June 22, 2005

DShield - A community approach to intrusion detection

Author: Paul Virijevich

Analyzing firewall logs is key to understanding the threats your servers face. Knowing what the bad guys are looking for is the first step in assessing how vulnerable your servers are. Both open source and commercial firewalls make log information available to the firewall administrator. But taking risk assessment a step further, what if there were a way to apply the principles that make open source software successful to firewall log analysis? A way to help yourself and others at the same time? The DShield project seeks to do just that.

DShield bills itself as a distributed intrusion detection system. It works by collecting statistics from firewalls all over the world. Just how many reports does DShield receive? Currently its Web site lists about 24 million records each day, with more than 840 million recorded last month.

DShield can collect this enormous amount of data because of the number of clients and third-party add-ons that work with it. I counted clients for more than 60 hardware and software firewalls -- everything from Linux-based iptables firewalls to Windows XP Internet Connection Firewall. The information they collect provides global insight into the who, what, and where of suspicious network activity.

Who, what, and where

If you want to know who is causing trouble on the Internet, check out DShield's Top 10 Most Wanted report. It provides statistics on the top 10 worldwide attackers, including their IP address, host name, number of entries implicating the attacker, and number of hosts attacked. DShield also provides contact information to alert their ISP to the problem. You can also choose to "fight back" by allowing DShield to forward your log files to your attacker's ISP.

The "Are you cracked?" section highlights another benefit of DShield. With it, you can check to make sure that you are not in the database of known attackers. If your IP address comes up, you've got a problem on your hands, but at least you will know what your machine has been up to. DShield will report what ports you have been attacking.

DShield also maintains a blocklist of the most egregious offending networks. A Perl script to retrieve the list and an iptables script for Linux users to implement it are provided. However, implementing a blocklist like this is probably not a good idea, since blocking a network cuts off all Internet connectivity with it. A better approach is to simply note which ISPs have the most trouble with their users.

So just what are the bad guys up to? With DShield, you can see the Top 10 most targeted ports over the last 30 days. From the Top 10 page, clicking on any of the ports brings up a number of details about the port and the attacks against it. You can see a graph showing when the attacks over the past 30 days occurred, an explanation of what the port is used for, a list of known vulnerabilities for the port, and a daily breakdown of the number of attacks and attackers for the port. If your servers offer services that use these ports, it's a good idea to make sure that their firewalls and software are up-to-date.
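The two reports described above, the most-wanted sources (with the number of hosts each one attacked) and the most-targeted ports, are aggregations over exactly the kind of firewall log lines a DShield client submits. The following script is an added example, not code from DShield or from this article: it parses the `KEY=VALUE` fields that the Linux iptables `LOG` target writes to syslog and produces both summaries for your own logs. The log lines are constructed for the example (documentation-range addresses, not real traffic), and the `mask_target` helper is a generic illustration of hiding your own addresses before sharing logs with a third party, not a description of any particular client's behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample iptables LOG lines (not real traffic). Each line is one
# dropped inbound packet in the format the kernel's LOG target emits via syslog.
SAMPLE_LOG = """\
Jun 22 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=4410 DPT=445 WINDOW=16384 SYN
Jun 22 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=48 PROTO=TCP SPT=4411 DPT=445 WINDOW=16384 SYN
Jun 22 10:02:13 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3322 DPT=135 WINDOW=65535 SYN
Jun 22 10:03:40 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3323 DPT=445 WINDOW=65535 SYN
Jun 22 10:04:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 LEN=40 PROTO=UDP SPT=1026 DPT=1026 LEN=20
Jun 22 10:05:17 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=48 PROTO=TCP SPT=4412 DPT=139 WINDOW=16384 SYN
Jun 22 10:06:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# Matches the KEY=VALUE tokens of an iptables LOG line; VALUE may be empty (OUT=).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict, or None
    if the line is not a firewall log entry with source and destination."""
    if "kernel:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # UDP lines carry LEN twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def mask_target(addr):
    """Hide which of your networks was hit by replacing the first octet with 10.
    Illustrative only: do this before sharing logs outside your organisation
    if you do not want your address space disclosed."""
    first, rest = addr.split(".", 1)
    return "10." + rest


def summarize(log_text, top_n=10):
    """Aggregate dropped packets into the two DShield-style reports:
    top targeted (protocol, port) pairs, and top sources with the number
    of distinct hosts each source touched."""
    port_hits = Counter()               # (proto, dport) -> packet count
    source_hits = Counter()             # src -> packet count
    source_targets = defaultdict(set)   # src -> distinct DST addresses
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        src, dst, proto = f["SRC"], f["DST"], f.get("PROTO", "?")
        source_hits[src] += 1
        source_targets[src].add(dst)
        if "DPT" in f:                  # ICMP has no destination port
            port_hits[(proto, int(f["DPT"]))] += 1
    top_ports = port_hits.most_common(top_n)
    top_sources = [(src, n, len(source_targets[src]))
                   for src, n in source_hits.most_common(top_n)]
    return top_ports, top_sources


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    print("Top targeted ports (proto, port, packets):")
    for (proto, port), n in ports:
        print(f"  {proto:5} {port:5} {n}")
    print("Top sources (source, packets, distinct hosts attacked):")
    for src, n, hosts in sources:
        print(f"  {src:16} {n:3} {hosts}")
```

Run it against your own syslog (`python3 fwsummary.py < /var/log/messages`, after changing the `__main__` block to read `sys.stdin`) and the port table tells you which of your exposed services are drawing the most attention, which is the same question the Top 10 ports page answers globally. The "distinct hosts attacked" column is what separates a single misconfigured peer from a host sweeping your whole range.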

DShield also gives an overview of where the attacks are coming from on a per-continent basis. A map on the main page shows a pie chart over every continent that lists the six most frequently targeted ports for that continent. Each pie shows the percentage of attacks per port. This information helps make it clear just how global network attacks are. Without DShield, I never would have known the majority of attacks targeting ICQ come from Asia. If just looking at a static map is not exciting enough for you, there is also "DShield, the Movie," which plays an animation showing the pie charts in action over the last four days.

I was surprised to find a couple of features on the DShield site not working. The Web interface for submitting firewall logs brings up an empty page with no forms or instructions on how to submit your logs. Clicking on the pie charts for a continent should allow you to view detailed specifics on the attacks reported from that continent, but this feature also did not work. These errors were persistent over the course of a week.

I tried to find out who's behind DShield to see if anyone is benefiting financially from the information you submit. From digging around on the Web, it is hard to tell. DShield is a servicemark of Euclidian Consulting. Euclidian's site is pretty sparse, but it claims to specialize in database-driven Web sites and lists DShield as one of its examples. The site's news release section frequently cites Johannes Ullrich, CTO of the SANS Internet Storm Center (ISC). DShield's site doesn't mention that it collects information for the ISC, but it does point out it is sponsored by the ISC's parent, the SANS Institute. The ISC's site makes it clear that DShield is used to collect their information. Since this seems to be the primary purpose of DShield, it is puzzling that you have to visit the ISC's site to find this out.

The information DShield collects is made available to the public at no charge. However, the parent companies appear to benefit from the project by using it to showcase their expertise in the database and security fields. I understand that someone needs to pay for the infrastructure. It would just be nice if it was made clear who was paying for it and why.

Despite the obscurity in giving credit where it's due, DShield is a project that anyone running a firewall should check out. Submitting your logs to DShield is a good way to help make the Internet a little safer. Staying up-to-date on the latest threats is the only way to stay ahead of those who would do your network harm. The fact that you can use DShield's data to help protect your network should be more than enough incentive. The more information DShield collects, the more secure we all will be.
