[nsp-sec] TCP-23 Increase

Jason Chambers jchambers at ucla.edu
Mon Jun 30 16:09:13 EDT 2008


Matthew.Swaar at us-cert.gov wrote:
> I'm working on comparing Ips across multiple days, see if it's a
> relatively static handful doing this.  The traffic appears to be mostly
> 60bpp SYN scanning, with some SYN-RST thrown in.
>
> Anyone have a theory about what prompted this?
>

Similar observation from here; an increase started on the 25th.  
212.106.54.173 was the only host found on more than one day exceeding 20k 
destinations.

No idea on the reason.  Maybe we should make friends with the PNL folks 
or figure out how to build a shared "NUANCE" [1].  I saw it at last 
year's VizSec but haven't gotten anywhere close to replicating it.

--Jason


Unique destinations per day:

        date         | dst_port | dst_host_count
---------------------+----------+----------------
 2008-06-29 00:00:00 |       23 |          99663
 2008-06-28 00:00:00 |       23 |         106823
 2008-06-27 00:00:00 |       23 |          96185
 2008-06-26 00:00:00 |       23 |          58626
 2008-06-25 00:00:00 |       23 |         104375
 2008-06-24 00:00:00 |       23 |          13476
 2008-06-22 00:00:00 |       23 |          12021
 2008-06-20 00:00:00 |       23 |          13864
 2008-06-19 00:00:00 |       23 |          11178
 2008-06-18 00:00:00 |       23 |          53817
[1] http://www.vizsec.org/workshop2007/presentations/pike-context.pdf

Bill Pike, Chad Scherrer and Sean Zabriskie.
Putting Security in Context: Visual Correlation of Network Activity with 
Real-World Information.

Abstract: To effectively identify and respond to cyber threats, computer 
security analysts must understand the scale, motivation, methods, 
source, and target of an attack.  Central to developing this situational 
awareness is the analyst's world knowledge that puts these attributes in 
context.  What known exploits or new vulnerabilities might an anomalous 
traffic pattern suggest?  What organizational, social, or geopolitical 
events help forecast or explain attacks and anomalies?  Few 
visualization tools support creating, maintaining, and applying this 
knowledge of the threat landscape.  Through a series of formative 
workshops with practicing security analysts, we have developed a 
visualization approach inspired by the human process of 
contextualization; this system, called NUANCE, creates evolving 
behavioral models of network actors at organizational and regional 
levels, continuously monitors external textual information sources for 
themes that indicate security threats, and automatically determines if 
behavior indicative of those threats is present on a network.
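A worked version of the two checks this post relies on, counting distinct port-23 destinations per day (the "unique destinations per day" table) and picking out sources that exceed a fan-out threshold on more than one day (the test that singled out a single host above), plus the share of flows that are bare 60-byte SYNs. This is an added example, not code from the list post or from NUANCE. It runs on constructed flow records using RFC 5737 documentation addresses; the record layout, function names and the small threshold are assumptions chosen for the sample, not values from the thread.

```python
from collections import defaultdict

# Constructed flow records (not from the list post). One flow per line:
# date src_ip dst_ip dst_port tcp_flags bytes
# Addresses come from the RFC 5737 documentation ranges, so none is a
# real scanner; 192.0.2.10 is built to exceed the threshold on both days.
SAMPLE_FLOWS = """\
2008-06-25 192.0.2.10 198.51.100.1 23 S 60
2008-06-25 192.0.2.10 198.51.100.2 23 S 60
2008-06-25 192.0.2.10 198.51.100.3 23 S 60
2008-06-25 192.0.2.10 198.51.100.4 23 S 60
2008-06-25 192.0.2.20 198.51.100.5 23 S 60
2008-06-25 192.0.2.20 198.51.100.6 23 S 60
2008-06-25 192.0.2.20 198.51.100.7 23 SR 60
2008-06-25 192.0.2.20 198.51.100.8 23 S 60
2008-06-25 203.0.113.5 198.51.100.1 22 SPA 1420
2008-06-26 192.0.2.10 198.51.100.1 23 S 60
2008-06-26 192.0.2.10 198.51.100.2 23 S 60
2008-06-26 192.0.2.10 198.51.100.3 23 S 60
2008-06-26 192.0.2.10 198.51.100.4 23 S 60
2008-06-26 192.0.2.20 198.51.100.1 23 SPA 1200
2008-06-26 192.0.2.30 198.51.100.9 23 S 60
2008-06-26 192.0.2.30 198.51.100.10 23 S 60
2008-06-26 192.0.2.30 198.51.100.11 23 S 60
2008-06-26 192.0.2.30 198.51.100.12 23 S 60
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts; dates stay ISO strings."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, dport, flags, nbytes = line.split()
        records.append({"date": day, "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags, "bytes": int(nbytes)})
    return records


def unique_destinations_per_day(records, dport=23):
    """Same aggregate as the post's table: distinct dst hosts per date for one port."""
    seen = defaultdict(set)
    for r in records:
        if r["dport"] == dport:
            seen[r["date"]].add(r["dst"])
    return {day: len(dsts) for day, dsts in seen.items()}


def per_source_daily_fanout(records, dport=23):
    """Distinct destinations each source touched per day on the given port."""
    seen = defaultdict(set)  # (date, src) -> set of dst hosts
    for r in records:
        if r["dport"] == dport:
            seen[(r["date"], r["src"])].add(r["dst"])
    return {key: len(dsts) for key, dsts in seen.items()}


def persistent_scanners(records, dport=23, threshold=3, min_days=2):
    """Sources whose daily fan-out exceeds `threshold` on at least `min_days` days.

    The thread used 20k destinations as the bar; the sample is tiny, so the
    default threshold here is an assumption scaled to the constructed data.
    """
    days_over = defaultdict(set)
    for (day, src), count in per_source_daily_fanout(records, dport).items():
        if count > threshold:
            days_over[src].add(day)
    return sorted(src for src, days in days_over.items() if len(days) >= min_days)


def syn_only_fraction(records, dport=23):
    """Share of flows to the port that are bare 60-byte SYNs, the pattern the thread describes."""
    flows = [r for r in records if r["dport"] == dport]
    if not flows:
        return 0.0
    syn_only = sum(1 for r in flows if r["flags"] == "S" and r["bytes"] == 60)
    return syn_only / len(flows)


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for day, n in sorted(unique_destinations_per_day(recs).items(), reverse=True):
        print(f"{day} | 23 | {n}")
    print("persistent:", persistent_scanners(recs))
    print(f"bare SYN share: {syn_only_fraction(recs):.2f}")
```

Feeding real flow or pcap-derived records only needs `parse_flows` swapped for the collector's own export; the three aggregates are what you would compare across days to decide whether the rise is a stable handful of sources or a moving set.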
