c-zhong / hdv2013


Is there any port scan in subnet 1? #10

Open ShawnXiao2007 opened 11 years ago

ShawnXiao2007 commented 11 years ago
1. Subnet 1: is there any port scan?

   2.1 Which workstation has connected with many (say more than 10) hosts?

   2.2 Which workstations have sent large payloads?

   2.3 How many ports does each server connect to?

ShawnXiao2007 commented 11 years ago

port_connection_rank

ShawnXiao2007 commented 11 years ago

I counted the number of different destinations each source IP connects to. The file is uploaded above. You may download it and change the extension name to xlsx.

There are some source IPs that connect to many destinations. It is interesting to analyze this.

movingname commented 11 years ago

Thanks. This is really an interesting discovery. We should pick all nodes with a connection count larger than 17 to further analyze them. Can you share your code in the GitHub repository, so others can use it and check it?

I just pick the top ones.

| Source IP | Distinct destinations |
| --- | --- |
| 172.10.0.6 | 1020 |
| 10.0.0.8 | 503 |
| 10.0.0.13 | 498 |
| 10.0.0.12 | 496 |
| 10.0.0.11 | 494 |
| 10.0.0.7 | 484 |
| 10.0.0.6 | 481 |
| 10.0.0.10 | 470 |
| 10.0.0.9 | 467 |
| 10.0.0.14 | 465 |
| 10.0.0.5 | 451 |
| 10.7.5.5 | 355 |
| 172.10.0.3 | 277 |
| 10.1.0.75 | 217 |
| 172.10.0.4 | 186 |
| 172.20.0.4 | 148 |
| 10.1.0.76 | 143 |
| 10.1.0.77 | 126 |
| 172.20.0.3 | 117 |
| 10.199.250.2 | 101 |
| 10.1.0.100 | 90 |
| 172.30.0.4 | 40 |

c-zhong commented 11 years ago

Do you mean it's the number of one week?

c-zhong commented 11 years ago

172.10.0.6 is a fake ip, because I didn't find this ip in BigMktNetwork.txt

c-zhong commented 11 years ago

[screenshot: capture]

It's not found in the cross IP table (week 2 data) either

ShawnXiao2007 commented 11 years ago

Right. I also did not find it.

— Reply to this email directly or view it on GitHub: https://github.com/crazyappleamy/hdv2013/issues/10#issuecomment-18423527

movingname commented 11 years ago

Hi Chen and Gaoyao,

I found 172.10.0.6 in the host status data using the Java parser.

| IP | Host name |
| --- | --- |
| 172.10.0.2 | dc01.bigmkt1.com |
| 172.10.0.3 | mail01.bigmkt1.com |
| 172.10.0.4 | web01.bigmkt1.com |
| 172.10.0.40 | administrator.bigmkt1.com |
| 172.10.0.5 | web01a.bigmkt1.com |
| 172.10.0.6 | web01b.bigmkt1.com |
| 172.10.0.7 | web01c.bigmkt1.com |
| 172.10.0.8 | web01d.bigmkt1.com |
| 172.10.0.9 | web01b.bigmkt1.com |

So one possibility is that my parser is wrong. Gaoyao, could you please recheck it using your python parser?

Another possibility is that web01b.bigmkt1.com uses two IP addresses.

ShawnXiao2007 commented 11 years ago

Hi Mingyi,

Sure. I will check it.


ShawnXiao2007 commented 11 years ago

172.10.0.9 web01b.bigmkt1.com
172.10.0.6 web01b.bigmkt1.com

My result is the same as yours.


movingname commented 11 years ago

Great thanks!

From your destination count result, it seems that the port scan hypothesis is not well supported, because all these high-connection IPs are servers'. And it is natural that they have many connections...

But to further prove or disprove this hypothesis, we should answer question 2.2 and 2.3, especially 2.3. Hi, Gaoyao, if it is a piece of cake for you, can you do it? Thanks!

ShawnXiao2007 commented 11 years ago

it could be. I will try.

ShawnXiao2007 commented 11 years ago

The statistics of port connections are more interesting. Below is a list of IP addresses that connect to the largest number of ports.

There are two IPs on the Internet that send packets to 65536 ports. This is the total number of possible TCP ports, right? So the two are very suspicious.

| Source IP | Distinct destination ports |
| --- | --- |
| 10.10.11.15 | 65536 |
| 10.9.81.5 | 65536 |
| 172.30.0.4 | 64183 |
| 172.20.0.4 | 59254 |
| 172.20.0.15 | 57486 |
| 172.10.0.6 | 40971 |
| 172.10.0.3 | 17094 |
| 172.10.0.4 | 9967 |
| 10.7.5.5 | 4418 |
| 172.20.0.3 | 783 |
| 10.0.0.13 | 724 |
| 10.0.0.8 | 705 |
| 10.0.0.12 | 699 |
| 10.0.0.11 | 678 |
| 10.0.0.7 | 675 |
| 10.0.0.6 | 652 |
| 10.0.0.14 | 636 |

movingname commented 11 years ago

Yes! This is very good! We can think on how to further investigate. Any ideas?

ShawnXiao2007 commented 11 years ago

I think further investigating their connections to the internal machines is necessary.

movingname commented 11 years ago

Yes. This is one task.

Other possible tasks are:

  1. When did this port scan start?
  2. Can we correlate this port scan with other events in the system?

Now that we know there are some port scans, we need to know whether they are related to the true story. For example, it is possible that it is just a port scan from some bad kids.
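The three counts the thread works through (distinct destinations per source IP, distinct destination ports per source IP, and the time a source was first seen, which answers "when did this port scan start?") can be computed in one pass over flow records. The script below is an added example, not code from this repository or from any of the participants; it runs on a small constructed set of flows whose column layout (time, src_ip, dst_ip, dst_port) is an assumption and not the layout of the challenge data set. The port threshold of 1024 is likewise an assumption; the destination threshold of 17 is the one proposed above.

```python
"""Per-source fan-out statistics over flow records (added example)."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    time: str      # ISO-8601 timestamp; sorts correctly as a string
    src_ip: str
    dst_ip: str
    dst_port: int


def build_sample_flows() -> List[Flow]:
    """Constructed sample data (not from the challenge): a few ordinary
    workstation->server flows, a mail server talking to 20 workstations on
    one port, and one host walking 1200 ports on a single server."""
    flows = [
        Flow("2013-04-01T08:00:00", "10.0.0.8", "172.10.0.3", 25),
        Flow("2013-04-01T08:00:01", "10.0.0.8", "172.10.0.4", 80),
        Flow("2013-04-01T08:00:02", "10.0.0.8", "172.10.0.4", 80),  # repeat: no new dest
        Flow("2013-04-01T08:00:03", "10.0.0.9", "172.10.0.4", 80),
    ]
    # Busy server: many destinations, but always the same port (high fan-out,
    # low port diversity, as the thread argues is normal for servers).
    for i in range(5, 25):
        flows.append(Flow(f"2013-04-01T08:01:{i:02d}", "172.10.0.3", f"10.0.0.{i}", 25))
    # Scanning host: one destination, 1200 distinct ports, starting at 08:05:00.
    for i, port in enumerate(range(1, 1201)):
        flows.append(Flow(f"2013-04-01T08:05:{i % 60:02d}", "10.10.11.15", "172.10.0.6", port))
    return flows


def fanout_stats(flows: List[Flow]) -> Dict[str, dict]:
    """One pass: per source IP, the set of destinations, the set of
    destination ports and the earliest timestamp seen."""
    stats: Dict[str, dict] = {}
    for f in flows:
        s = stats.setdefault(f.src_ip, {"dests": set(), "ports": set(), "first_seen": f.time})
        s["dests"].add(f.dst_ip)
        s["ports"].add(f.dst_port)
        if f.time < s["first_seen"]:
            s["first_seen"] = f.time
    return stats


def rank(stats: Dict[str, dict], key: str) -> List[Tuple[str, int]]:
    """Rank sources by the size of one set ('dests' or 'ports'), largest first;
    ties broken by IP string so the output is deterministic."""
    return sorted(((src, len(s[key])) for src, s in stats.items()),
                  key=lambda item: (-item[1], item[0]))


def flag_sources(stats: Dict[str, dict], dest_threshold: int = 17,
                 port_threshold: int = 1024) -> List[Tuple[str, int, int, str, List[str]]]:
    """Return (src, n_dests, n_ports, first_seen, reasons) for every source
    over either threshold. Keeping the two reasons separate lets an analyst
    tell a busy server (many destinations) from a port sweep (many ports)."""
    flagged = []
    for src, s in sorted(stats.items()):
        reasons = []
        if len(s["dests"]) > dest_threshold:
            reasons.append("many-destinations")
        if len(s["ports"]) > port_threshold:
            reasons.append("many-ports")
        if reasons:
            flagged.append((src, len(s["dests"]), len(s["ports"]), s["first_seen"], reasons))
    return flagged


if __name__ == "__main__":
    stats = fanout_stats(build_sample_flows())
    print("Top sources by distinct destinations:", rank(stats, "dests")[:3])
    print("Top sources by distinct ports:", rank(stats, "ports")[:3])
    for row in flag_sources(stats):
        print("FLAG", row)
```

Run on real data, the `rank(stats, "ports")` list is the table of port counts in the thread, and `first_seen` for each flagged source is the starting point for correlating the scan with other events. Because the sets are kept in memory, a week of flows for a large network may need the per-source sets replaced by a per-source count of distinct values computed in a database or with a streaming sketch.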