Showing posts with label Log Analysis. Show all posts

Sunday, 15 July 2012

June ADSL Log Analysis

Analysis of the log files from my ADSL router for June: there was a large number of UDP scans, which emanated from China.




The detected events broke down country-wise as follows:


Country        Number of events   Number of unique IPs
China          317                22
Turkey         72                 72
Azerbaijan     2                  2
South Africa   1                  1
Cyprus         1                  1

The top three IP addresses for the origination of the probes were:

48  events - 220.243.27.nnn (eTrunk Network Telecomunication Ltd., Guangzhou, China)
43  events - 222.125.37.nnn (ShenZhen Topway Video Communication Co. Ltd. GuangDong, China)
36  events - 211.141.176.nnn (China Mobile Communications Corporation, Anhui, China)

Monday, 4 June 2012

May ADSL Log Analysis

Analysis of the log files from my ADSL router for May: there was a large peak of UDP scans, which emanated from China.

Daily Frequency of scans

The peak number of events was on the 30th May, when 545 events were logged. Other dates on which an above-average number of events was detected were the 14th and 21st of May, with a slightly elevated rate of events on the 24th May.

The detected events broke down country-wise as follows:

Country    Number of events   Number of unique IPs
China      783                44
Turkey     19                 19
India      1                  1
Pakistan   1                  1

The events on the 24th were TCP probes all on port 23 from IP addresses registered in Turkey.

The events on the 30th were UDP probes on port 58299, the 21st were UDP probes on port 38029, and the 14th were UDP probes on port 58281.

The top three IP addresses for the origination of the probes were:

288 events - 59.66.241.nnn (Zijing Campus 2nd Phase, Tsinghua University)
128 events - 218.109.70.nnn (WASU-BB)
122 events - 113.117.150.nnn (CHINANET Guangdong province network)

Monday, 2 April 2012

Port 12200

As part of my analysis of the attempts on an ADSL router, I have been looking at the source port of the attempts and the majority of scans are coming from port 12200 on the scanning machines.



A quick check of the uses of the port on the internet revealed the following usage:
  • employed as one of the switch ports of a storage area network (SAN) of storage disks covered by U.S. patent 6947939, which has the capacity to facilitate communication between two switch ports in different zoning configurations.
  • utilized by Tenebril's software Ghost Surf, which usually launches by default as a wide-open proxy. It has also been employed by GnucDNA, which is one of the crucial elements in building peer-to-peer (p2p) applications for Gnutella clients or networks.
  • has also been recommended as a replacement for the well-known port 80 and port 8080 when they are blocked by the Internet Service Provider or when they are rejected by the Linksys router.
One common footnote on a number of websites was that port 12200 has been associated with scanners looking for open proxies to take over maliciously, which ties up nicely with the port being used for open proxies. If I can find the necessary spare equipment, I intend to put an ADSL modem in front of a firewall and router and fit an Ethernet tap to capture the packets from the attempts for a more detailed analysis.

Sunday, 1 April 2012

Analysis of logfiles (March)

Last month's analysis of my ADSL router's log files for suspected port scans:

Month      No. of attacks   DOS   Port scans   Unique IPs   Unique countries
Mar 2012   156              129   27           77           5

Country   Attacks
Turkey    73
China     40
UK        29
Germany   13
Russia    1


Breakdown of attempts

27 attempts from a single UK address
27 attempts from a single Chinese address
13 attempts from another Chinese address
13 attempts from a German address
2 attempts from another UK address
2 attempts from a Turkish address
The rest were single attempts from unique IP addresses, mainly Turkish.

Sunday, 11 March 2012

Analysis of Logfiles (Jan & Feb 2012)

After the probes early this month on my ADSL router, I looked back through the Jan and Feb log files for records of probes and analysed the results. The router records DOS and port scan events together with the originating IP address. For this simple analysis I looked at the total number of attacks and whether each was logged as a DOS or a port scan. From the IP addresses I identified the number of unique IPs and then looked up the country in which each IP address was registered.
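The counting described above, together with the per-day and target-port breakdown of the May post and the source-port check of the port 12200 post, is easy to automate. The following is an added example and not the blog author's own tooling: the log line format in SAMPLE_LOG is constructed for the example (consumer routers all differ, so LINE_RE must be adapted to the real syslog output), and PREFIX_COUNTRY is a hypothetical prefix table standing in for the WHOIS lookup that the posts did by hand.

```python
"""Summarise suspected-scan entries from an ADSL router log.

Added example; this is not the blog author's own tooling.  The log line
format below is constructed for the example (consumer routers all differ),
so LINE_RE must be adapted to the real syslog output.  PREFIX_COUNTRY is a
hypothetical prefix table standing in for the WHOIS lookup the posts did
by hand.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines, not taken from the author's router.
SAMPLE_LOG = """\
May 14 02:11:09 [Port Scan] from 59.66.241.17:12200 to port 58281 udp
May 14 02:11:10 [Port Scan] from 59.66.241.17:12200 to port 58281 udp
May 21 13:40:02 [Port Scan] from 218.109.70.3:12200 to port 38029 udp
May 24 09:05:55 [DOS] from 88.250.14.2:41902 to port 23 tcp
May 24 09:06:41 [DOS] from 78.160.2.9:12200 to port 23 tcp
May 30 22:15:30 [Port Scan] from 113.117.150.8:12200 to port 58299 udp
May 30 22:15:31 [Port Scan] from 113.117.150.8:12200 to port 58299 udp
May 30 22:15:33 [Port Scan] from 59.66.241.17:12200 to port 58299 udp
May 30 22:16:01 unrelated router chatter that must not be counted
"""

# Hypothetical allocation table (an assumption); replace with real WHOIS/GeoIP data.
PREFIX_COUNTRY = {
    "59.66.0.0/16": "China",
    "218.109.0.0/16": "China",
    "113.117.0.0/16": "China",
    "88.250.0.0/16": "Turkey",
    "78.160.0.0/16": "Turkey",
}

# Matches only the constructed format above; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) \d\d:\d\d:\d\d "
    r"\[(?P<kind>DOS|Port Scan)\] from (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"to port (?P<dport>\d+) (?P<proto>tcp|udp)$"
)


def parse_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            for key in ("day", "sport", "dport"):
                e[key] = int(e[key])
            events.append(e)
    return events


def country_of(ip, table=PREFIX_COUNTRY):
    """Longest-prefix match of ip against the (hypothetical) allocation table."""
    addr = ip_address(ip)
    best = None
    for prefix, country in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else "Unknown"


def summarise(events):
    """The monthly figures from the posts: total, DOS vs port scan, per-day
    counts, unique IPs, country breakdown, top source ports, target port per day."""
    by_day = Counter(e["day"] for e in events)
    unique_ips = {e["src"] for e in events}
    events_per_country = Counter(country_of(e["src"]) for e in events)
    ips_per_country = Counter(country_of(ip) for ip in unique_ips)
    dport_by_day = {
        day: Counter(e["dport"] for e in events if e["day"] == day).most_common(1)[0][0]
        for day in by_day
    }
    return {
        "total": len(events),
        "by_kind": dict(Counter(e["kind"] for e in events)),
        "by_day": dict(sorted(by_day.items())),
        "peak_day": max(by_day, key=by_day.get) if by_day else None,
        "unique_ips": len(unique_ips),
        # (events, unique IPs) per country, the two columns of the posts' tables
        "by_country": {c: (n, ips_per_country[c]) for c, n in events_per_country.items()},
        "top_source_ports": Counter(e["sport"] for e in events).most_common(3),
        "dport_by_day": dport_by_day,
    }


if __name__ == "__main__":
    report = summarise(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding a month of real router lines through `parse_log` and `summarise` gives the same five columns as the tables below plus the per-day target port, which is how the May post spotted that each spike was a single UDP port; the source-port counter is the check that surfaced port 12200.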
 
Month      No. of attacks   DOS   Port scans   Unique IPs   Unique countries
Feb 2012   76               74    2            60           9
Jan 2012   96               94    2            86           6

Feb 2012

Country        Attacks
Turkey         52
Ukraine        2
France         1
China          1
Egypt          1
South Africa   1
UK             1
Netherlands    1

Jan 2012

Country        Attacks
Turkey         79
South Africa   3
Hong Kong      1
Switzerland    1
USA            1
Thailand       1

This exercise will be repeated every month, with the details being added to the tables. I will also create a page with the results on the blog.