Attributing Attacks

Published: 2007-06-01. Last Updated: 2007-06-01 17:44:43 UTC
by Johannes Ullrich (Version: 1)
Our reader Dean sent us a screen shot from Wireshark showing a scan for VNC servers from 213.176.81.229 (mail.tehran.agri-jahad.ir). Indeed, this system appears to be a mail server in Iran:

220 mail.tehran.agri-jahad.ir Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 1 Jun 2007 20:54:41 +0330

With all the news about "Russia attacking Estonia", this nicely illustrates the problem in attributing attacks like this. Is the mail server in Iran compromised (my guess)? Who is launching the scan? Is it a random script kiddie, some bot herder, some government? If it is a government, which one?

The packets look the same and there is no way to tell the motivation. Only once your system is compromised may you be able to figure out why they did it (and I'd rather skip that step). Honeypots can help, but a more sophisticated attacker would likely realize what's going on. On the other hand, a sophisticated attacker may actually use some simple "script kiddie" tools first, in order to hide in the noise of bot probes.

One way to figure out what's going on is to check how many others are being "hit" by this same IP address. DShield is your tool to do just that. See http://www.dshield.org/ipinfo.html?ip=213.176.81.229 and you will find a few thousand other targets got hit by the same IP address. And port 5900 (VNC) appears to be the main attack method used!
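The correlation step described above, as an added example that is not part of the original diary or of DShield's own code: given per-connection reports from several sensors, count how many distinct targets and sensors saw the same source IP and which destination port dominates. The log layout, the sample lines (which use RFC 5737 documentation addresses as targets) and the thresholds are assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed sample of DShield-style sensor submissions, one connection attempt per line.
# Assumed field layout: date time sensor_id src_ip src_port dst_ip dst_port proto
SAMPLE_LOGS = """\
2007-06-01 17:10:02 sensorA 213.176.81.229 4312 192.0.2.15 5900 TCP
2007-06-01 17:10:03 sensorA 213.176.81.229 4313 192.0.2.16 5900 TCP
2007-06-01 17:11:40 sensorB 213.176.81.229 4877 198.51.100.7 5900 TCP
2007-06-01 17:12:05 sensorC 213.176.81.229 4901 203.0.113.44 5900 TCP
2007-06-01 17:12:06 sensorC 213.176.81.229 4902 203.0.113.45 5901 TCP
2007-06-01 17:13:00 sensorB 198.51.100.200 40123 198.51.100.7 22 TCP
2007-06-01 17:13:30 sensorB 198.51.100.200 40124 198.51.100.7 22 TCP
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sensor>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)$"
)

def parse_logs(text):
    """Parse submissions into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def summarize_source(records, src_ip):
    """Distinct sensors, distinct targets and dominant destination port for one source IP."""
    hits = [r for r in records if r["src"] == src_ip]
    ports = Counter(r["dport"] for r in hits)
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    return {
        "total": len(hits),
        "sensors": len({r["sensor"] for r in hits}),
        "targets": len({r["dst"] for r in hits}),
        "top_port": top_port,
        "top_port_share": top_count / len(hits) if hits else 0.0,
    }

def classify(summary, min_targets=3, min_sensors=2):
    """Assumed heuristic: many targets seen by independent sensors means an indiscriminate
    scan; few targets deserve a closer look. Breadth says nothing about who or why."""
    if summary["total"] == 0:
        return "unknown"
    if summary["targets"] >= min_targets and summary["sensors"] >= min_sensors:
        return "broad scan"
    return "narrow"
```

Run against the sample, the mail server's IP is reported by three sensors against five targets, 80% of them on port 5900, while the second source only ever touches one host.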

(NB: rather than Wireshark screen shots, we prefer raw packet captures)