[cumbria_lug] Windows Network Noise on the Net.

Ian Linwood ian_linwood_clug at dinwoodie.freeuk.com
Mon Dec 20 18:27:14 GMT 2004


Hello Steve,

Sunday, December 19, 2004, 9:38:51 PM, you wrote:


S> Of the 850 or so direct hits at my external IP address in the last 3 1/2
S> days, 84% seems to be related to MS Windows Netbios and Message Service
S> (Spam) (ports 135,137,139,445,1026,1027).  The other 16% was mostly
S> viruses and general port scans for machines compromised by various 
S> hacking tools.

Yep. This is throttling the Net.
You'll probably find that the Netbios, and DS stuff (135-139 & 445) are
originating from other users using the same ISP. Most providers allow this
kind of crap across their internal routers, but block it on their
border routers.  Some not so good ISPs let everything in/out :-( and
don't give a damn.

S> Most of the addresses for hacks and viruses seem to originate from
S> China, with Russia a close second and noise from the US and Sweden!

How are you checking this? Do NOT rely on reverse DNS to resolve
domain names. The only way to check is to track back the IP to the
relevant ISP.

S> Most of the NetBios stuff seems to be from local machines in the same
S> 'local' net as myself, although one machine was responsible for 50 hits
S> (of 295 on port 135) - I was actually quite shocked after a fit of 
S> madness I put the address in Windows Exploder (as if attaching to a file
S> share) and up pops a login dialog for what would appear to be a 
S> completely unprotected machine on broadband - the mind boggles.

As you have discovered, there are a lot of clueless people out there.
I wonder how viruses spread ;-(

S> I'd be very curious if anyone else has seen any similar patterns, or had
S> done/found anything similar.

Been a problem for years. Just don't add to it and make sure your
outbound filtering is as robust as your inbound. It can be a PITA, but
the less you let out, the less others can tell about your network. I
don't want to throw stones, but are you sure your LAN isn't letting
this kind of stuff out?

S> Anyway, on to the big question...  has anyone come across any tools for
S> analysing Syslog logs to get information and stats out of them. Most of
S> the entries I'm interested are of the form:

S> Dec 19 04:48:01 z.z.z.z router1: src="x.x.x.x:port" dst="y.y.y.y:port"
S> msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"

S> I've got syslog setup to collect all the information from the router in
S> a separate file, so extracting from the main system logs isn't a problem.

Good. The number of people who log straight to /etc/syslog or
/etc/messages is stunning. A DDOS/crash waiting to happen.

S> I'm wanting to extract all the port information, as well as source
S> addresses for automated lookup, so I can see build up a picture of 
S> what's happening outside.  Stats on ports, etc, as well as where all
S> this stuff is coming from.

S> I'm open to thoughts and suggestions.

I'm afraid most ISPs are very poor at acting on abuse reports (there
are some exceptions though). All I can suggest is to be aware of the
threats and take necessary actions to protect your network.

Depending on the throughput of your network link, I would suggest a
Linux (or openbsd) bridging firewall, between your router and your network, this
would allow you to do finer filtering and logging. The other advantage
is to allow you to use FOSS tools to log/analyse the data, both
historically and in real time.

ie.  big BAD world<-->router<-->filtering bridge<-->your lovely safe LAN

I don't know what kind of router you have, or link type, so it is
difficult to advise.  Smaller routers are put under a tremendous load
when asked to do firewall work. So an attack can lead to a DDOS, as
the CPU on the router gets hammered. I let routers route, and employ a
dedicated firewall. I would also set up a http proxy. This offers a little
more protection to users on the LAN and has the benefit of caching
frequently accessed pages. The proxy box could also do DNS caching.

-- 
Best regards,
 Ian
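Steve asks for a tool that pulls ports and source addresses out of router syslog lines of the form he quotes. The script below is an added example written for this thread, not a tool either poster mentions. It assumes every firewall record has exactly the quoted shape (`src="ip:port" dst="ip:port" msg="..." note="..."`), uses constructed sample lines with RFC 5737 documentation addresses, takes the port list (135, 137, 139, 445, 1026, 1027) from the thread, and flags sources in the same /16 as the router's external address as a rough "possibly the same ISP" hint. That prefix check is an assumption standing in for Ian's advice to trace each address back to its ISP; it does not replace a WHOIS/RIR lookup.

```python
"""Summarise router firewall syslog records like the one quoted in the thread.

Added example for this thread, not a tool named in it. Assumes records look like:
  Dec 19 04:48:01 z.z.z.z router1: src="x.x.x.x:port" dst="y.y.y.y:port"
  msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One regex for the whole record. Non-matching lines are counted as skipped
# rather than aborting the run, since a syslog file mixes in other messages.
RECORD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+): '
    r'src="(?P<src_ip>[^":]+):(?P<src_port>\d+)" '
    r'dst="(?P<dst_ip>[^":]+):(?P<dst_port>\d+)" '
    r'msg="(?P<msg>[^"]*)"(?: note="(?P<note>[^"]*)")?'
)
PROTO_RE = re.compile(r'\b(TCP|UDP|ICMP)\b')

# Ports the thread attributes to Windows NetBIOS / RPC / Messenger noise.
WINDOWS_NOISE_PORTS = {135, 137, 139, 445, 1026, 1027}

# Constructed sample log (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
Dec 19 04:48:01 192.0.2.1 router1: src="198.51.100.7:1053" dst="192.0.2.1:135" msg="Firewall default policy: TCP (L to W)" note="ACCESS BLOCK"
Dec 19 04:48:03 192.0.2.1 router1: src="198.51.100.7:1054" dst="192.0.2.1:445" msg="Firewall default policy: TCP (L to W)" note="ACCESS BLOCK"
Dec 19 04:49:10 192.0.2.1 router1: src="203.0.113.9:1030" dst="192.0.2.1:137" msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
Dec 19 04:50:22 192.0.2.1 router1: src="203.0.113.9:1031" dst="192.0.2.1:1026" msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
Dec 19 04:51:00 192.0.2.1 router1: src="198.51.100.7:2200" dst="192.0.2.1:22" msg="Firewall default policy: TCP (L to W)" note="ACCESS BLOCK"
Dec 19 04:51:05 192.0.2.1 router1: this line is not a firewall record
Dec 19 04:52:30 192.0.2.1 router1: src="192.0.5.4:1029" dst="192.0.2.1:139" msg="Firewall default policy: TCP (L to W)" note="ACCESS BLOCK"
"""


def parse_record(line):
    """Return a dict for a firewall record, or None for any other syslog line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    proto = PROTO_RE.search(m.group("msg"))
    return {
        "ts": m.group("ts"),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "dst_ip": m.group("dst_ip"),
        "dst_port": int(m.group("dst_port")),
        "proto": proto.group(1) if proto else "?",
        "note": m.group("note") or "",
    }


def summarise(lines, external_ip, prefix_len=16):
    """Aggregate records into port, protocol and source counts.

    external_ip is the address the router presents to the internet. Sources in
    the same /prefix_len are flagged as "possibly the same ISP"; this is a
    heuristic (an assumption of this example), not a real ISP lookup.
    """
    near = ip_network(f"{external_ip}/{prefix_len}", strict=False)
    stats = {
        "records": 0, "skipped": 0,
        "by_dst_port": Counter(), "by_proto": Counter(), "by_src": Counter(),
        "windows_noise": 0, "same_prefix_srcs": set(),
    }
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            stats["skipped"] += 1
            continue
        stats["records"] += 1
        stats["by_dst_port"][rec["dst_port"]] += 1
        stats["by_proto"][rec["proto"]] += 1
        stats["by_src"][rec["src_ip"]] += 1
        if rec["dst_port"] in WINDOWS_NOISE_PORTS:
            stats["windows_noise"] += 1
        if ip_address(rec["src_ip"]) in near:
            stats["same_prefix_srcs"].add(rec["src_ip"])
    total = stats["records"] or 1
    stats["windows_noise_pct"] = round(100.0 * stats["windows_noise"] / total, 1)
    return stats


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines(), "192.0.2.1")
    print(f"records={s['records']} skipped={s['skipped']} "
          f"windows_noise={s['windows_noise_pct']}%")
    print("top dst ports:", s["by_dst_port"].most_common(5))
    print("top sources:", s["by_src"].most_common(5))
    print("same /16 as router:", sorted(s["same_prefix_srcs"]))
```

To run it on a real file, replace `SAMPLE_LOG.splitlines()` with the lines of the separate router log Steve already collects, and feed `summarise()`'s `by_src` keys into whatever ISP lookup you use; the script deliberately does no network lookups itself, so it can be run on an archived log with no outbound connections.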
