"A million bucks in stolen calls"...Details

Bill Stewart bill.stewart at pobox.com
Sat Aug 26 21:59:07 PDT 2006


At 02:52 PM 8/26/2006, J.A. Terranson wrote:
>On Fri, 9 Jun 2006, Tyler Durden wrote:
><SNIP>
> > Two Charged in VOIP Hacking Scandal
><SNIP>
> > Step One. The men obscured the origin of the calls by sending them through
> > an "intermediary." The feds believe Pena, with help from Moore, scanned the
> > networks of companies all over the world looking for network ports to use
> > for routing calls. The New Jersey U.S. Attorney's Office said it obtained
> > records from AT&T Inc. (NYSE: T - message board) showing that, between June
> > and October of last year, Moore ran more than 6 million scans for those
> > susceptible ports.
>
>ATT had *records* of *port scans*, going back 12-18 *months*???
>How?

Go check out AT&T Internet Protect.
AT&T started it as a research project a few years ago,
logging traffic at AT&T peering points, and it's grown to cover
more of the network, and customers can subscribe to
summaries and analysis of the traffic data.
It logs to&from IP addresses, protocol, to&from ports,
timestamp, and maybe another field or two like DSCP/ToS
or TCP syn/ack bits or whatever,
and yes, there's a big honkin' custom database backend.
I don't know which data they keep for how long,
though it's at least a month for some of the data.

If you remember the EFF suit about AT&T helping NSA eavesdroppers,
the descriptions of the "secret" equipment all sound pretty
much like the stuff AT&T's had in public sales brochures for
a few years, except for the issue of how much access
NSA gets to the database.

From a research perspective, one of the biggest problems is
how to make any sense of that much data and present it in
some sort of useful format.  One of the measurements that
seems to be really valuable is looking at what percentage
of traffic is a given protocol, either by bytes/packets/flows,
and how much that's changed in the last day/week/month.
For instance, back when the Slammer worm came out,
there were half a dozen events over the preceding week
that were big spikes in UDP 1434, so we knew to build blocking filters.

So there'll be a lot of reports like "there's been a big increase
in traffic on TCP Port 139", with analysis like
"it's related to this week's latest Microsoft vulnerability,
and it seems to be a widely distributed search for targets", or
"most of it's from the X virus, with a bit left over from the Y virus", or
"it's a very focused 10 Gbps attack on a gamer's DSL line
coming from the dorms at X university,
with a bit of collateral damage if you're nearby."
Some of the information is similar to what you'd get from
McAfee or SANS, but it's got a different perspective because
of the scale of traffic measurement.
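
As an added illustration of the protocol-share measurement described above (the UDP 1434 spikes seen before Slammer), here is a small Python example that is not part of the original post and does not use real AT&T Internet Protect data: it works on constructed flow records, computes each (protocol, destination port) pair's share of a day's flows, bytes or packets, and flags ports whose share jumps against the mean of the preceding days.

```python
from collections import Counter, defaultdict

# Constructed sample flow records for illustration (not AT&T data):
# (day, protocol, destination port, bytes, packets). Six quiet baseline
# days, then a seventh day where UDP/1434 flows jump, Slammer-style.
def build_sample_flows():
    flows = []
    for day in range(1, 8):
        flows += [(day, "tcp", 80, 4000, 12)] * 40
        flows += [(day, "udp", 53, 120, 1)] * 10
        n1434 = 30 if day == 7 else 1
        flows += [(day, "udp", 1434, 404, 1)] * n1434
    return flows

def daily_share(flows, measure="flows"):
    """Per day, fraction of traffic on each (proto, dport), measured by
    flows, bytes or packets. Returns {day: {(proto, dport): fraction}}."""
    idx = {"flows": None, "bytes": 3, "packets": 4}[measure]
    per_day = defaultdict(Counter)
    for rec in flows:
        weight = 1 if idx is None else rec[idx]
        per_day[rec[0]][(rec[1], rec[2])] += weight
    shares = {}
    for day, counts in per_day.items():
        total = sum(counts.values())
        shares[day] = {k: v / total for k, v in counts.items()}
    return shares

def find_spikes(flows, target_day, measure="flows", factor=5.0):
    """Flag (proto, dport) pairs whose share on target_day is at least
    `factor` times their mean share over all earlier days."""
    shares = daily_share(flows, measure)
    baseline_days = [d for d in shares if d < target_day]
    if not baseline_days:
        return []
    out = []
    for key, today in shares[target_day].items():
        base = sum(shares[d].get(key, 0.0) for d in baseline_days) / len(baseline_days)
        # a port never seen before gets a tiny floor so it still gets flagged
        ratio = today / max(base, 1e-6)
        if ratio >= factor:
            out.append((key[0], key[1], round(base, 4), round(today, 4), round(ratio, 1)))
    out.sort(key=lambda r: -r[4])
    return out

if __name__ == "__main__":
    for proto, port, base, today, ratio in find_spikes(build_sample_flows(), target_day=7):
        print("spike: %s/%d baseline %.1f%% today %.1f%% (x%.1f)"
              % (proto, port, base * 100, today * 100, ratio))
```

With the constructed data only UDP/1434 is flagged on day 7 (about 2% of flows on the baseline days versus 37.5% that day); the `measure` argument switches the same check to bytes or packets.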
