Friday, May 8, 2009

Where are the SIPs from?

The geoiplookup utility is very helpful in assessing the country where the SIPs (Source Internet Protocol addresses) are from. We might be able to say 'hackers' instead of SIPs, if it were ultimately possible to deduce from a SIP the originators of an attack on any given firewall. And that is important to remember: IPs can be spoofed, the country of origin tells you nothing about the operator themselves, criminals and nation-states terrorists can be leased. So withhold judgement based on IP!!

However, if I log a tcpdump to a file, something like this:

/usr/local/sbin/tcpdump -s 0 -i xl0 -n -tt 'port not(ssh or domain or whois or http or https or syslog or ntp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

My dummy/honeypot host receives about 100 or so entries per day from foreign IPs that look like this:

1241804920.098123 IP 85.249.160.55.1225 > 192.168.0.12.38507: UDP, length 20
1241805774.527866 IP 201.67.52.249.59649 > 192.168.0.12.12712: UDP, length 21
1241806316.686063 IP 218.6.12.230.6000 > 192.168.0.12.2967: Flags [S], seq 114163712, win 16384, length 0
1241806357.627835 IP 61.153.26.60.1517 > 192.168.0.12.1434: UDP, length 376
1241807555.257870 IP 91.150.223.226.1519 > 192.168.0.12.38507: UDP, length 63
1241813077.431641 IP 98.247.212.4.1980 > 192.168.0.12.23: Flags [SEW], seq 1693462630, win 5840, options [mss 1460,sackOK,TS val 117815450 ecr 0,nop,wscale 0], length 0
...

The syslog entries that my Netgear FVS318 firewall is forwarding to my OpenBSD dummy/honeypot host contain similar attacks but many more legitimate connection attempts like this:

May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46166]:portforward forwarded , SIP:68.87.69.146: 53, DIP:98.247.182.78: 17337, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46169]:portforward forwarded , SIP:76.96.30.119: 110, DIP:98.247.182.78: 17681,

I can get an excellent approximation of those IPs whose connection attempts cannot simply be counted as part of normal connectivity by subtracting (as in the tcpdump filter above) the entries whose SIP port is mail, whois, dns, http, ntp, etc.:

grep -f file1 syslog | grep -v -f file2 | awk -F":" '{print $5}' | sort | uniq >> out.txt

where file1 is:
Hacker
Blocked

and file2 is:
25,
43,
53,
80,
110,
123,
587,
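
The patterns in file2 match anywhere on the line, so "25," also drops an entry with source port 1225 and "80," drops one whose DIP port is 1780. The following is an added example, not the author's script, comparing the pipeline above with a filter on the exact SIP port field; the log entries are constructed in the format shown above, and the names SERVICE_PORTS, sample_log, substring_filter and exact_filter are made up here.

```shell
#!/bin/sh
# Added example (not the author's script). Log format follows the FVS318
# lines on this page; the entries below are constructed, using
# documentation-range addresses.
SERVICE_PORTS="25 43 53 80 110 123 587"   # same ports as file2

sample_log() {
cat <<'EOF'
May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:198.51.100.7: 80, DIP:203.0.113.78: 19899,
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46166]:portforward forwarded , SIP:198.51.100.9: 1225, DIP:203.0.113.78: 38507,
May  9 09:07:09 192.168.0.1 rferris Blocked Sites Log[46169]:portforward forwarded , SIP:192.0.2.61: 6000, DIP:203.0.113.78: 1780,
May  9 09:07:30 192.168.0.1 rferris Blocked Sites Log[46170]:portforward forwarded , SIP:192.0.2.44: 6000, DIP:203.0.113.78: 2967,
May  9 09:07:41 192.168.0.1 rferris Blocked Sites Log[46171]:portforward forwarded , SIP:192.0.2.44: 6001, DIP:203.0.113.78: 2967,
May  9 09:08:01 192.168.0.1 rferris Blocked Sites Log[46172]:portforward forwarded , SIP:198.51.100.53: 53, DIP:203.0.113.78: 17337,
EOF
}

# The page's pipeline with file1/file2 inlined: substring matches anywhere.
substring_filter() {
    grep -E 'Hacker|Blocked' |
        grep -Ev '(25|43|53|80|110|123|587),' |
        awk -F: '{print $5}' | sort -u
}

# Count hits per SIP, skipping only entries whose source port is exactly
# one of SERVICE_PORTS. The DIP port is never consulted.
exact_filter() {
    awk -v ports="$SERVICE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) skip[p[i]] = 1 }
    /Hacker|Blocked/ && match($0, /SIP:[0-9.]+: *[0-9]+,/) {
        f = substr($0, RSTART + 4, RLENGTH - 5)   # "ip: port"
        split(f, a, /: */)
        if (!(a[2] in skip)) hits[a[1]]++
    }
    END { for (ip in hits) print hits[ip], ip }' | LC_ALL=C sort -k1,1nr -k2,2
}

echo "substring filter:"; sample_log | substring_filter
echo "exact source-port filter:"; sample_log | exact_filter
```

On the constructed sample the substring filter reports only 192.0.2.44, while the exact filter also keeps 192.0.2.61 and 198.51.100.9.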

As the astute reader will point out, this technique completely neglects hacking attacks from legitimate ports! Also, much legitimate traffic comes over port 443 (ssl), which I have excluded here. (Of course, that is what an IDS is for... Much more on that later...) The next step in my investigation is to look up the country of origin for each IP. Batching whois queries is frowned upon. GeoIPLookup fills this need:

for i in `cat out.txt`; do echo $i:`geoiplookup $i`;done;          

10.13.3.61:GeoIP Country Edition: IP Address not found
113.56.251.166:GeoIP Country Edition: CN, China
115.132.83.188:GeoIP Country Edition: MY, Malaysia
116.3.98.197:GeoIP Country Edition: CN, China
116.54.196.108:GeoIP Country Edition: CN, China
117.127.93.18:GeoIP Country Edition: CN, China
118.100.85.190:GeoIP Country Edition: MY, Malaysia
118.22.208.254:GeoIP Country Edition: JP, Japan
....

Hacking is an international activity. It is nice to be silently stalked by so many foreign countries!

for i in `cat out.txt`; do geoiplookup $i >> geoiplookup.txt ;done;
cat geoiplookup.txt | sort | uniq -c | sort -r

  55 GeoIP Country Edition: CN, China
  20 GeoIP Country Edition: US, United States
  10 GeoIP Country Edition: RU, Russian Federation
  10 GeoIP Country Edition: BR, Brazil
   8 GeoIP Country Edition: UA, Ukraine
   5 GeoIP Country Edition: VN, Vietnam
   4 GeoIP Country Edition: MY, Malaysia
   4 GeoIP Country Edition: KR, Korea, Republic of
   4 GeoIP Country Edition: IT, Italy
   3 GeoIP Country Edition: FR, France
   2 GeoIP Country Edition: TR, Turkey
   2 GeoIP Country Edition: JP, Japan
   2 GeoIP Country Edition: GB, United Kingdom
   2 GeoIP Country Edition: DE, Germany
   2 GeoIP Country Edition: CA, Canada
   1 GeoIP Country Edition: ZA, South Africa
   1 GeoIP Country Edition: VE, Venezuela
   1 GeoIP Country Edition: UY, Uruguay
   1 GeoIP Country Edition: TW, Taiwan
   1 GeoIP Country Edition: TH, Thailand
   1 GeoIP Country Edition: SI, Slovenia
   1 GeoIP Country Edition: SE, Sweden
   1 GeoIP Country Edition: QA, Qatar
   1 GeoIP Country Edition: PL, Poland
   1 GeoIP Country Edition: PH, Philippines
   1 GeoIP Country Edition: PA, Panama
   1 GeoIP Country Edition: NZ, New Zealand
   1 GeoIP Country Edition: NO, Norway
   1 GeoIP Country Edition: MX, Mexico
   1 GeoIP Country Edition: MD, Moldova, Republic of
   1 GeoIP Country Edition: JM, Jamaica
   1 GeoIP Country Edition: IP Address not found
   1 GeoIP Country Edition: IN, India
   1 GeoIP Country Edition: HK, Hong Kong
   1 GeoIP Country Edition: FI, Finland
   1 GeoIP Country Edition: EG, Egypt
   1 GeoIP Country Edition: CO, Colombia

What of "IP Address not found"!? (Another question to resolve..) However, let us suppose we are just interested in the U.S. connections. Keep in mind some of these are legitimate ssl (443) connections.

# for i in `cat out.txt`; do echo $i:` geoiplookup $i` | grep "United States";done; 

It is useful to see how much information can be gained without packet inspection. Next up... tracking SIPs to their networks...

