Tuesday, April 23, 2013

Firewall analysis

Another day, another anomaly to investigate.  Ah, networking.

Today we have a screenshot from our Palo Alto Networks firewall device.  This is what keeps you from running BitTorrent on campus.  This is also what protects you from a good chunk of malware out there.  And you might be surprised how much malware is out there.


You should click on that to blow it up.  What we have is a search for the number of sessions going to an external IP address in the last 24 hours.  Normally, that's not a huge deal.  DNS requests are amongst our biggest category of sessions, for example, and much larger than the numbers in this screenshot.  What's interesting is that lots of sessions are being opened by just a few computers, and they are all connecting to a single server.
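The search in the screenshot is an aggregation: sessions per destination over the last 24 hours, together with how many distinct internal hosts opened them. The following is an added example (not the firewall's own export format or the author's code) that reproduces that view over a constructed, simplified session log, assumed to look like `<time> src=<ip> dst=<ip> app=<name>`, and flags exactly the shape that stood out here: a large session count to one server from only a few sources, which ordinary DNS traffic (many sessions, many sources) does not match.

```python
"""Aggregate firewall session records per destination and flag the pattern
from the screenshot: many sessions to one external server from only a few
internal hosts. Added example with a constructed, simplified log format
(assumed "<time> src=<ip> dst=<ip> app=<name>"), not Palo Alto's real export."""
from collections import defaultdict


def build_sample_log():
    """Constructed sample: background DNS plus the anomaly described in the post."""
    lines = []
    # Normal: 25 hosts each make 4 DNS sessions to the campus resolver (100 sessions).
    for host in range(1, 26):
        for hour in range(4):
            lines.append(f"2013-04-23T{hour:02d}:00:00 src=10.20.2.{host} dst=10.20.0.53 app=dns")
    # Anomaly: 3 hosts each open 20 sessions to one external server (60 sessions).
    # 198.51.100.7 is a documentation-range address standing in for the real one.
    for host in ("10.20.1.15", "10.20.1.42", "10.20.1.77"):
        for n in range(20):
            lines.append(f"2013-04-23T{n:02d}:15:00 src={host} dst=198.51.100.7 app=unknown-tcp")
    return "\n".join(lines)


def parse_sessions(text):
    """Return (src, dst, app) tuples; lines without src/dst are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "src" in fields and "dst" in fields:
            sessions.append((fields["src"], fields["dst"], fields.get("app", "")))
    return sessions


def sessions_by_destination(sessions):
    """Per destination: session count, distinct sources, and app labels seen."""
    per_dst = defaultdict(lambda: {"count": 0, "sources": set(), "apps": set()})
    for src, dst, app in sessions:
        info = per_dst[dst]
        info["count"] += 1
        info["sources"].add(src)
        info["apps"].add(app)
    return per_dst


def suspicious_destinations(per_dst, min_sessions=20, max_sources=3):
    """Destinations with at least min_sessions but no more than max_sources
    distinct sources. DNS-style traffic (many sessions, many sources) passes
    through; a handful of hosts hammering one server does not."""
    flagged = []
    for dst, info in per_dst.items():
        if info["count"] >= min_sessions and len(info["sources"]) <= max_sources:
            flagged.append((dst, info["count"], sorted(info["sources"]), sorted(info["apps"])))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    per_dst = sessions_by_destination(parse_sessions(build_sample_log()))
    for dst, count, sources, apps in suspicious_destinations(per_dst):
        print(f"{dst}: {count} sessions from {len(sources)} hosts {sources}, apps={apps}")
```

The thresholds are the tunable part: `min_sessions` sets how busy a destination must be before it is worth a look, and `max_sources` separates "campus talks to this server" from "three machines talk to this server". The app label is carried along because unidentified traffic to a high-count destination is a second signal on top of the source count.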



Running a WHOIS at the terminal, we can see that it's owned by the defunct corpse of PSINet, an early internet privatization pioneer.  13 years ago, PSINet was a known spam host.  Today, it's a known crawler/scanner.  It's worth noting that a scanner crawling us is not what we're seeing here.  Here, we have multiple hosts on our side reaching out, with unidentifiable traffic signatures, to a known crawler/scanner.

Huh.  What does that sound like to you?  It sounds to me like a botnet reaching out to spam relays and/or command and control servers.  Gotcha!!!

The next step is to identify who is associated with each machine.  This is actually rather difficult at the moment, though we're hoping to fix that next year with new processes, documentation, and the Meraki gear in hand.  For now, though, we can look up DHCP requests.

The top connector's DHCP requests.  We can tell from the consistent pattern of requests every 4 hours that this machine is practically used as a server.  We can tell from his MAC address that he has a computer made by Belkin.  Wait.  The hostname is Belkin Router.
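The two things read off the DHCP log above, a fixed renewal rhythm and the vendor behind the MAC prefix, can both be computed rather than eyeballed. The following is an added example, not the author's tooling: it parses constructed dhcpd-style `DHCPREQUEST` lines (the line format, the hostnames, the addresses and the OUI table are all assumptions for this example; check any real prefix against the IEEE OUI registry), groups requests per client, tests whether the gaps between requests sit near a given period, and maps the first three octets to a vendor.

```python
"""Correlate DHCP requests per client, test for a fixed request period and
map the MAC prefix (OUI) to a vendor. Added example; the log lines, the log
format and the OUI table are constructed for this post, not real dhcpd output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one client renews like clockwork every ~4 hours, another
# (a laptop that comes and goes) requests at irregular times.
SAMPLE_DHCP_LOG = """\
2013-04-23 00:02:11 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-23 04:02:10 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-23 08:03:12 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-23 08:15:40 dhcpd: DHCPREQUEST for 10.20.1.80 from 00:1e:c2:11:22:33 (jsmith-laptop) via eth0
2013-04-23 08:40:05 dhcpd: DHCPREQUEST for 10.20.1.80 from 00:1e:c2:11:22:33 (jsmith-laptop) via eth0
2013-04-23 12:02:09 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-23 13:10:51 dhcpd: DHCPREQUEST for 10.20.1.80 from 00:1e:c2:11:22:33 (jsmith-laptop) via eth0
2013-04-23 16:02:11 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-23 20:02:10 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
2013-04-24 00:02:12 dhcpd: DHCPREQUEST for 10.20.1.15 from 94:10:3e:aa:bb:cc (Belkin Router) via eth0
"""

# Assumed OUI-to-vendor table for the example; a real lookup uses the IEEE registry.
OUI_VENDORS = {"94:10:3e": "Belkin"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dhcpd: DHCPREQUEST for (?P<ip>\S+) "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via"
)


@dataclass
class DhcpRequest:
    when: datetime
    ip: str
    mac: str
    hostname: str


def parse_dhcp_log(text):
    """Return DHCPREQUEST events; other dhcpd messages (DHCPACK, ...) are ignored."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        requests.append(DhcpRequest(
            when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            ip=m["ip"], mac=m["mac"].lower(), hostname=m["host"] or ""))
    return requests


def group_by_mac(requests):
    """Requests per client MAC, each list in time order."""
    by_mac = defaultdict(list)
    for r in requests:
        by_mac[r.mac].append(r)
    for reqs in by_mac.values():
        reqs.sort(key=lambda r: r.when)
    return by_mac


def request_intervals(requests):
    """Hours between consecutive requests from one client."""
    return [(b.when - a.when).total_seconds() / 3600
            for a, b in zip(requests, requests[1:])]


def is_periodic(intervals, period_hours, tolerance_hours=0.25):
    """True when there are at least two gaps and every gap sits within
    tolerance of the expected period (an always-on box renewing its lease)."""
    return len(intervals) >= 2 and all(
        abs(gap - period_hours) <= tolerance_hours for gap in intervals)


def oui_vendor(mac, table=OUI_VENDORS):
    """Vendor for the first three octets of a MAC, or 'unknown'."""
    return table.get(mac.lower()[:8], "unknown")


def profile_clients(text, period_hours=4.0):
    """One summary row per client: hostname, vendor, request count, periodicity."""
    profiles = {}
    for mac, reqs in group_by_mac(parse_dhcp_log(text)).items():
        profiles[mac] = {
            "hostname": reqs[-1].hostname,
            "vendor": oui_vendor(mac),
            "requests": len(reqs),
            "periodic": is_periodic(request_intervals(reqs), period_hours),
        }
    return profiles


if __name__ == "__main__":
    for mac, p in profile_clients(SAMPLE_DHCP_LOG).items():
        print(mac, p)
```

The periodicity test is deliberately strict (every gap, not the average) so that a laptop with one 4-hour gap between two bursts of activity is not mistaken for a device that never sleeps. In the sample, the Belkin client comes out periodic with a recognised vendor, which is the dead end the post describes: a router, not the endpoint behind it.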

The trail goes dead.  Technically, we could figure out what port that's associated with on our switch, track down the room number, find out who lives there (or at least contact info) from Residential Life, and reach out to have a discussion about who's using their WiFi and maybe how to secure it.  Or we can admit that there are far more pressing things to do with our time, unless it turns out to be a faculty machine (the University owns faculty laptops, so it's easier to tell the user it needs to be cleaned).

Or we can start blocking that IP in both directions on the firewall.  Thoughts?
