The scans


oles@ovh.net
12.06.08, 22:44
Good day,

We are currently working on substantially improving the detection of scans originating from our network and aimed at our network. At the moment we are reworking the first part of this: traffic analysis. We search the logs of our routers for packets that point to scans, attacks or the behaviour of hacked servers. The second part follows right after: detection by probes in our network. We will strengthen the system by increasing the number of probes and the depth of the search for scans and attacks.

At present, with the current system, we register about 200 to 250 scans per day. We expect to detect about 300 to 400 additional scans once the first part is finished, and another 400 to 500 with the second part.

Here is an example of what we detect with the new software that looks at the router logs. From tomorrow, or from Monday, these IPs will be blocked automatically on our routers for 24 hours. If a scan originates from a server hosted at OVH, the server is automatically put into rescue mode (as is done today) and an e-mail is sent to the administrator of the server (as is done today).

Kind regards,

Octave

attack_susp_TCP from: [ 213.58.61.116 ]
attack_susp_TCP from: [ 77.111.133.110 | ip-133-110-userpool.... ]
attack_susp_TCP from: [ 77.111.148.125 | ip-148-125-userpool.... ]
attack_susp_TCP from: [ 77.111.152.214 | ip-152-214-userpool.... ]
attack_susp_TCP from: [ 87.168.104.135 | p57A86887.dip.t-dial... ]
attack_susp_TCP from: [ 87.98.15.70 | 87-98-15-70.tln.norb... ]
attack_susp_TCP from: [ 91.121.99.210 | pptp1.linkideo.com ]
attack_susp_TCP from: [ 91.22.70.125 | p5B16467D.dip.t-dial... ]
attack_susp_TCP from: [ 91.94.74.201 | public-gprs51763.cen... ]
scan_net_TCP from: [ 193.19.165.62 | 193.19.165.62.osk.en... ]
scan_net_TCP from: [ 194.105.102.247 | 194.105.102.247.stat... ]
scan_net_TCP from: [ 194.105.96.128 | 194.105.96.128.stati... ]
scan_net_TCP from: [ 194.44.183.5 | lankeeper.donntu.edu.ua ]
scan_net_TCP from: [ 195.218.214.135 | adsl-pppoe-0643.comc... ]
scan_net_TCP from: [ 195.93.160.5 | ns1.pl.telesvit.com.ua ]
scan_net_TCP from: [ 213.186.39.23 | ns3551.ovh.net ]
scan_net_TCP from: [ 213.58.61.116 ]
scan_net_TCP from: [ 217.6.148.246 | virtual-3.solution-s... ]
scan_net_TCP from: [ 69.80.249.139 | hosted.by.alphared.com ]
scan_net_TCP from: [ 75.135.156.238 | 75-135-156-238.dhcp.... ]
scan_net_TCP from: [ 77.111.133.110 | ip-133-110-userpool.... ]
scan_net_TCP from: [ 77.111.148.125 | ip-148-125-userpool.... ]
scan_net_TCP from: [ 77.111.152.214 | ip-152-214-userpool.... ]
scan_net_TCP from: [ 77.111.154.227 | ip-154-227-userpool.... ]
scan_net_TCP from: [ 77.111.79.19 | 4d6f4f13.adsl.entern... ]
scan_net_TCP from: [ 87.168.104.135 | p57A86887.dip.t-dial... ]
scan_net_TCP from: [ 87.205.218.144 | 87-205-218-144.adsl.... ]
scan_net_TCP from: [ 87.226.100.4 ]
scan_net_TCP from: [ 87.98.15.70 | 87-98-15-70.tln.norb... ]
scan_net_TCP from: [ 89.19.4.74 | 89-19-4-74.cizgibilg... ]
scan_net_TCP from: [ 91.0.235.50 | p5B00EB32.dip.t-dial... ]
scan_net_TCP from: [ 91.0.241.214 | p5B00F1D6.dip.t-dial... ]
scan_net_TCP from: [ 91.11.58.173 | p5B0B3AAD.dip.t-dial... ]
scan_net_TCP from: [ 91.121.149.197 | ks358409.kimsufi.com ]
scan_net_TCP from: [ 91.121.150.125 | ks357982.kimsufi.com ]
scan_net_TCP from: [ 91.121.28.178 | ns25083.ovh.net ]
scan_net_TCP from: [ 91.121.7.211 | tor1.humanistische-u... ]
scan_net_TCP from: [ 91.121.74.162 | ns25715.ovh.net ]
scan_net_TCP from: [ 91.121.91.78 | ns28088.ovh.net ]
scan_net_TCP from: [ 91.121.99.210 | pptp1.linkideo.com ]
scan_net_TCP from: [ 91.1.228.250 | p5B01E4FA.dip.t-dial... ]
scan_net_TCP from: [ 91.12.95.218 | p5B0C5FDA.dip.t-dial... ]
scan_net_TCP from: [ 91.134.6.28 | 91-134-6-28.slivnica... ]
scan_net_TCP from: [ 91.13.74.131 | p5B0D4A83.dip.t-dial... ]
scan_net_TCP from: [ 91.139.170.49 ]
scan_net_TCP from: [ 91.14.77.81 | p5B0E4D51.dip.t-dial... ]
scan_net_TCP from: [ 91.149.121.110 ]
scan_net_TCP from: [ 91.164.101.212 | dyn-91-164-101-212.p... ]
scan_net_TCP from: [ 91.16.57.190 | p5B1039BE.dip.t-dial... ]
scan_net_TCP from: [ 91.17.120.181 | p5B1178B5.dip.t-dial... ]
scan_net_TCP from: [ 91.172.215.129 | dyn-91-172-215-129.p... ]
scan_net_TCP from: [ 91.18.114.138 | p5B12728A.dip.t-dial... ]
scan_net_TCP from: [ 91.18.231.16 | p5B12E710.dip.t-dial... ]
scan_net_TCP from: [ 91.193.86.126 | smrw-91-193-86-126.s... ]
scan_net_TCP from: [ 91.203.17.21 ]
scan_net_TCP from: [ 91.2.186.52 | p5B02BA34.dip.t-dial... ]
scan_net_TCP from: [ 91.22.111.23 | p5B166F17.dip.t-dial... ]
scan_net_TCP from: [ 91.22.70.125 | p5B16467D.dip.t-dial... ]
scan_net_TCP from: [ 91.3.120.192 | p5B0378C0.dip.t-dial... ]
scan_net_TCP from: [ 91.33.70.17 | p5B214611.dip.t-dial... ]
scan_net_TCP from: [ 91.34.201.202 | p5B22C9CA.dip.t-dial... ]
scan_net_TCP from: [ 91.34.230.84 | p5B22E654.dip.t-dial... ]
scan_net_TCP from: [ 91.36.106.27 | p5B246A1B.dip.t-dial... ]
scan_net_TCP from: [ 91.37.109.122 | p5B256D7A.dip.t-dial... ]
scan_net_TCP from: [ 91.37.192.45 | p5B25C02D.dip.t-dial... ]
scan_net_TCP from: [ 91.41.233.53 | p5B29E935.dip.t-dial... ]
scan_net_TCP from: [ 91.42.127.98 | p5B2A7F62.dip.t-dial... ]
scan_net_TCP from: [ 91.42.97.213 | p5B2A61D5.dip.t-dial... ]
scan_net_TCP from: [ 91.45.234.9 | p5B2DEA09.dip.t-dial... ]
scan_net_TCP from: [ 91.46.194.174 | p5B2EC2AE.dip.t-dial... ]
scan_net_TCP from: [ 91.48.234.49 | p5B30EA31.dip.t-dial... ]
scan_net_TCP from: [ 91.50.57.198 | p5B3239C6.dip.t-dial... ]
scan_net_TCP from: [ 91.5.208.232 | p5B05D0E8.dip.t-dial... ]
scan_net_TCP from: [ 91.54.90.176 | p5B365AB0.dip.t-dial... ]
scan_net_TCP from: [ 91.54.98.168 | p5B3662A8.dip.t-dial... ]
scan_net_TCP from: [ 91.57.205.249 | p5B39CDF9.dip.t-dial... ]
scan_net_TCP from: [ 91.66.248.12 ]
scan_net_TCP from: [ 91.6.9.56 | p5B060938.dip.t-dial... ]
scan_net_TCP from: [ 91.8.255.10 | p5B08FF0A.dip.t-dial... ]
scan_net_TCP from: [ 91.89.183.143 | HSI-KBW-091-089-183-... ]
scan_net_TCP from: [ 91.94.74.201 | public-gprs51763.cen... ]
udp_to_80 to: [91.121.47.247|91-121-47-247.ovh.net]
worm_sql_slammer from: [ 166.111.86.244 | tu086244.ip.tsinghua... ]
worm_sql_slammer from: [ 62.168.11.75 ]
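To make the post's two steps concrete, here is an added example that is not OVH's own code: it parses the detection lines quoted above, flags network scans in constructed router flow records (a source that SYNs to many distinct hosts, the scan_net_TCP case), and maps every hit to the response the post describes (24 h block at the routers for outside sources, rescue mode plus mail for OVH-hosted sources). The OVH prefixes, the SYN-count threshold and the flow records are assumptions made for the example; the sample lines are a subset of the ones in the post.

```python
"""Added example, not OVH's code: parse the posted detection lines, detect
net scans in flow records, and decide the response per source IP."""
import ipaddress
import re
from collections import defaultdict

# Assumption for the example: two well-known OVH prefixes stand in for
# "our network"; a real deployment would load the complete address list.
OVH_PREFIXES = [ipaddress.ip_network(p) for p in ("91.121.0.0/16", "213.186.32.0/19")]

# Matches "<kind> from|to: [ <ip> ]" and "<kind> from|to: [ <ip> | <host> ]",
# tolerating the missing spaces seen in the udp_to_80 line of the post.
LINE_RE = re.compile(
    r"^(?P<kind>\w+)\s+(?P<dir>from|to):\s*\[\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s*(?:\|\s*(?P<host>[^\]]*?))?\s*\]$"
)


def parse_line(line):
    """Turn one detection line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host")
    return {"kind": m.group("kind"), "direction": m.group("dir"),
            "ip": m.group("ip"), "host": host.strip() if host else None}


def is_ovh(ip):
    """True if the address falls inside the (assumed) OVH prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OVH_PREFIXES)


def detect_net_scans(flows, min_targets=20):
    """Flag sources that send bare SYNs to many distinct hosts (scan_net_TCP).

    flows: iterable of (src, dst, dport, tcp_flags) tuples as a router flow
    log would give them. The threshold is an assumption for the example."""
    targets = defaultdict(set)
    for src, dst, _dport, flags in flows:
        if flags == "S":  # bare SYN: a connection attempt, answered or not
            targets[src].add(dst)
    hits = [src for src, dsts in targets.items() if len(dsts) >= min_targets]
    return [{"kind": "scan_net_TCP", "direction": "from", "ip": s, "host": None}
            for s in sorted(hits, key=ipaddress.ip_address)]


def decide(event):
    """Response per the post: block outsiders for 24 h, rescue our own servers."""
    if event["direction"] == "to":
        return "target-in-ovh"  # the OVH box is the victim, not the source
    if is_ovh(event["ip"]):
        return "rescue+mail"
    return "block-24h"


def plan(events):
    """Group unique source IPs by the action they get, sorted numerically."""
    groups = defaultdict(set)
    for ev in events:
        groups[decide(ev)].add(ev["ip"])
    return {action: sorted(ips, key=ipaddress.ip_address)
            for action, ips in groups.items()}


# Subset of the detection lines quoted in the post.
SAMPLE_LINES = [
    "attack_susp_TCP from: [ 213.58.61.116 ]",
    "scan_net_TCP from: [ 213.186.39.23 | ns3551.ovh.net ]",
    "scan_net_TCP from: [ 91.121.149.197 | ks358409.kimsufi.com ]",
    "scan_net_TCP from: [ 213.58.61.116 ]",
    "udp_to_80 to: [91.121.47.247|91-121-47-247.ovh.net]",
    "worm_sql_slammer from: [ 166.111.86.244 | tu086244.ip.tsinghua... ]",
]

# Constructed flow records using documentation ranges, not real traffic:
# an outside host sweeping 25 targets on 22/tcp, an OVH box sweeping 30
# targets on 445/tcp, and an ordinary client talking to three hosts.
SAMPLE_FLOWS = (
    [("198.51.100.7", f"203.0.113.{i}", 22, "S") for i in range(1, 26)]
    + [("91.121.99.210", f"203.0.113.{i}", 445, "S") for i in range(50, 80)]
    + [("198.51.100.8", f"203.0.113.{i}", 80, "S") for i in (1, 2, 3)]
)

if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LINES) if e]
    print("from the posted lines:", plan(events))
    print("from flow records:   ", plan(detect_net_scans(SAMPLE_FLOWS)))
```

The same IP can show up under several detection kinds (213.58.61.116 appears as both attack_susp_TCP and scan_net_TCP in the post), so the plan deduplicates by address before deciding; a "to:" line names the target rather than the source and must not end up on the block list.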