Week #01
I set up my internet host using Digital Ocean (already had an account and a droplet from a previous class but I renamed and reconfigured some stuff so I can use it for this class as well). I added a firewall too and went through the commands to get the log. Although essentially no time has passed I already had 182 listed logs which wasn't expected(?).
Then I got a broken pipe and reconfigured the time it stays alive, then ran the firewall log commands again and had 57 entries (is it per session?). I put the info into a spreadsheet and ran a few IP addresses that were kind of all over the place (London, Shanghai, Phoenix AZ, Kaunas [Lithuania] and many more). But I decided to let it run for a day or two and see what's happening then.
I redid this the next day and had 2550 entries! I took the last 256 and tried analyzing it with a spreadsheet.
I started with seeing how many unique source IP addresses I have. Out of the 255 I was analyzing, 202 were unique — meaning 52 addresses attempted connection to my host more than once (Does this mean they're a bigger actor? That these are bots? Or maybe they are actually smaller actors because they operate from the same address?).
I've noticed that besides those that were exactly the same, a lot of IP addresses were using the same network but different hosts. Does it mean they're different machines on the same network? Or same geographical area?
As a little experiment I looked at two addresses that had the same first number but a different second numer. They both had attempted connections multiple times with different machines.
Going down that rabbit hole for a minute — I've looked at the domains that are hosted on one of the IP addresses mentioned above:
I then tried going to some of these URLs but was (I guess thankfully??) stopped by my internet provider:
I did look through a couple more IP addresses — one was pointing to this cyber research website. A bunch more were pointing to all sorts of cyber / cloud / network management platforms / services.
Except for the source IP I also tried seeing if any other info could be significant. I looked at the source port: they were mostly unique (or random) but some repeated a bunch of times so I filtered the ones that occurred more than once and used a table to make it clear:
I then googled the port numbers:
Port 61000: " Port number 61000 is the last port in the ephemeral port range, which is used by appliances to send data over TCP and UDP. Ephemeral ports are used when an application needs to make a network connection but doesn't need to assign a specific port number. The operating system chooses a port number dynamically at the time of the request. The default ephemeral port range for Linux is 32768 to 61000."
I wonder what it means that there were this many attempts through that port to access my host — why the last port? Does it mean the machine behind this has also utilized many of its other ports? In any case I assume this is some kind of automated query, maybe like some big bot or a crawler?
The rest of the recurring ports seem to be just unassigned TCP ports. They weren't repeating that many times so could be a coincidence or a smaller bot / crawler I guess.
The entries that used 61000 as their port had a couple of different IP addresses, but one was occurring more than others, and it points to Amsterdam(?)
When I was looking at the info I can get for my own hosted IP address I also did not have a host name. The location was a bit off but the org pointed to Digital Ocean which was right. I also looked at other domains hosted on the same AS number — it looked like a lot of them weren't really active. But I also saw some more legit-looking websites like whois.uk or some Thai marketing company. I could only get the first entries on that Hosted Domains list, and it is sorted by number of domains so I do wonder about the difference with the sites on the end of that list.
