
Here we are looking at a filter that recently made the ThreatLinQ “Movers and Shakers” list, namely filter 1401 “MS-SQL: Login Failure.” We began watching this filter around 7-20-08, and it seems that was just in time. On 7-21-08 we saw a sharp increase in filter hits, and the majority of those hits went to unique destination IP addresses, which is denoted by the blue bar. A spike in hits spread across many distinct destinations is the classic footprint of a scan or brute force attack: one host working its way through a list of targets. (A distributed denial of service attack would normally show the inverse shape, many sources converging on a few destinations.) Drilling down into this data, we see that the top source IP address, 82.165.180.111, is responsible for the spike. Further investigation into this address shows a number of source ports in the ephemeral range, each seeing approximately the same number of hits. This even port distribution corroborates our assumption that this is indeed a brute force attack: it is consistent with a tool that opens a new connection for every login attempt and lets the operating system hand out source ports, rather than with a single long-lived client session. I did a bit more research on the port patterns used by various SQL brute forcing tools and found a number of matches in the ThreatLinQ dataset that could be attributed to the sqlping3 tool.
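The same drill-down can be reproduced offline against an export of the filter 1401 events. The script below is an added example and is not part of the original post or of ThreatLinQ itself. It assumes each event has been reduced to a source address, source port and destination address; the events it runs on are constructed (documentation addresses from RFC 5737 stand in for the real scanner and victims) and are labelled as such in the code. It ranks sources by hit count, then profiles the top source on the three properties discussed above: how many distinct destinations it touched, whether its source ports sit in the ephemeral range, and how evenly the hits are spread across those ports.

```python
from __future__ import annotations

import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One filter 1401 (MS-SQL: Login Failure) event, reduced to the fields we need."""
    src: str
    sport: int
    dst: str


def build_sample_hits(seed: int = 1401) -> list[Hit]:
    """Constructed sample data, not real ThreatLinQ telemetry.

    One scanner (198.51.100.7, an RFC 5737 documentation address) makes a single
    failed login against every host in 203.0.113.0/24, cycling through a small
    set of ephemeral source ports so that each port ends up with a similar count.
    Two other sources contribute ordinary noise: a user repeatedly mistyping a
    password against one server.
    """
    rng = random.Random(seed)
    hits: list[Hit] = []
    ports = list(range(49152, 49152 + 8))          # eight ports in the IANA dynamic range
    for i, host in enumerate(range(1, 255)):
        hits.append(Hit("198.51.100.7", ports[i % len(ports)], f"203.0.113.{host}"))
    for _ in range(12):
        hits.append(Hit("192.0.2.10", rng.randint(49152, 65535), "203.0.113.5"))
    for _ in range(7):
        hits.append(Hit("192.0.2.22", rng.randint(49152, 65535), "203.0.113.9"))
    rng.shuffle(hits)
    return hits


def top_sources(hits: list[Hit], n: int = 3) -> list[tuple[str, int]]:
    """Sources ranked by number of login-failure hits, most active first."""
    return Counter(h.src for h in hits).most_common(n)


def profile_source(hits: list[Hit], src: str) -> dict[str, float]:
    """Summarise one source's behaviour the way the drill-down in the post does."""
    mine = [h for h in hits if h.src == src]
    total = len(mine)
    dsts = Counter(h.dst for h in mine)
    sports = Counter(h.sport for h in mine)
    ephemeral = sum(1 for h in mine if 49152 <= h.sport <= 65535)
    return {
        "total": total,
        "unique_dsts": len(dsts),
        # Fraction of hits that went to a destination not seen before from this source.
        "fan_out": len(dsts) / total,
        "ephemeral_share": ephemeral / total,
        # 1.0 means every source port carried exactly the same number of hits.
        "sport_imbalance": max(sports.values()) / min(sports.values()),
    }


def classify(p: dict[str, float]) -> str:
    """Label a source profile. Thresholds are illustrative, not ThreatLinQ's."""
    # Most hits land on distinct destinations, ports are ephemeral and evenly
    # used: one host walking a target list, i.e. scanning / brute forcing.
    if p["fan_out"] > 0.5 and p["ephemeral_share"] >= 0.9 and p["sport_imbalance"] <= 1.5:
        return "brute-force / scan"
    # Many failures against a single server looks like a misconfigured client
    # or a user with a bad password, not a sweep.
    if p["unique_dsts"] == 1 and p["total"] >= 10:
        return "repeated failures against one server"
    return "inconclusive"


if __name__ == "__main__":
    events = build_sample_hits()
    for src, count in top_sources(events):
        profile = profile_source(events, src)
        print(f"{src:>14} hits={count:4d} dsts={profile['unique_dsts']:3d} "
              f"ephemeral={profile['ephemeral_share']:.2f} "
              f"port_imbalance={profile['sport_imbalance']:.2f} -> {classify(profile)}")
```

Running it prints the three sources with the scanner on top, flagged as brute-force / scan, while the two noisy clients are set aside. Against real data the interesting knob is `sport_imbalance`: a persistent client reusing one connection shows a single port, a tool reconnecting per attempt spreads almost flat across the ephemeral range.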
I hope this example shows how ThreatLinQ users can take a specific feature of interest in a top-level graph and, by drilling down into the data, formulate a verifiable sequence of events in a matter of minutes.