For the Fallen Laurence Binyon (1869-1943)

The results after the latest updates are:

Windows is significant, although there has been a distinct scew towards this OS due to Conficker propagation, its still worth noting that prior to the last 7 months being imported data though December 2008 showed windows only 0.8% down on the values above, roughly evenly split between positions 2 & 3.. At the bottom end of the scale some interesting artifacts.


# Convert man pages to pdf
man2pdf()
{
m2pfile="/tmp/${1}-m2p.pdf"
if [ ! -s $m2pfile ]; then # is it there and > zero bytes 
     man -t "${1}" | ps2pdf - > "$m2pfile"
     fsize=`du -k $m2pfile | awk '{print $1}'`
     echo "Created PDF file in $m2pfile ($fsize KB)"
fi
}


It can trivially be extended to check for things like a $DISPLAY variable and pop up a viewer or request to print. The caching is admittedly crude, but works since /tmp is cleared out periodically. Output looks like:

[bvi@starburst ~]$ man2pdf ls
Created PDF file in /tmp/ls-m2p.pdf (20 KB)

12:34:56 07/08/09

1 2 3 4 5 6 7 8 9

This will never happen our lives again!

FreeBSD ports are still holding 4.90RC1 form 10 days ago, but are likely to get updated soon.

Systems like this re-enforce my feelings that FreeBSD really is rock solid.
Yes the box probably needs patching and upgrading, but for what its doing acting as an appliance that shunts packets, that's nicely firewalled down with no local users its good enough for now.


While a relatively small, conference, this year’s programme has a nice blend of topics being covered, and in many ways has refocused on being a more Academic and research centered conference, with much of the industry hype and attendees having migrated to the ITWeb Security Summit.

The Security and Networks Research Group (SNRG) will be presenting five papers:

• Investigating the effect of Genetic Algorithms on filter optimisation within fast packet classifiers. (Alastair Nottingham)
• An examination of the Generic Exploit Prevention Mechanisms on Apple’s Leopard Operating System. (Haroon Meer)
• Automated Firewall Rule Set Generation Through Passive Traffic Inspection. (Georg-Christian Pranschke)
• A Framework for the Rapid Development of Anomaly Detection Algorithms in Network Intrusion Detection Systems. (Richard Barnett)
• Management, Processing and Analysis of Cryptographic Network Protocols (Bradley Cowie) (Work in progress stream)

I’ll post appropriate links to the PDF versions once the conference is over.

Again the conference is being held at the School of Tourism & Hospitality (STH)  University of Johannesburg, which is on Bunting Road, Auckland Park, Johannesburg, which can be found here

xsltproc map2.xsl asia.xml

given the input from the Asia attack  graph produces:

30-06-2009 05:00:17 GMT,RU,Russia,15387,green
30-06-2009 05:00:17 GMT,TR,Turkey,7137,green
30-06-2009 05:00:17 GMT,CN,China,2468,green
30-06-2009 05:00:17 GMT,MY,Malaysia,4158,green
30-06-2009 05:00:17 GMT,IN,India,2631,green
30-06-2009 05:00:17 GMT,TH,Thailand,1823,green

While not the most elegant code, its gets done what I need, and is easily extensible enough to be able to  transform to other formats suitable for DB import. I’ll need to monitor data over the next couple of days to get an idea as to how the counters used are actually operating. Once that has been established I can star doing some meaningful comparisons.

The site provides rich graph and chart interfaces, which are nicely interactive.  There are definatley some ideas I want to incorporate form this into my own Network Telescope management console.  It is however worth bearing in mind that his is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30

After digging around with squid and wireshark, its evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is you need Air 1.5.1, and the 1.0.8 version I had wouldn’t auto upgrade correctly.  A little disappointing in that I was expecting a map view, it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget

Where the real value  comes form is having another independent source of reporting ( even at the highly granular level) that can be used to correlate observations with my own data sets, and those available form places like dShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.

• migrating the host for this blog, along with pretty much all my other FreeBSD boxes to FreeBSD 7.2.
• Trying out the new jail(8) features in 7.2 particularly the multip  ip and ipv6 support
• A move to wordpress 2.8, which while the upgrade was pretty painless Ive ruin into some hastles with plugins that break the nice widget selection system  under the admin panel – most notable of the plugins I’ve notice d causing this is wp-recapcha. Along with this has been a migration to somethign alittle more elegant than the boring Kubric Theme.
• A pilot version of my new squid external_acl  filtering software is being tested by two sites, so far with positive results.

Progress on the phd is plodding on with growing collection of rather interesting images and plots generation that I now need to try fathom and write about. with the university now on vac I should be able to make good progress in this direction.

One of the most fascinating and gripping books I have read in a while is Ed Macy’s Apache, which is well worth a read if you are into military biographies.

During a break after I presented a talk on Cyber warfare last night, I had a number of questions relating to the proported meltdown today -

• “Should we keep our machines off?”
• “How do we stop this?”
• “How do I stop getting infected?”
• “What antivirus must we buy?”

Here in deepest darkest africa, we have two unintended benefits that come form the general means of network engineering done here. Both stem in reality from the paucity of real bandwidth currently (and historically available).  The first is that most organisations block direct port 80/tcp (http) and related port access to the Internet, forcing the requirements to use proxy servers. This cuts off confickers ability to update. In the resedential SOHO market, theoreticlaly direct end to end port 80 access is possible , but more often than not there is a transparent proxy in the way. I doubt ISPs are doing any domain filtering on these however. What works as a means of self limitation is that fact that should any massive wave of attacks spring forth from the SOHO /Residential type users, it will be cut short as they rappidly burn though their “bandwidth cap” – in most cases 1-3 Gig.

What is interesting is what the actual next move will be.  I think its highly unlikley that this will be used for an all-out offensive and then disposed of. The authors have carefully engineered through four releases of the Hybridised Malware, and in essence have made a fairly substantial investment.   The most likely scenario is that tis is yet another botnet for sale – albeit a potentially massive one.

Botnets themselves are nothign new, we have seen what Storm has done ( and is still doing).

For  now we bunker down and wait…..

http://www.infosecsa.co.za

Due dates:

• Abstract submission: 23 March 2009 (1 page)
• Notification of abstract acceptance: 31 March 2009
• Full papers submission for review: 18 April 2009
• Notification of acceptance: 26 May 2009
• Submission of final camera-ready papers: 6 June 2009

Zone-H defaced

No Details on this as yet. Hackers blog has more on the Kaspersky hack which seems to be good old SQL injection.

• tcpreplay is now at version 3.4.0 with a number of significant bugfixes. This staple of packet analysis allows for the replay of captured pcap file back over network interfaces.  Its a great way of having a repeatable test framework, or for explosing yout NIDS system to collected bad traffic.
• picviz 0.5 has been released. I blogged about this before and the project seems to be comming on nicely. Formy own purposes its not much use with my network telescope data, but does produce some pretty pictures for some other work Ive been doing of late. The new version comes with a bumber of new log parsers. A slide deck discussing its use as presented at USENIX 2008 is also available.
• pcapr is the new tool out and describes itself as “web 2.0 meets packets“, and “pcapr does to packets what flickr does to pictures”. If it performs as promised it could make life a lot easier maintinaing libraries of packet captures. The fact its a hosted service does have some distinct disadvantages. Currently there seems to be quote a lot of little snippets. An RSS feed of new content is also available.  Another similar repository s that of openpacket.org
• libtrace while not a new tool as such, is somethign I’ve started workign with recentlyafter comming across it in Dean Pemberton’s MSc Thesis2007 on Internet Background Radiation Arrival Density and Network Telescope Sampling Strategies. The api looks pretty clean and it comes with a couple of nice demo tools which are actually useful.  the URI syntax it uses for accessing files is a little strange but managable.