Republic Of Korea


    Fascinating -- 11% of the assaults on my system come from one IP in China!  If my ISP were to flush all packets originating from a few IP addresses, think how much capacity they could recover!  And these aren't random events.  My logs show probes from some of these systems every few minutes for months!  Someone is dedicating resources to the task of probing the Internet and taking over systems!  (Yeah, I could resolve these to the AS level, which would collapse the list some.)

    What are all these things trying to do?  Take over any computer they can, that's what!  They're fishing for known vulnerabilities, the vast majority of them in Microsoft Windows.  Here's what my logs say they're poking away at.

Their favorite ports:
 1026 58464 38%
 1027 48298 32%
 6881 17123 11%
 1433  3778  2%
   80  3651  2%
 3074  2531  1%
 1434  1841  1%
 4899  1414  0%
15118  1336  0%
 1028  1170  0%
 1029  1056  0%
   22   847  0%

    Not all of these are malicious.  Port 3074 is used by XBOX Live, so activity (1%, big deal) on that port is probably local XBOXen looking for their kin.  6881 is used by the BitTorrent p2p system; all that activity occurred over a few days.  But the rest (about 80%, particularly 1026, 1027, 1433 and 1434) are as innocent as a brick through a window in the dead of night.
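    The script below is an added example, written for this page; it is not the python hacks the author mentions, which aren't reproduced here.  It parses the WallWatcher log format shown in the "Collecting the Data" excerpt (the field layout, including the optional hostname column seen on the time.apple.com line, is inferred from that excerpt), keeps only the "P" probe records, and builds the same kinds of tables as the dirty-dozen listings: top destination ports, top source /24 blocks masked as xxx, and per-country counts with truncated percentages.  The country table is a small constructed stand-in for the free GeoIP database the author uses; addresses it doesn't know come back as "Atlantis" and reserved ranges as "Reserved," matching the author's description.  It also computes the share of probes that arrive within 60 seconds of another probe, the statistic quoted after the log walkthrough.  All function names are my own.

```python
"""Added example (not the author's hacks): tabulate WallWatcher-style log lines.
Field layout inferred from the post's excerpt: date, time, flag (P = unsolicited
probe, O = outgoing), source IP, optional hostname, src port, dst IP, dst port."""
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime

Record = namedtuple("Record", "when direction src_ip hostname src_port dst_ip dst_port")

# Constructed sample input: the twelve lines quoted in the post.
SAMPLE_LOG = """\
2005/08/18 01:15:13.02 P 61.53.154.89                44908 192.168.1.101 1027
2005/08/18 01:17:05.34 P 222.189.38.34               32773 192.168.1.101 1027
2005/08/18 01:18:58.86 P 24.6.155.31                  3865 192.168.1.101 80
2005/08/18 01:18:58.86 O 24.6.155.31                  3865 192.168.1.101 80
2005/08/18 01:20:11.95 P 202.99.172.160              46855 192.168.1.101 1026
2005/08/18 01:20:11.95 P 202.99.172.160              46855 192.168.1.101 1027
2005/08/18 01:20:14.20 O 17.254.0.31   time.apple.com  123 192.168.1.101 1392
2005/08/18 01:22:08.22 P 63.220.40.2                  2744 192.168.1.101 1433
2005/08/18 01:22:08.22 O 63.220.40.2                  2744 192.168.1.101 1433
2005/08/18 01:26:04.22 P 222.47.76.232               54291 192.168.1.101 1026
2005/08/18 01:26:46.09 P 218.83.153.58               35504 192.168.1.101 1026
2005/08/18 01:28:53.55 P 219.150.118.46              21048 192.168.1.101 1026
"""

# Constructed, hypothetical country table standing in for the free GeoIP database
# the post mentions; left incomplete so 63.220.40.2 falls through to "Atlantis".
COUNTRY_TABLE = [(ipaddress.ip_network(n), c) for n, c in (
    ("61.53.0.0/16", "China"), ("222.189.0.0/16", "China"), ("202.99.0.0/16", "China"),
    ("222.47.0.0/16", "China"), ("218.83.0.0/16", "China"), ("219.150.0.0/16", "China"),
    ("24.6.0.0/16", "United States"), ("17.0.0.0/8", "United States"))]

def parse_line(line):
    """Parse one log line; the hostname column is present only when resolved."""
    fields = line.split()
    if len(fields) == 8:
        date, clock, flag, src, host, sport, dst, dport = fields
    elif len(fields) == 7:
        date, clock, flag, src, sport, dst, dport = fields
        host = None
    else:
        raise ValueError(f"unexpected field count: {line!r}")
    when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S.%f")
    return Record(when, flag, src, host, int(sport), dst, int(dport))

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def probes(records):
    """Keep the unsolicited probes ('P'); 'O' lines are our own outgoing traffic."""
    return [r for r in records if r.direction == "P"]

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr.is_private:  # 192.168.x.x and the other RFC 1918 ranges
        return "Reserved"
    for net, name in COUNTRY_TABLE:
        if addr in net:
            return name
    return "Atlantis"  # address not in the database

def mask24(ip):
    """Collapse an address to its /24, written a.b.c.xxx as in the post's table."""
    return ".".join(ip.split(".")[:3]) + ".xxx"

def ranked(counter, total, n):
    """Top-n rows of (key, count, truncated percent); ties keep first-seen order."""
    rows = sorted(counter.items(), key=lambda kv: -kv[1])[:n]
    return [(k, c, c * 100 // total) for k, c in rows]

def top_ports(records, n=12):
    return ranked(Counter(r.dst_port for r in records), len(records), n)

def top_sources(records, n=12):
    return ranked(Counter(mask24(r.src_ip) for r in records), len(records), n)

def top_countries(records, n=12):
    return ranked(Counter(country_of(r.src_ip) for r in records), len(records), n)

def clustered_fraction(records, window=60.0):
    """Share of records arriving within `window` seconds of another record."""
    times = sorted(r.when for r in records)
    close = 0
    for i, t in enumerate(times):
        before = i > 0 and (t - times[i - 1]).total_seconds() <= window
        after = i + 1 < len(times) and (times[i + 1] - t).total_seconds() <= window
        close += before or after
    return close / len(times) if times else 0.0

if __name__ == "__main__":
    p = probes(parse_log(SAMPLE_LOG))
    print(f"{len(p)} probes, {clustered_fraction(p):.0%} within 60 s of another")
    for title, rows in (("ports", top_ports(p)), ("source IPs", top_sources(p)),
                        ("countries", top_countries(p))):
        print(f"Dirty dozen {title}:")
        for key, count, pct in rows:
            print(f"{str(key):>16} {count:6d} {pct:3d}%")
```

    On the twelve quoted lines it finds nine probes, four of which (the 1026/1027 pair at 01:20:11 and the two 1026 hits at 01:26) land within 60 seconds of a neighbour.  Percentages are truncated with integer division so a 0.8% share prints as 0%, which is why the author's country table shows several "0%" rows with hundreds of hits.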

    Think you're safe?  You might be, if you're running a Mac (with current updates).  These things are knocking at my door, constantly, and thanks to firewalls and well-configured systems, there's nobody home to answer.  They can't get anywhere.

    An important term in the biz is "Zero Day Exploit." What that means is that the same day a vulnerability is announced, something nasty (an exploit) pops up in the wild that takes advantage of it.  Zero days between discovery and exploitation. One of the latest little problems (in the Microsoft camp) doesn't have a patch available for it -- visit the wrong website with Explorer, and your machine will be taken over in the blink of an eye...  All the latest patches and seventeen cloves of garlic taped to your display won't help; that's what zero-day exploit means -- so don't use Explorer!

What can I do?

    Other than run a Mac (as I do)? Use a hardware firewall between your systems and the Internet.  Be sure you've changed default admin names and passwords!  If you're using wireless, at least turn off broadcast SSID, and use WEP or WPA.  (A friend of mine saw a wireless network with the SSID "Searching" -- very cool...) If you can, restrict access to specific MAC addresses. Use and update (fanatically!) anti-virus and firewall software on all machines.  The (free) anti-virus software I use updates itself daily. XP and Mac OSX both have free firewalls built-in. Dump Outlook and Explorer -- use Firefox and Thunderbird. Keep current backups.

    Oh, if you have a router that can record this kind of information, and a system to collect it, I'd like to see log files of incoming probes.  (I don't need to see your outgoing stuff, and you probably don't want me to see it, either.  My teenage son certainly was surprised to learn that outgoing requests were logged!)

    And if you don't understand the jargon in the previous paragraphs?  Use a Mac. Cultivate geek friends who know what they're doing.  You'll need their help when your computer gets nailed. Turn off your computer when you're not using it. Pray.

Namaste--

Bob