[nsp-sec] [sec] Conficker Timecheck Daily Reports Data

Smith, Donald Donald.Smith at qwest.com
Thu Apr 23 18:23:46 EDT 2009



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: John Fraizer [mailto:john at op-sec.us] 
> Sent: Tuesday, April 21, 2009 7:44 PM
> To: Smith, Donald; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] [sec] Conficker Timecheck Daily Reports Data
> 
> 
> 
> On Tue, Apr 21, 2009 at 6:02 PM, Smith, Donald 
> <Donald.Smith at qwest.com> wrote:
> 
> 
> 	----------- nsp-security Confidential --------
> 	In netflow I could only correlate about 10% of the 
> sample ips I pulled from the time-check report.
> 	I didn't check the entire set but did check 100 so 
> would expect a higher rate of correlation.
> 	
> 
> 
> Donald,
> 
> I am pretty sure that your flow data is much like mine and 
> many others here - IE; sampled.  Your sample rate is probably 
> less granular than mine simply as a function of scale.  Is it 
> possible that you're not seeing flow correlation because 
> flows are falling into the 1:1000, 1:10,000, 1:100,000 sample bin?
> 
> I know that at 1:1000, I deal with a pretty significant 
> amount of flows still and even with that sample rate, I've 
> had "known, validated by other means" hits in the ASN reports 
> that I couldn't find a flow correlation for.  It took me a 
> while to explain to the pointy-heads that sampled means 
> sampled and that means we *miss* some data in the flows.

We sample at 1/1k too :)
Yes, of course we miss some; I wouldn't expect 100% validation, but 10% is pretty low for noisy Conficker nodes.
Other Conficker reports I have checked validated at 80++ percent in netflow because Conficker is fairly noisy :)

> 
> Since your network is significantly larger than mine, I 
> would have to assume that the number of flows involved is 
> also significantly larger and there is a larger incident of 
> "lost to sampling" misses with respect to flow to report correlation.
Something like 30G a day.
> 
> I'm open to education or other smack-down by those who know 
> much more than I do.  I don't pretend to know everything but, 
> I *did* drive by a "Holiday Inn Express" on my way home.  (I 
> can't afford to stay there!)
> 
>  
> 
> 	Ok that makes sense. I am not trying to cast doubts but 
> need to feel the data is accurate before we use it to notify 
> customers. Based on your 86% correlation between the two 
> types I am feeling better about this data but there is still a gap.
> 	
> 
> 
> Oh... Not me.  I'm trying to get my "customer facing" folks 
> trained along the lines of "If it gets sent to us by John 
> and he says it comes from one of his trusted sources, it 
> might as well have been spoken in a thunderous voice from the 
> clouds" - mindset.
> 
> Perhaps your customer-facing folks are better than mine. :)
> 
> John
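The sampling argument in the thread (1:1000 flow sampling, noisy Conficker nodes should still show up, quiet ones may not) can be made concrete. The following is an added worked example, not code or data from the nsp-security thread or from either poster; it models 1:N packet sampling as each packet being exported independently with probability 1/N, and the per-host daily packet counts it uses are constructed, illustrative values, not measurements from anyone's network.

```python
# Added example (not from the nsp-security thread): how much of a
# timecheck/ASN report one should expect to correlate in 1:N sampled
# NetFlow.  Model assumption: each packet is exported independently with
# probability 1/N, so a host is "seen" if at least one of its packets is
# sampled.  Deterministic 1-in-N samplers behave similarly in aggregate.
from math import ceil, log


def p_seen(packets_per_day: int, sample_rate: int) -> float:
    """Probability that a host emitting packets_per_day packets appears at
    least once in 1:sample_rate sampled flow data."""
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packets_per_day


def expected_correlation(packet_counts, sample_rate: int) -> float:
    """Expected fraction of reported hosts that match at least one exported
    flow record, given each reported host's daily packet count."""
    if not packet_counts:
        return 0.0
    return sum(p_seen(c, sample_rate) for c in packet_counts) / len(packet_counts)


def packets_needed(target_p: float, sample_rate: int) -> int:
    """Smallest daily packet count at which a host is seen with probability
    of at least target_p under 1:sample_rate sampling."""
    # Solve (1 - 1/N)^n <= 1 - target_p for n.
    return ceil(log(1.0 - target_p) / log(1.0 - 1.0 / sample_rate))


if __name__ == "__main__":
    RATE = 1000  # 1:1000, the rate both posters mention
    # Constructed host profiles: a quiet scanner, a moderate one, a noisy one.
    for pkts in (100, 1000, 10000):
        print(f"{pkts:>6} pkts/day at 1:{RATE}: P(seen) = {p_seen(pkts, RATE):.4f}")
    # Constructed report population: mostly quiet hosts, a few loud ones.
    population = [100] * 6 + [1000] * 3 + [10000]
    print(f"expected correlation for mixed population: "
          f"{expected_correlation(population, RATE):.3f}")
    print(f"packets/day needed for 80% chance of a hit: "
          f"{packets_needed(0.8, RATE)}")
```

The point this makes for the thread: at 1:1000 a host needs roughly 1,600 packets a day before it has an 80% chance of leaving any sampled flow, so a report populated by quiet hosts will correlate poorly even if every entry is accurate, while genuinely noisy Conficker nodes (tens of thousands of packets a day) should correlate at close to 100%. A low correlation rate is therefore evidence about the report's population or the matching method, not by itself evidence that the entries are wrong.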

