
Same firewall data, by hour and destination port

Uploaded by on Jan 23, 2010

Here's another view of the firewall log data... showing the bulk of the activity is portless (ICMP, etc.), next highest is port 137; lots of activity on port 53, but all the time...
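One way to produce the same cut of firewall data that the video charts (packets by hour of day and destination port, with ICMP counted as portless), as an added example that is not the uploader's code: the log lines below are constructed in a simplified iptables/syslog style, and the field names are assumed.

```python
from collections import Counter

# Constructed sample lines (not the uploader's real data): syslog timestamp,
# then iptables-style KEY=VALUE fields. ICMP lines carry no DPT.
SAMPLE_LOG = """\
Jan 23 01:02:11 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8
Jan 23 01:02:12 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8
Jan 23 01:15:40 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=137
Jan 23 01:31:02 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53222 DPT=53
Jan 23 02:05:09 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53223 DPT=53
Jan 23 02:05:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8
Jan 23 02:44:59 fw kernel: IN=eth0 SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=445
"""


def parse_line(line):
    """Return (hour, dst_port) for one log line, or None if it is not a
    firewall record. Protocols without a DPT field (ICMP) are 'portless'."""
    parts = line.split()
    if len(parts) < 3:
        return None
    hour = int(parts[2].split(":")[0])  # syslog time is HH:MM:SS
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    if "PROTO" not in fields:
        return None
    dpt = fields.get("DPT")
    return hour, (int(dpt) if dpt else "portless")


def counts_by_hour_and_port(log_text):
    """Packet count per (hour, destination port): the chart's two axes."""
    counter = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            counter[parsed] += 1
    return counter


def top_ports(counter):
    """Totals per destination port across all hours, busiest first."""
    totals = Counter()
    for (_, port), n in counter.items():
        totals[port] += n
    return totals.most_common()


def hourly_profile(counter, port):
    """Hour -> count for one port. A port hit 'all the time' (like 53 here)
    shows a flat profile; a scan or flood clusters into a few hours."""
    profile = {h: n for (h, p), n in counter.items() if p == port}
    return dict(sorted(profile.items()))


if __name__ == "__main__":
    c = counts_by_hour_and_port(SAMPLE_LOG)
    print(top_ports(c))            # portless first, then 53, 137, 445
    print(hourly_profile(c, 53))   # {1: 1, 2: 1}
```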

All Comments (7)

  • @lockhoodlum hey thanks for the info! Yes, most people don't egress filter DNS out of their network. Unless you mean as a listening service rather than a reverse shell?

  • @trepidity23

    Second. Are the IPs that are hitting each port in sequence varying, in other words is it the same IP, or different ones? If it is the same, that firewall may need some security beefing; it should recognize repeated requests like that, then temp ban or block that IP. If it is varying, the person knows what they are doing better. That would help determine how good they are too. Either way this person is feeling out your network for a way in, not good.

  • @ethosflux

    Def. Arkowitz, are they using the standard ports for most common protocols like DNS, NetBIOS, etc.? Double check that before you assume; if they were doing things correctly they should be switching things up. But the single packet on the higher port numbers was scanning for that (unusual port usage), just simple pings for responses. Then when they are getting a response signaling there is a daemon listening on that port, they are attempting to authenticate or learn more on how to.

  • DNS tunneling is especially popular in the Chinese territory, in order to bypass the locally applied censorship & government monitoring... actually, every way to disguise & bypass is very popular in China :)

  • I've seen plenty of backdoors tunneling traffic via DNS. It's an old, and not so sophisticated, method of bypassing IPS/IDS systems, or proxied/firewalled networks, as UDP 53 remains open in more than 98% of all times. If you want a small demo of how to tunnel traffic over 53, query on dns2tcp. There's also a way to tunnel traffic using ICMP...

  • @Sarnuial that seems like a good call; it does seem like a DDoS attack considering they all seem to be coordinated and start at the same time. For the record, 53 is DNS, 137 is NetBIOS. Looks like someone port scanned this network and then tried to DoS it. Unsophisticated attack methodology, but they had access to a botnet and that makes someone dangerous regardless.

  • Port 53 is usually DNS.

    Looks to me like an attempted ping flood. That would explain the non-port-based ICMP packets, and, as someone else commented on the other video, the countries that the traffic seems to be coming from have high Windows piracy rates, which would imply botnets, making this a DDoS.

    Still, I know fairly little about all this and could be miles off. I'll be interested to see what the final consensus is!
