<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Tracing the Origin of Malicious Activity</title>
	<atom:link href="http://blog.emagined.com/2009/03/09/tracing-the-origin-of-malicious-activity/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.emagined.com/2009/03/09/tracing-the-origin-of-malicious-activity/</link>
	<description>Articles by Network Security Consultants</description>
	<lastBuildDate>Tue, 26 Jul 2011 18:15:03 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Stephen Smoogen</title>
		<link>http://blog.emagined.com/2009/03/09/tracing-the-origin-of-malicious-activity/comment-page-1/#comment-83</link>
		<dc:creator>Stephen Smoogen</dc:creator>
		<pubDate>Mon, 09 Mar 2009 21:07:54 +0000</pubDate>
		<guid isPermaLink="false">http://blog.emagined.com/?p=361#comment-83</guid>
		<description>I have to agree. When dealing with emails to a security list we would routinely get &#039;your site is hacking us&#039; emails from people on the Internet using dshield etc to look at their logs. They all had high confidence this was true because they knew SANS was behind dshield (which isn&#039;t exactly true, but in their mind it was.)

The main problem was that the packets could not have come from us because they were usually zones behind physical separation or dead space on our network. Our networks had sensors that captured all outgoing traffic and we could never correlate the reports with actual traffic. [This was usually replied to that our sensors were of course not as good as theirs since they of course saw the traffic.]

Later we did some follow-up because our replies were followed up with emails to our &#039;masters&#039; who wanted a full audit to show what was happening. The problems usually turned up with open BGP or other routers that someone took over and advertised for a subset of our space.. and then used for filesharing, UDP-1025 SPAM popups, etc.

Not to say we weren&#039;t without problems.. just not the ones dshield users were finding :)</description>
		<content:encoded><![CDATA[<p>I have to agree. When dealing with emails to a security list we would routinely get &#8216;your site is hacking us&#8217; emails from people on the Internet using dshield etc to look at their logs. They all had high confidence this was true because they knew SANS was behind dshield (which isn&#8217;t exactly true, but in their mind it was.)</p>
<p>The main problem was that the packets could not have come from us because they were usually zones behind physical separation or dead space on our network. Our networks had sensors that captured all outgoing traffic and we could never correlate the reports with actual traffic. [This was usually replied to that our sensors were of course not as good as theirs since they of course saw the traffic.]</p>
<p>Later we did some follow-up because our replies were followed up with emails to our &#8216;masters&#8217; who wanted a full audit to show what was happening. The problems usually turned up with open BGP or other routers that someone took over and advertised for a subset of our space.. and then used for filesharing, UDP-1025 SPAM popups, etc.</p>
<p>Not to say we weren&#8217;t without problems.. just not the ones dshield users were finding <img src='http://blog.emagined.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
</channel>
</rss>

