Internet Storm Center tracks the Internet's bad weather

Protecting a network requires a broad view of what is going on with the Internet. To help with that view, the SANS Institute has developed the Internet Storm Center. This site might just save you from being caught out in the rain.


Many CIOs rely on server firewalls and security software to detect port scanning and other suspicious activities that might reveal network attacks in progress. While this strategy can be effective in detecting attacks aimed at the specific network, it only offers a small view of what is going on with the rest of the Internet. A view of the overall Internet climate would let you chart the path of attacks worldwide, enabling you to better prepare for one that might be headed your way.

The big picture comes to you thanks to the Internet Storm Center (ISC), a cooperative venture created in 2001. ISC, run by the SANS Institute of Bethesda, MD, coordinates analysis of Internet security information provided by firewall and other intrusion-detection system logs. The data comes through U.S. information and analysis centers, worldwide computer emergency response teams, volunteer ISPs, corporations, universities, and center staff. The program is funded by tuition paid by students attending the SANS Institute security programs.

The Center's mission
Beyond alerting the public, key ISPs, and industries to danger, the ISC tries to gather copies of suspicious code early in an attack. In one case, it even convinced Internet backbone providers to shut down traffic to certain sites. That was the result on March 22, 2001, when the ISC began logging increased probes of Port 53, the port used by DNS. In one geographic area, probes shot up from an average of 200 per day to 50,000 on that particular day.

By combing the data, analysts discovered that a new worm, called LION (one that infects Linux, for a change), had been released. LION searches for a vulnerability in an older version of the Linux BIND DNS server and exploits it by, among other things, copying passwords and setting up infected machines to launch DoS (denial of service) attacks.

Symantec's virus definition pegs LION as a low threat, reporting that it has only caused 49 infections in the wild. Perhaps this good result is due to the speed with which the ISC was able to obtain a copy of the code for reverse engineering and antivirus creation and its ability to persuade the UUNET backbone to cut traffic to a suspicious address in China that was receiving passwords.

The Internet Storm Center Web site
The ISC Web site provides graphical information and text descriptions of trends. The first item you'll see is an icon indicating the threat level (Figure A).

Figure A
The Internet is safe from storms today.


Below it, pie charts superimposed over a world map slice up the top port attacks by percent (Figure B). Text on the map also lists the victim-port and its functions. Clicking on any text takes you to a tabular country-by-country report of that port's activity.

Figure B
Even in a safe world, attacks continue.


Below the map, you'll find a list of the top 10 attacked ports and the top 10 trends (icons indicate No Change, Increasing, and Decreasing). Click any member of the list to see a detailed report. Among the data shown are 40 days of activity, a table of daily activity, information about services (both legitimate and illegitimate) registered for the port, and, perhaps most helpful, a list of vulnerabilities. For example, the entry for Port 139 notes that under Windows 95/NT it is vulnerable to WinNuke, an "Out Of Band" (OOB) data denial of service through the NETBIOS port. Figure C shows the page for Port 139, used by NETBIOS.

Figure C
Activity for Port 139 was decreasing on July 10, 2003.


Note that you can type any port number in the text box above the chart and press [Enter] to see data for that value. There are various ways to drill down into the information. From the home page, click Top 10 for three useful items:
  • A list of the most attacked ports and a quick link to a 30-day history
  • The top 10 source IPs responsible for the attacks
  • A block-list that you can add to your security system and Web server

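The Top 10 report, the trend icons, and the block-list described above can be reproduced locally from your own firewall logs. The following Python is an added example, not code from the article or from ISC/DShield; it assumes an iptables-style DROP log line and works over a constructed sample.

```python
# Added example (not from the article or from ISC/DShield): summarize firewall
# deny entries the way the ISC "Top 10" report does, and flag per-port trends.
# The log layout is an assumed iptables-style format; the sample is constructed.
import re
from collections import Counter

# Constructed sample of firewall DROP entries (one per line, RFC 5737 test addresses).
SAMPLE_LOG = """\
Jul 09 01:12:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4411 DPT=139
Jul 09 02:45:10 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4412 DPT=139
Jul 09 03:01:55 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53
Jul 10 00:10:00 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=1025 DPT=53
Jul 10 00:10:01 fw kernel: DROP IN=eth0 SRC=192.0.2.45 DST=203.0.113.5 PROTO=UDP SPT=1026 DPT=53
Jul 10 00:10:02 fw kernel: DROP IN=eth0 SRC=192.0.2.46 DST=203.0.113.5 PROTO=UDP SPT=1027 DPT=53
Jul 10 04:20:09 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4413 DPT=139
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) \S+ \S+ kernel: DROP .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse(log_text):
    """Yield (day, src, proto, dport) tuples; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield f"{m['mon']} {m['day']}", m["src"], m["proto"], int(m["dpt"])

def top_ports(records, n=10):
    """Most attacked destination ports, like the ISC top-10 list."""
    return Counter(r[3] for r in records).most_common(n)

def top_sources(records, n=10):
    """Source IPs responsible for the most logged hits."""
    return Counter(r[1] for r in records).most_common(n)

def port_trend(records, port, today, yesterday):
    """'Increasing', 'Decreasing' or 'No Change' for one port across two days."""
    by_day = Counter(r[0] for r in records if r[3] == port)
    t, y = by_day[today], by_day[yesterday]
    return "Increasing" if t > y else "Decreasing" if t < y else "No Change"

def block_candidates(records, min_hits=3):
    """Sources hitting the firewall at least min_hits times: a local block-list draft."""
    return sorted(ip for ip, c in Counter(r[1] for r in records).items() if c >= min_hits)

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print("top ports:", top_ports(recs))
    print("top sources:", top_sources(recs))
    print("port 139 on Jul 10:", port_trend(recs, 139, "Jul 10", "Jul 09"))
    print("block candidates:", block_candidates(recs))
```

Review any block-list draft before loading it into a firewall: a single noisy but legitimate host can otherwise end up blocked.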
Source reports, as shown in Figure D, are also quite interesting and revealing. To view them, click the Source link on the menu.

Figure D
The source report identifies where suspicious traffic originates and how many targets of the traffic reported it.


The data is condensed; keep clicking on a Source entry to expand the information.

DShield
After opening the data, you'll eventually be taken to DShield.org, which lists Whois information for that address, and the Top 10 ports it has attacked (if available), along with start and end dates. In addition to its own detailed source list, DShield also catalogs e-mail attempts made to get an ISP to close down the offender, along with the ISP's response (often cooperative, but sometimes downright insulting).

Further, you can check for an entry of your own IP address in DShield's database by clicking the Are You Cracked? Click Here To See link on its home page. As the organization points out, "If your IP address appeared in our database, it would be a strong indicator that your machine was possibly cracked and is accessing other machines in a manner that their firewalls log as hostile." Thus, your network can be revealed as another important datum, analogous to precipitation, in the ISC's weather report.

While they share much of the same data, DShield's site is somewhat easier to navigate than ISC's, and you might prefer to use it for obtaining the following reports:
  • Top 10 offenders according to the DShield database
  • Top 10 most probed ports
  • Thirty day history of a user-selected port
  • Information about an IP address
  • Summary of recent activity from a Subnet
  • List of IP address ranges that you might want to block

ISC wants you
In addition to receiving information about the state of Internet weather, you can participate. If you're interested in forwarding your security data to the ISC (identifying information is stripped), send an e-mail to isw@sans.org (apinfo@incidents.org for Asia-Pacific companies). DShield's Distributed Intrusion Detection Software is used to forward your information. You can read more about how to submit logs at DShield's Web site.

The ISC won't make your systems invulnerable (ask SANS—its own Web site was hacked and defaced in 2001 by the now-incarcerated "Fluffi Bunni," a.k.a. Lynn Htun, a former Siemens AG employee). It is, however, a useful service for any enterprise with an Internet connection. For most CIOs, the chances are reasonable that the ISC can prepare you to weather an oncoming Internet storm.