...are ISPs doing some filtering in the background that they're not making users aware of?
A few years ago when I first started working with Snort whenever I'd deploy a box, it would be no time that I'd be seeing all kinds of attacks from all over the world. Within minutes you'd see some of the nastiest stuff possible come across.
I haven't had a Snort box running for quite some time because of some changes to the infrastructure here, but recently built a new remote sensor out of an Alix2d3 with FreeBSD installed on it. My goal was to get a working remote sensor that could run Snort and Ntop and report back to a central server for data collection. I'll be deploying up to 8 of these throughout our WAN.
So my first one goes in yesterday after spending the weekend testing it on the local LAN to make sure it is actually detecting attacks. It appears to be, so I take it out in the wild to see what it can do. The Alix2d3 has 3 LAN ports, so the way it's configured is two of the ports are configured as a Transparent Bridge with no IP bound to the bridge. The third LAN is connected to the private side of the router to send its information back to the collector.
It's now been running for 24 straight hours, with nothing between it and the wilds of what used to be the internet. In those 24 hours, it has detected exactly 17 attacks, 15 of which were generated by myself and another person on purpose. The other 2 came from an unknown source.
So, here's the question. Has the level of broad attacks and scans across the internet decreased, or are ISPs doing some filtering at a higher level? My plan is to move this device to another location that's on a different ISP and see if more attacks are detected. Unfortunately, I only have accounts on two of the ISPs in the area, but it would be interesting to see what kind of attacks would come from the other big player in this area.
What do you guys think is going on?
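One way to answer "is the sensor quiet because nothing is arriving, or because it is not seeing the wire?" is to split the sensor's alerts into the ones you triggered yourself and the ones from sources you did not expect, exactly the 15-versus-2 split the post describes. The script below is an added example, not code from the original post or from the Snort project: it parses Snort's default `alert_fast` output format, tallies alerts by source and signature, and separates a list of known test hosts from everything else. The alert lines, IP addresses (RFC 5737 documentation ranges) and local-range signature IDs in it are constructed sample data.

```python
"""Summarise Snort alert_fast lines from a remote sensor (constructed example).

Splits alerts into those from hosts you deliberately used for testing and
those from unknown sources, so a near-silent sensor can be sanity-checked:
if even your own test traffic is missing, the bridge is not feeding the
sniffing interface; if only outside traffic is missing, the path upstream
is quieter (or more filtered) than expected.
"""
import re
from collections import Counter

# Snort alert_fast line layout (IPv4 only here; ICMP alerts carry no ports):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] \
#   [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: 192.0.2.x are the hosts "we" attacked from on
# purpose, 198.51.100.x are unexplained outside sources, and one junk line
# shows that non-alert text is skipped rather than crashing the summary.
SAMPLE_ALERTS = [
    "05/12-14:03:22.123456  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:51234 -> 203.0.113.5:22",
    "05/12-14:03:23.654321  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.11:51240 -> 203.0.113.5:22",
    "05/12-16:40:01.000001  [**] [1:1000002:1] LOCAL ICMP PING sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} "
    "198.51.100.7 -> 203.0.113.5",
    "05/12-21:12:45.777777  [**] [1:1000003:2] LOCAL SIP scanner [**] "
    "[Priority: 2] {UDP} 198.51.100.42:5060 -> 203.0.113.5:5060",
    "this line is not an alert and should be skipped",
]

# Hosts used for deliberate test traffic during the LAN shakedown (assumed).
TEST_HOSTS = {"192.0.2.10", "192.0.2.11"}


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines, test_hosts):
    """Tally alerts, separating sources you triggered yourself from the rest."""
    test_hosts = set(test_hosts)
    out = {
        "total": 0,            # well-formed alerts seen
        "skipped": 0,          # lines that were not alert_fast records
        "from_test_hosts": 0,  # alerts whose source is one of our test hosts
        "unknown": 0,          # alerts from anybody else
        "by_source": Counter(),
        "by_signature": Counter(),
    }
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            out["skipped"] += 1
            continue
        out["total"] += 1
        out["by_source"][alert["src"]] += 1
        out["by_signature"][(alert["gid"], alert["sid"], alert["msg"])] += 1
        if alert["src"] in test_hosts:
            out["from_test_hosts"] += 1
        else:
            out["unknown"] += 1
    return out


def load_alerts(path):
    """Read an alert_fast file written by the sensor; each alert is one line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_alerts("/var/log/snort/alert")
    # on a real sensor.
    report = summarise(SAMPLE_ALERTS, TEST_HOSTS)
    print(f"alerts: {report['total']}  (skipped {report['skipped']} non-alert lines)")
    print(f"  from our test hosts: {report['from_test_hosts']}")
    print(f"  from unknown sources: {report['unknown']}")
    for src, n in report["by_source"].most_common():
        tag = "test" if src in TEST_HOSTS else "unknown"
        print(f"  {src:<16} {n:>4}  [{tag}]")
```

If the "from test hosts" count is zero while you know you sent test traffic through the bridge, the problem is the sensor (bridge member interfaces not in promiscuous mode, Snort bound to the wrong interface), not the internet going quiet; a `tcpdump -i` on the bridge members confirms whether packets are reaching the box at all before you draw conclusions about upstream filtering.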