At 02:52 PM 8/26/2006, J.A. Terranson wrote:
On Fri, 9 Jun 2006, Tyler Durden wrote: <SNIP>
Two Charged in VOIP Hacking Scandal <SNIP> Step One. The men obscured the origin of the calls by sending them through an "intermediary." The feds believe Pena, with help from Moore, scanned the networks of companies all over the world looking for network ports to use for routing calls. The New Jersey U.S. Attorney's Office said it obtained records from AT&T Inc. (NYSE: T - message board) showing that, between June and October of last year, Moore ran more than 6 million scans for those susceptible ports.
ATT had *records* of *port scans*, going back 12-18 *months*??? How?
Go check out AT&T Internet Protect. AT&T started it as a research project a few years ago, logging traffic at AT&T peering points, and it's grown to cover more of the network, and customers can subscribe to summaries and analysis of the traffic data. It logs to&from IP addresses, protocol, to&from ports, timestamp, and maybe another field or two like DSCP/ToS or TCP syn/ack bits or whatever. and yes, there's a big honkin' custom database backend. I don't know which data they keep for how long, though it's at least a month for some of the data. If you remember the EFF suit about AT&T helping NSA eavesdroppers, the descriptions of the "secret" equipment all sound pretty much like the stuff AT&T's had in public sales brochures for a few years, except for the issue of how much access NSA gets to the database. From a research perspective, one of the biggest problems is how to make any sense of that much data and present it in some sort of useful format. One of the measurements that seems to be really valuable is looking at what percentage of traffic is a given protocol, either by bytes/packets/flows, and how much that's changed in the last day/week/month. For instance, back when the Slammer worm came out, there were half a dozen events over the preceding week that were big spikes in UDP 1434, so we knew to build blocking filters. So there'll be a lot of reports like "there's been a big increase in traffic on TCP Port 139", with analysis like "it's related to this week's latest Microsoft vulnerability, and it seems to be a widely distributed search for targets", or "most of it's from the X virus, with a bit left over from the Y virus", or "it's a very focused 10 Gbps attack on a gamer's DSL line coming from the dorms at X university, with a bit of collateral damage if you're nearby." Some of the information is similar to what you'd get from McAfee or SANS, but it's got a different perspective because of the scale of traffic measurement.