Open ShawnXiao2007 opened 11 years ago
I counted the number of different destinations each source IP connects to. The file is uploaded above. You may download it and change the extension to xlsx.
There are some source IPs that connect to many destinations. It is interesting to analyze this.
Thanks. This is really an interesting discovery. We should pick all nodes with a connection count larger than 17 to further analyze them. Can you share your code in the GitHub repository, so others can use it and check it?
I just picked the top ones.
172.10.0.6 1020
10.0.0.8 503
10.0.0.13 498
10.0.0.12 496
10.0.0.11 494
10.0.0.7 484
10.0.0.6 481
10.0.0.10 470
10.0.0.9 467
10.0.0.14 465
10.0.0.5 451
10.7.5.5 355
172.10.0.3 277
10.1.0.75 217
172.10.0.4 186
172.20.0.4 148
10.1.0.76 143
10.1.0.77 126
172.20.0.3 117
10.199.250.2 101
10.1.0.100 90
172.30.0.4 40
Do you mean it's the number for one week?
172.10.0.6 is a fake IP, because I didn't find this IP in BigMktNetwork.txt
It's not found in the cross IP table (week 2 data) either
Right. I also did not find it.
Hi Chen and Gaoyao,
I found 172.10.0.6 in the host status data using the Java parser.
172.10.0.2 dc01.bigmkt1.com
172.10.0.3 mail01.bigmkt1.com
172.10.0.4 web01.bigmkt1.com
172.10.0.40 administrator.bigmkt1.com
172.10.0.5 web01a.bigmkt1.com
172.10.0.6 web01b.bigmkt1.com
172.10.0.7 web01c.bigmkt1.com
172.10.0.8 web01d.bigmkt1.com
172.10.0.9 web01b.bigmkt1.com
So one possibility is that my parser is wrong. Gaoyao, could you please recheck it using your Python parser?
Another possibility is that web01b.bigmkt1.com uses two IP addresses.
Hi Mingyi,
Sure. I will check it.
172.10.0.9 web01b.bigmkt1.com
172.10.0.6 web01b.bigmkt1.com
My result is the same as yours.
Great thanks!
From your destination count result, it seems that the port scan hypothesis is not well supported, because all these high-connection IPs are servers'. And it is natural that they have many connections...
But to further prove or disprove this hypothesis, we should answer questions 2.2 and 2.3, especially 2.3. Hi Gaoyao, if it is a piece of cake for you, can you do it? Thanks!
It could be. I will try.
The statistics of port connections are more interesting. Below is a list of IP addresses that connect to the largest number of ports.
There are two IPs on the Internet that send packets to 65536 ports. This is the total number of possible TCP ports, right? So the two are very suspicious.
10.10.11.15 65536
10.9.81.5 65536
172.30.0.4 64183
172.20.0.4 59254
172.20.0.15 57486
172.10.0.6 40971
172.10.0.3 17094
172.10.0.4 9967
10.7.5.5 4418
172.20.0.3 783
10.0.0.13 724
10.0.0.8 705
10.0.0.12 699
10.0.0.11 678
10.0.0.7 675
10.0.0.6 652
10.0.0.14 636
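The two statistics the thread builds (distinct destination hosts per source IP, from the first post, and distinct destination ports per source IP, from the post above) can be computed in one pass over a flow log. The script below is an added example written for this page; it is not code from the hdv2013 repository or from any of the posters' parsers. It assumes a simple three-column CSV (`src_ip,dst_ip,dst_port`) and uses constructed sample rows, not the challenge data files. It keeps the two counts separate because, as the discussion points out, a high destination count is normal for a server while a high distinct-port count against a single host is the pattern worth a closer look.

```python
"""Per-source distinct-destination and distinct-port counts over flow records.

Added example for this thread, not code from the hdv2013 repository.
The CSV layout (src_ip,dst_ip,dst_port) and the sample rows are constructed.
"""
from collections import defaultdict
import csv
import io

# Constructed sample flows (not real challenge data):
#  - 10.9.81.5 talks to one host on 200 distinct ports (port-sweep shape)
#  - 10.0.0.8 talks to 30 hosts but only on ports 80/443 (busy-server shape)
#  - 10.1.0.75 is an ordinary workstation touching two servers
#  - one malformed row exercises the skip-bad-rows path
SAMPLE_FLOWS = "\n".join(
    ["src_ip,dst_ip,dst_port"]
    + [f"10.9.81.5,172.10.0.6,{port}" for port in range(1, 201)]
    + [f"10.0.0.8,10.1.0.{host},80" for host in range(1, 31)]
    + [f"10.0.0.8,10.1.0.{host},443" for host in range(1, 11)]
    + ["10.1.0.75,172.10.0.3,25",
       "10.1.0.75,172.10.0.4,80",
       "10.1.0.75,172.10.0.4,443",
       "10.1.0.100,172.30.0.4,notaport"]
)


def per_source_stats(csv_text):
    """Return {src_ip: (distinct_dst_hosts, distinct_dst_ports)}.

    Sets, not counters, so repeated flows to the same host/port count once.
    Rows whose port does not parse are skipped instead of aborting the run.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            port = int(row["dst_port"])
        except (TypeError, ValueError):
            continue
        if not 0 <= port <= 65535:
            continue
        hosts[row["src_ip"]].add(row["dst_ip"])
        ports[row["src_ip"]].add(port)
    return {src: (len(hosts[src]), len(ports[src])) for src in hosts}


def top_by(stats, index, limit=10):
    """Sources sorted by one statistic, descending (index 0 = hosts, 1 = ports)."""
    return sorted(stats.items(), key=lambda kv: kv[1][index], reverse=True)[:limit]


def flag_sources(stats, host_threshold=17, port_threshold=100):
    """Tag sources by which statistic is unusual.

    host_threshold follows the ">17 destinations" cut mentioned in the thread;
    port_threshold is an assumed value for this example. The reasons are kept
    apart so a server with many clients is not confused with a port sweep.
    """
    flagged = {}
    for src, (n_hosts, n_ports) in stats.items():
        reasons = []
        if n_hosts > host_threshold:
            reasons.append("many_destinations")
        if n_ports >= port_threshold:
            reasons.append("many_ports")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    stats = per_source_stats(SAMPLE_FLOWS)
    print("by distinct destination hosts:")
    for src, (n_hosts, _) in top_by(stats, 0):
        print(f"  {src} {n_hosts}")
    print("by distinct destination ports:")
    for src, (_, n_ports) in top_by(stats, 1):
        print(f"  {src} {n_ports}")
    print("flagged:", flag_sources(stats))
```

On the constructed input the server-like source tops the destination list and the sweep-like source tops the port list, which is the separation the thread relies on when it says the destination counts do not support the port-scan hypothesis but the port counts do. Against the real data the same functions would be pointed at the parsed flow records, with the two thresholds tuned to the distribution seen there.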
Yes! This is very good! We can think on how to further investigate. Any ideas?
I think further investigating their connections to the internal machines should be necessary.
Yes. This is one task.
Other possible tasks are:
Now we know that there are some port scans, we need to know whether they are related to the true story. For example, it is possible that it is just a port scan from some bad kids.
subnet1: is there any port scan?
2.1 which workstation has connected with many (say more than 10) hosts?
2.2 which workstations have sent large payloads?
2.3 how many ports does each server connect to?