Firewall Analysis

November 5, 2019
Understanding Networks

Prompt

Run your Linux host for several days, with a firewall in place and a public IP address. Make a table of all the IP addresses that attempt to connect to your host. Compile information about them. Where are they located? What organizations are they associated with, at all? What service providers are providing their IP addresses?

Process

I used the Linux host that I set up on Digital Ocean for this assignment, following the instructions here: https://itp.nyu.edu/networks/tutorials/setting-up-a-firewall-on-an-embedded-linux-device/. At first I could not see any logs from my firewall: it turned out I had set up a firewall service on Digital Ocean two months earlier and forgotten about it, so that cloud firewall was dropping traffic before it ever reached my host. Turning it off on Digital Ocean did the trick.

I let my firewall run for about 3 to 4 days, but I was only able to do my analysis on 2 days' worth of logs, since I had trouble downloading the rotated files containing the older logs.

I used Python to analyze each blocked request to my server, and used the ipinfo API to look up the identity of the source of each request.
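As an added illustration of the kind of script this step describes (this is example code, not the script from the original post), the block below parses blocked-connection lines in the iptables/ufw syslog format, counts attempts per source IP, enriches each unique IP once through a lookup function, and tallies the results by country, organization and company type. The log lines and the lookup table are constructed sample values; the `lookup_ipinfo` function targets the real `https://ipinfo.io/<ip>/json` endpoint, and its assumption that the company type lives in the response's `company` object (a paid-plan field) is mine, so an offline stand-in table is used when the analysis runs.

```python
"""Aggregate blocked connection attempts from firewall log lines.

Added example, not code from the original post. Assumes the host firewall
writes iptables/ufw-style "[UFW BLOCK] ... SRC=<ip> ... PROTO=<p> ... DPT=<port>"
lines to syslog. The log lines and lookup data below are constructed.
"""
import json
import re
import urllib.request
from collections import Counter

# Constructed sample log lines (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
Nov  3 02:14:07 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 02:14:09 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54322 PROTO=TCP SPT=43211 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 02:15:30 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=55555 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 02:16:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Nov  3 02:17:45 host sshd[1234]: Accepted publickey for user from 203.0.113.9 port 50000 ssh2
"""

# Constructed offline stand-in for ipinfo answers: ip -> (country, org, company type).
SAMPLE_IPINFO = {
    "198.51.100.7": ("US", "AS00000 Example Hosting LLC", "hosting"),
    "192.0.2.44": ("NL", "AS00000 Example Volume BV", "business"),
    "203.0.113.200": ("RU", "AS00000 Example Datacenter OOO", "isp"),
}

# Matches only packets the firewall dropped; other syslog lines are ignored.
BLOCK_RE = re.compile(
    r"\[UFW BLOCK\].*?\bSRC=(?P<src>[0-9.]+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_blocked(log_text):
    """Return one dict per blocked packet: source IP, protocol, destination port."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append({"src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def lookup_ipinfo(ip, token=None):
    """Query the real ipinfo.io JSON endpoint for one IP (needs network access).

    Returns (country, org, company_type). The 'company' object and its 'type'
    field are assumed to be present only on paid plans; missing fields become
    'unknown' so the aggregation still works on the free tier.
    """
    url = f"https://ipinfo.io/{ip}/json" + (f"?token={token}" if token else "")
    with urllib.request.urlopen(url, timeout=10) as resp:
        data = json.load(resp)
    return (data.get("country", "??"), data.get("org", "unknown"),
            data.get("company", {}).get("type", "unknown"))


def enrich(events, lookup):
    """Attach country/org/type to each event, querying each unique IP only once
    (the API is rate-limited, and one scanner often produces hundreds of lines)."""
    cache = {}
    for ev in events:
        if ev["src"] not in cache:
            cache[ev["src"]] = lookup(ev["src"])
        ev["country"], ev["org"], ev["type"] = cache[ev["src"]]
    return events


def tally(events, key):
    """Count attempts per value of `key`, most frequent first."""
    return Counter(ev[key] for ev in events).most_common()


def analyse(log_text, lookup):
    """Full pipeline: parse, enrich, and tally by IP, country, org, type and port."""
    events = enrich(parse_blocked(log_text), lookup)
    return {k: tally(events, k) for k in ("src", "country", "org", "type", "dpt")}


def analyse_sample():
    """Run the pipeline offline against the constructed log and lookup table."""
    return analyse(SAMPLE_LOG,
                   lambda ip: SAMPLE_IPINFO.get(ip, ("??", "unknown", "unknown")))


if __name__ == "__main__":
    for key, rows in analyse_sample().items():
        print(f"Top {key}:")
        for rank, (value, n) in enumerate(rows, 1):
            print(f"  {rank}. {value}, {n} times.")
```

To run it against a real host, feed it the contents of the firewall log (on a ufw host, the kernel lines in the syslog) and pass `lookup_ipinfo` in place of the sample lambda; the per-IP cache keeps the number of API calls equal to the number of distinct sources rather than the number of blocked packets.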

Insights

The API gave the location of each IP that made requests to my server. I organized the requests by country, sorted by how many requests were made from each.

Top 20 Sources of requests to my server

  1. US (United States), 1655 times.
  2. NL (Netherlands), 1058 times.
  3. CN (China), 1051 times.
  4. RU (Russia), 994 times.
  5. DE (Germany), 453 times.
  6. RO (Romania), 311 times.
  7. UA (Ukraine), 277 times.
  8. TW (Taiwan), 188 times.
  9. HR (Croatia), 149 times.
  10. GB (United Kingdom), 108 times.
  11. FR (France), 104 times.
  12. CA (Canada), 94 times.
  13. SG (Singapore), 90 times.
  14. VN (Vietnam), 89 times.
  15. IN (India), 81 times.
  16. BR (Brazil), 71 times.
  17. MD (Moldova, Republic of), 71 times.
  18. PL (Poland), 67 times.
  19. KR (Korea), 64 times.
  20. HK (Hong Kong), 64 times.

From the US, here were some top companies that made requests:

  • Digital Ocean
  • Google LLC
  • Arbor Networks
  • Merit Network
  • Hurricane Electric LLC

From the NL, most of the requests were by "IP Volume inc / Incrediserve LTD".

From Russia, most of the requests were from "AS202984 Chernyshov Aleksandr Aleksandrovich" and "AS49505 OOO Network of data-centers Selectel". I'm surprised to see such a personal name in these logs, especially since most of the others are infrastructure providers.

The API also gave a way to tell what type of business was associated with the servers that tried to connect to me. Of course, "business" is the most popular type of business; I'm interested in seeing what they mean specifically by this.

Top Business Types seen by my server:

  1. business, 3340 times.
  2. isp, 2107 times.
  3. hosting, 2047 times.
  4. education, 272 times.
  5. company type, 1 time.