[isapros] Re: Country by Country ISA Computer Sets

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 15 May 2008 15:12:59 -0500

I tried importing into 2006 Enterprise - no go.  Is there an Enterprise
version?


greg


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, January 14, 2008 4:14 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Country by Country ISA Computer Sets


Recently, David Litchfield asked me to help him out a bit with a
research project he was working on by having me set up a network capture
in my DMZ to log SQL Slammer attacks.  I don't publish any services here
at my Santa Cruz facility (meaning there are no required inbound
protocols and no references in DNS anywhere) so I figured it would be
a nice "quiet" circuit to use for testing.  I basically port-forwarded UDP
1434 to a laptop in my DMZ running NetMon3 also filtering for UDP 1434.
After about 4 days of running NetMon, I had captured almost 30
(verified) random SQL Slammer attacks.  What I found interesting was
that every single one of them was sourced in China (all from different
addresses).  

Now, it's not my intent to start some geopolitical debate here, but I've
long heard about how some people would block entire countries at the
border in order to obviate issues with malicious traffic.  There are
obviously some issues with this (both from a technical and potential
customer standpoint) so I set out to do a bit of research on my own.
The first thing I found out was that if one does decide to block entire
countries, it's going to be a bit of work from a rule standpoint.
Sure, if I wanted to block all of China I could block APNIC, but that
would block WAY more than I would want.  So I set about finding a good
resource for country-by-country IP ranges.  Fortunately, Wade Alcorn,
one of my colleagues at NGSSoftware turned me on to one that seemed
pretty decent (there are a few around, though).  But finding the
resource was just the beginning...  The list I got included 234
countries, comprising almost 100,000 records of IP ranges.   Making a
firewall rule to block China, for instance, would require entering in
almost 600 IP ranges - so the "manual" route was clearly out.  The thing
is, I just didn't want to block countries without more research, so I
needed a way to gather some statistics first.  Enter ISA Server - as
many of you know, I'm a big fan of ISA - it's a true enterprise security
product with great scripting capabilities, so I set to work creating an
automated method by which to create computer sets in ISA for each
country.   Basically, I created a SQL database and loaded all the
records into it - I then wrote a little COM app to reach out and grab
the data by countries, create the sets in ISA, and loop through the
different ranges of IP's to add them to the set.  It worked great.  

This accomplished two things - first, I now have full detailed computer
sets for each country to do with as I please.  Second, I have an
excellent way of producing detailed reports for traffic analysis in ISA -
this was key.  With data collection points set up at different places
around the world, I was able to capture 3.1 million inbound connection
attempts.  The results were quite interesting.  While China still led
with connection attempts overall, it was interesting to see that Canada
was a close second.  However, while China's traffic consisted of SQL
Slammer, HTTP, SMTP, probes for GhostProxy, etc, almost all of Canada's
traffic was MESSENGER spam (UDP 1026,1027,1208).  The world leader for
HTTP was Brazil, strangely enough.  Now, all of this will change based
on who and where you are, and the types of services being offered.  For
example, I only got 5 SMTP connection attempts to my cable modem in a
week, but my ISP in BM got hundreds of thousands (understandably) in the
same time period.  I'll whip up some cool reports for what I found and
post them once I get some more data in from different collection points,
but the valuable outcome of the project was the creation of these
individual country-by-country Computer Sets for ISA.  Beforehand, I had
no real way of easily and effectively reporting on traffic patterns by
source country.   Whether you can or can't block entire countries is
your business, but at least this affords someone an easy way of doing
research.  You may not be able to (or even want) to block HTTP from
China, but you very well may want to block SMTP - with ISA and computer
sets, you can easily do this.  Even if you don't block anything at all,
you can use the sets to get rich reports of what kind of traffic you
are getting from a particular country.  While the validity of the
practice of blocking entire countries (or particular protocols for that
matter) may be up for debate, you now at least have the option to make
your own decision based on factual information - to be sure, you've
always been able to do this obviously, it's just been my experience that
maintaining rule lists by country/protocol has been quite difficult and
time consuming. 

I've exported every country's entire list to ISA 2006 .XML format, and
have posted them on the HoG site for community use.  Since I've
automated the Set creation process, I'll be updating the sets each month
or so to ensure that changes are processed correctly.   I would like to
thank NGSSoftware for purchasing the required business services to
receive the updates - their donation makes it possible for me to give
you updated sets for free.  

A full list of all countries' ISA .xml for ISA 2006 is available here:

http://hammerofgod.com/download/ISASets/

The first file is a zip of all countries if you want that one.  Go nuts!


t
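The set-building loop Thor describes (a country/start/end table, one computer set per country, every range of that country added to its set) as an added example. This is not the HoG code or anything from the post; it is a PowerShell script written for this page. It runs against the ISA 2006 administration COM model, and the object names it uses (the FPC.Root ProgID, GetContainingArray().RuleElements.ComputerSets, ComputerSets.Add(name) and Item(name), set.Addresses.AddRange(name, low, high), Remove(index) and Save()) are written from memory of the ISA 2006 SDK: treat them as assumptions and check them against the SDK before pointing this at a production array. The range rows are constructed sample data standing in for the 100,000-row list, including one deliberately bad row to show the validation path.

```powershell
# Added example, not from the original post. Builds one ISA 2006 computer set per
# country from country/start/end rows. COM member names are assumptions taken from
# memory of the ISA 2006 SDK; verify them before running without -DryRun. Needs to run
# on an ISA array member or a host with the ISA management console (registers FPC.Root).

# Constructed sample rows; the last one is deliberately invalid (start above end).
$SampleRangeCsv = @'
Country,Start,End
CN,1.0.1.0,1.0.3.255
CN,1.0.8.0,1.0.15.255
CA,24.64.0.0,24.71.255.255
BR,200.128.0.0,200.255.255.255
CN,1.1.0.0,1.1.0.255
CN,1.0.4.0,1.0.3.255
'@

function ConvertTo-IPv4Number {
    # Numeric value of a dotted quad, so Start/End can be compared as integers.
    param([Parameter(Mandatory)] [string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [array]::Reverse($bytes)                       # network order -> host order
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Get-CountrySetPlan {
    # Group rows by country into the sets to create. Rows that do not parse, or whose
    # Start is above End, are dropped with a warning so list errors never reach the
    # firewall configuration.
    param([Parameter(Mandatory)] [object[]] $Rows)
    foreach ($g in ($Rows | Group-Object Country)) {
        $ranges = foreach ($r in $g.Group) {
            try {
                if ((ConvertTo-IPv4Number $r.Start) -gt (ConvertTo-IPv4Number $r.End)) {
                    Write-Warning "Skipping $($g.Name) $($r.Start)-$($r.End): start above end"
                    continue
                }
                [pscustomobject]@{ Low = $r.Start; High = $r.End }
            } catch { Write-Warning "Skipping $($g.Name) row: $_" }
        }
        # Set naming convention is this example's, not ISA's.
        [pscustomobject]@{ SetName = "Country_$($g.Name)"; Ranges = @($ranges) }
    }
}

function Import-CountrySets {
    # Create or refresh one computer set per plan entry. -DryRun prints the plan and
    # never loads the COM object, so the list can be reviewed away from the firewall.
    param([Parameter(Mandatory)] [object[]] $Plan, [switch] $DryRun)
    if ($DryRun) {
        foreach ($p in $Plan) {
            "{0}: {1} range(s)" -f $p.SetName, $p.Ranges.Count
            foreach ($r in $p.Ranges) { "    {0} - {1}" -f $r.Low, $r.High }
        }
        return
    }
    $root = New-Object -ComObject FPC.Root                        # assumed ProgID
    $sets = $root.GetContainingArray().RuleElements.ComputerSets   # assumed object path
    foreach ($p in $Plan) {
        try   { $set = $sets.Item($p.SetName) }                    # existing set: refresh it
        catch { $set = $sets.Add($p.SetName) }                     # missing: create it
        # Monthly refreshes must be idempotent. Clearing the ranges of an existing set
        # keeps every rule that references the set intact, whereas deleting and
        # recreating it would fail on (or detach) those rules. Remove(index) is
        # assumed 1-based like the other FPC collections.
        for ($i = $set.Addresses.Count; $i -ge 1; $i--) { $set.Addresses.Remove($i) }
        $n = 0
        foreach ($r in $p.Ranges) {
            $n++                                                  # range names must be unique
            [void]$set.Addresses.AddRange(("{0}_{1}" -f $p.SetName, $n), $r.Low, $r.High)
        }
    }
    # One Save for the whole batch: each Save makes every array member reload its
    # configuration, so saving per range (or 234 times, per set) is needlessly slow.
    $sets.Save()
}

$plan = Get-CountrySetPlan -Rows ($SampleRangeCsv | ConvertFrom-Csv)
Import-CountrySets -Plan $plan -DryRun    # drop -DryRun on the ISA host to apply
```

Run as written it only prints the planned sets (three here, with the bad CN row reported and skipped); the planning step is kept separate from the COM calls precisely so that a fresh monthly list can be sanity-checked before it replaces the ranges on a live array.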
