Darknet can't lie - most of the attacks, scans and other interesting things indeed come from behind the Great Firewall of China

Category: Linux. Tags: awk, weekly.


Working for an ISP entitles me to various perks, one of them being an unlimited connection to the Internet with a wealth of not-yet-allocated IP addresses. So, to put it to some use, I set up a little Darknet (details of what that means can be found here: Darknet Project) and gather some statistics.

[Figure: Most malware comes from China]

First, the volume of unsolicited and malicious traffic is staggering. Mostly it is traffic to Windows file sharing (port 445), then brute force (port 22), then strange ports used by new malware in the wild. Second, the interesting information pretty much stops here: since nothing listens on my side of the Darknet, I don't get any more insight. Because of this I am working on the next stage of the Darknet, a HoneyNet. Once it is done, I'll post the findings here. To give you a glimpse of the IPs and ports involved in the probes, here is the non-sanitized sorted list of the alien IPs, destination ports, protocols and number of packets seen. These are one day's worth of statistics.

[Image: Bad guys and gals IPs]
To get this list from the tcpdump capture I used this one-liner (the awk pattern anchors on a dotted IPv4 source address in the third column; an unescaped dot would match any character):

    [root@darkstar]# tshark -n -r honey_bunny.cap42 | awk '$3 ~ /^[0-9]+\./ {print $3,$6,$9}' | sort -n -k1,1 | uniq -c > Darknet_probing_IPs.txt
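The same aggregation done in a small script, as an added example that is not part of the original post. It parses tshark's one-line-per-packet summary output into (source IP, protocol, destination port) counts, like the awk | sort | uniq -c pipeline above, but it copes with the two summary layouts tshark has used (the older "src -> dst PROTO sport > dport" form the one-liner assumes, and the newer form with a frame-length column and "→" arrows, which shifts the awk field numbers). The sample output lines, the IP addresses in them and the helper names (count_probes, report_lines, port_totals) are constructed for this example; only IPv4 sources with a visible port are counted, so ICMP, ARP and IPv6 lines are skipped the way the awk filter intends.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of tshark summary output (not a real capture). Lines 1-3
# and 5 use the older layout without a frame-length column; line 4 uses the
# newer layout ("→" arrows, length column before the ports); line 6 is an
# IPv6 packet with no port and must be ignored by the parser.
SAMPLE_TSHARK_OUTPUT = """\
  1 0.000000 203.0.113.7 -> 198.51.100.23 TCP 51422 > 445 [SYN] Seq=0 Win=8192 Len=0
  2 0.010214 203.0.113.7 -> 198.51.100.24 TCP 51423 > 445 [SYN] Seq=0 Win=8192 Len=0
  3 0.250000 192.0.2.99 -> 198.51.100.23 TCP 43210 > 22 [SYN] Seq=0 Win=65535 Len=0
  4 0.300000 192.0.2.99 → 198.51.100.23 TCP 74 43211 → 22 [SYN] Seq=0 Win=65535 Len=0
  5 0.420000 203.0.113.7 -> 198.51.100.25 UDP 1024 > 1434 Len=376
  6 0.500000 2001:db8::1 -> 2001:db8::2 ICMPv6 Neighbor Solicitation
"""

# One regex for both layouts: the frame-length column is optional, and either
# arrow style is accepted. The source must be a dotted IPv4 address, which is
# what the one-liner's awk pattern is meant to select.
LINE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+"                         # frame number, relative time
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"      # IPv4 source address
    r"(?:->|→)\s+"
    r"(?P<dst>\S+)\s+"                          # destination (unused here)
    r"(?P<proto>[A-Za-z0-9]+)\s+"               # protocol column
    r"(?:\d+\s+)?"                              # optional frame length (newer tshark)
    r"(?P<sport>\d+)\s+(?:>|→)\s+(?P<dport>\d+)\b"
)


def count_probes(text):
    """Count packets per (source IP, protocol, destination port).

    Lines that do not fit the expected summary layout (no IPv4 source, no
    port pair, e.g. ICMP or ARP) are skipped rather than miscounted.
    """
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[(m["src"], m["proto"], int(m["dport"]))] += 1
    return counts


def report_lines(counts):
    """Rows in the 'uniq -c' style, ordered by source address then port.

    Sorting on ipaddress objects gives a true numeric order, which
    'sort -n' on a dotted string only approximates.
    """
    rows = sorted(
        counts.items(),
        key=lambda kv: (ipaddress.ip_address(kv[0][0]), kv[0][2]),
    )
    return [f"{n:7d} {src} {proto} {port}" for (src, proto, port), n in rows]


def port_totals(counts):
    """Packets per (protocol, destination port), busiest first.

    This is the 'what are they after' view: 445, 22 and whatever new port
    the malware of the week is probing float to the top.
    """
    totals = Counter()
    for (_, proto, port), n in counts.items():
        totals[(proto, port)] += n
    return totals.most_common()


if __name__ == "__main__":
    probes = count_probes(SAMPLE_TSHARK_OUTPUT)
    print("\n".join(report_lines(probes)))
    print()
    for (proto, port), n in port_totals(probes):
        print(f"{proto}/{port}: {n} packets")
```

To run it against a real capture, feed the script the output of `tshark -n -r honey_bunny.cap42` instead of the constructed sample; the regex skips anything it cannot parse, so a surprising format change shows up as missing rows rather than garbage counts, which is worth checking by comparing the total against the packet count tshark reports.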