[nsp-sec-jp] Increased TCP/5000 Activity

[Taka Mizuguchi]

nsp-sec-jp各位、

IMSのメンバ（Danny McPherson）からのレポートです。

tcp/5000ポートに対するトラフィックとソースアドレスの異常な増加が
IMSで検知された。ホストの数は極端に多く数千に達している。攻撃は、
簡単なSYNスキャンでポートのレンジも広く、再送が起こるという動作
です。これはWindows-baseのツールで可能です。

ということで、皆さんのネットワークでもお気を付け下さい。


-----
Folks,
We have detected an unusual increase in both the traffic and number of 
sources contacting tcp/5000 over the past few days on all IMS sensors.  
The number of hosts is quite large and appears to in the thousands.  
The behavior appears to be a simple syn scan and, given the emphereal 
port range and the retransmission behavior, it could to be 
Windows-based tool.

01-11-2005 01:42:22 0005a1f4 220.192.110.239 4117 A.B.C.50 5000 TCP 
-S------ 1296947564 0
01-11-2005 01:42:23 0005a24c 220.192.110.239 4117 A.B.C.50 5000 TCP 
----A--- 1296947565 2137390756
01-11-2005 01:42:24 0005a274 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756
01-11-2005 01:42:26 0005a29c 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756
01-11-2005 01:42:34 0005a2ec 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756
01-11-2005 01:42:45 0005a4dc 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756
01-11-2005 01:43:09 0005a69c 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756
01-11-2005 01:43:57 0005affc 220.192.110.239 4117 A.B.C.50 5000 TCP 
F---A--- 1296947565 2137390756

01-11-2005 00:10:15 00008d4c 80.136.229.69 4109 A.B.C.50 5000  TCP  
-S------ 644319027 0
01-11-2005 00:10:16 00008da8 80.136.229.69 4109 A.B.C.50 5000  TCP  
----A--- 644319028 2255408830
01-11-2005 00:10:16 00008dd0 80.136.229.69 4109 A.B.C.50 5000  TCP  
F---A--- 644319028 2255408830
01-11-2005 00:10:18 00008e2c 80.136.229.69 4109 A.B.C.50 5000  TCP  
F---A--- 644319028 2255408830
01-11-2005 00:10:37 00009368 80.136.229.69 4109 A.B.C.50 5000  TCP  
F---A--- 644319028 2255408830
01-11-2005 00:11:00 0000975c 80.136.229.69 4109 A.B.C.50 5000  TCP  
F---A--- 644319028 2255408830
01-11-2005 00:11:48 00009e04 80.136.229.69 4109 A.B.C.50 5000  TCP  
F---A--- 644319028 2255408830

An interesting feature of the event is the targeting behavior.  The 
sources appear to only target a single IP address in each /24.  Whether 
it is by design or a bug in the tools is hard to say.  As of today on 
one sensor, 96% of hosts sending packets to a certain /24 on port 5000 
are targeting one specific IP.

Are other folks seeing this activity as well?

-danny (IMS)

[jpeg attached, assuming it makes it through]


-----
Taka Mizuguchi
taka ＠ ntt.net


--------------------- Original Message Ends --------------------

-----
Taka Mizuguchi
taka ＠ ntt.net