[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Smith, Donald
Donald.Smith at qwest.com
Tue Apr 15 13:57:01 EDT 2008
For an enterprise, your approach makes sense.
However, the netflow I am using is from all our peering locations and is
sampled, but it covers a VERY large portion of the Internet, especially
traffic that starts on one tier 1, 2 or 3 ISP and lands on another.
It is HUGE, and many of the IP addresses involved are not Qwest or Qwest
customer IP addresses, so I don't know which are really OpenView servers
and which are scanning/exploiting.
If I see anything that stands out and can be used as a netflow filter I
will let this group know.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: david.harcourt at bt.com [mailto:david.harcourt at bt.com]
> Sent: Tuesday, April 15, 2008 11:33 AM
> To: Smith, Donald; joel at columbia.edu;
> rolf.gartmann at switch.ch; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>
> I'd have thought you'd have a list of recognised servers, and
> then anything else is either a misconfigured server
> elsewhere probing too far, or an attack. Either way you
> wouldn't want them...
>
> Dave
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> <nsp-security-bounces at puck.nether.net>
> To: Joel Rosenblatt <joel at columbia.edu>; Rolf Gartmann
> <rolf.gartmann at switch.ch>; NSP Security List
> <nsp-security at puck.nether.net>
> Sent: Tue Apr 15 18:11:40 2008
> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>
> ----------- nsp-security Confidential --------
>
> Just for my own understanding how do you determine if these are legit
> traffic or actual scanning/exploit attempts?
>
> I have run a couple of flow queries and some of the traffic I am seeing
> does not look like scanning nor exploit attempts.
> I see some sourced from well-known ports (80 etc...) towards 2954.
> Others I see are 1 to 1 communications. Established connections where
> one host talks to another the whole time.
> That could be exploit attempts but then the exploit tool must need to
> try lots of combinations (dozens - several hundred).
>
>
> Based on a quick review of the released tool it appears to only need to
> be run one time and only sends a few packets with a few hundred bytes of
> exploit code and reverse shell code.
>
> I am not picking on Joel here, just trying to figure out if I can use
> netflow to detect the actual attackers.
>
>
>
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) &&
> (identify_threat[product[i++]))}
> Donald.Smith at qwest.com giac
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > Joel Rosenblatt
> > Sent: Tuesday, April 15, 2008 10:07 AM
> > To: Rolf Gartmann; NSP Security List
> > Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
> >
> > ----------- nsp-security Confidential --------
> >
> > Here are some current (right now) counts
> >
> > [joel at geoduck ~]$ /cflow/bin/audit/port_query.pl -p2954 -r6 -n10
> > # --- ---- ---- Report Information --- --- ---
> > #
> > # Title: Outgoing Scanning Sources
> > # Fields: Total
> > # Symbols: Disabled
> > # Sorting: Descending Field 1
> > # Name: Source IP
> > #
> > # Args: flow-stat -f9 -S1 -T Outgoing Scanning Sources
> > #
> > #
> > # IPaddr flows octets packets
> > #
> > 128.59.48.6 9 10962 140
> > 128.59.20.226 7 3945 36
> > 128.59.48.36 5 86652 89
> > 160.39.137.184 5 3092 25
> > 160.39.201.175 5 781 12
> > 128.59.176.131 4 1975 20
> > 128.59.48.24 3 38679 47
> > 128.59.59.177 3 512 11
> > 128.59.199.87 3 811 16
> > 160.39.4.62 3 1667 13
> > 160.39.240.66 3 340 7
> > 160.39.80.42 2 1662 15
> > 128.59.28.83 2 184 4
> > 156.111.139.12 2 452 8
> > 160.39.201.69 2 3643425 2831
> > 160.39.54.156 2 340 6
> > 160.39.138.139 2 765 9
> > 128.59.84.23 2 3496 10
> > 128.59.48.4 2 1744 14
> > 128.59.20.228 2 736 7
> > 160.39.96.47 2 2818 15
> > 128.59.64.30 1 96388 69
> > 128.59.59.89 1 138 3
> > 128.59.111.11 1 192210 132
> > 128.59.178.184 1 262 5
> >
> > # --- ---- ---- Report Information --- --- ---
> > #
> > # Title: Outgoing Scanning Recipient ASNs
> > # Fields: Total
> > # Symbols: Disabled
> > # Sorting: Descending Field 1
> > # Name: Destination AS
> > #
> > # Args: flow-stat -f20 -S1 -T Outgoing Scanning Recipient ASNs
> > #
> > #
> > # dst AS flows octets packets
> > #
> > 4134 9 362777 276
> > 12322 5 3646377 2853
> > 3462 4 895 12
> > 9800 3 859 11
> > 9318 3 3718 60
> > 8167 3 564 10
> > 7482 3 1667 13
> > 4766 3 22016 27
> > 4538 3 322 7
> > 3320 3 385 8
> > 33491 2 782 8
> > 29738 2 140 3
> > 20057 2 184 4
> > 15169 2 86330 82
> > 9498 2 733 10
> > 4808 2 577 8
> > 4788 2 16987 27
> > 35908 1 1045 13
> > 34383 1 480 5
> > 33657 1 599 7
> > 29687 1 289 5
> > 23898 1 437 5
> > 23700 1 138 3
> > 21844 1 1312 16
> > 20115 1 769 5
> >
> > # --- ---- ---- Report Information --- --- ---
> > #
> > # Title: Incoming Scanning Sources
> > # Fields: Total
> > # Symbols: Disabled
> > # Sorting: Descending Field 1
> > # Name: Source IP
> > #
> > # Args: flow-stat -f9 -S1 -T Incoming Scanning Sources
> > #
> > #
> > # IPaddr flows octets packets
> > #
> > 125.118.56.251 24 3910 85
> > 86.140.154.46 4 3843 76
> > 72.14.247.83 4 2110 25
> > 64.233.185.83 4 2435 24
> > 66.102.1.91 3 44346 40
> > 87.11.3.52 2 280 6
> > 212.58.226.20 2 18832 17
> > 204.11.109.22 2 8827 10
> > 216.52.175.141 2 6040 13
> > 66.249.83.83 2 4085 10
> > 61.135.151.77 2 92 2
> > 77.247.176.154 2 1555 10
> > 68.253.191.194 1 138 3
> > 67.107.161.4 1 30094 30
> > 219.152.120.80 1 48 1
> > 211.234.241.139 1 6138 9
> > 8.6.12.121 1 5107886 3410
> > 216.73.87.52 1 1908 4
> > 211.206.120.106 1 2356 6
> > 208.111.129.11 1 119326 82
> > 69.28.154.242 1 775 4
> > 209.170.120.43 1 545 4
> > 77.247.176.134 1 413 5
> > 129.206.100.212 1 46 1
> > 67.228.59.227 1 2307 7
> >
> > # --- ---- ---- Report Information --- --- ---
> >
> >
> > --On Tuesday, April 15, 2008 5:29 PM +0200 Rolf Gartmann
> > <rolf.gartmann at switch.ch> wrote:
> >
> > > ----------- nsp-security Confidential --------
> > >
> > > from the fingers of jose nazario on 15.4.2008 17:14 Uhr:
> > >> ----------- nsp-security Confidential --------
> > >>
> > >> Following publication of the exploit code for the HP OV NMM buffer overflow
> > >> on TCP/2954, we're seeing a spike in attackers now for this port. This
> > >> follows a smaller bump last week when the code was a) not working well and
> > >> b) possibly working exploit code was not so public. Via ATLAS, here are the
> > >> top hosts scanning:
> > >>
> > >> Host Bytes per subnet Percentage
> > >> 85.25.146.193 2.09 kB 84.6%
> > >> 80.233.240.24 186.94 B 7.6%
> > >> 62.77.76.167 60.20 B 2.4%
> > >> 195.246.222.16 53.74 B 2.2%
> > >> 193.93.27.17 37.02 B 1.5%
> > >> 89.146.16.26 28.20 B 1.1%
> > >> 80.123.116.21 7.26 B 0.3%
> > >> 62.244.213.210 5.34 B 0.2%
> > >> 212.241.176.186 0.33 B 0.0%
> > >> 85.196.83.12 0.16 B 0.0%
> > >> Other 0 B 0.0%
> > >> This is all since 01:50 UTC today.
> > >
> > > I can throw in some stats from our Darkspace:
> > >
> > > 2008-04-10 11:10 29658
> > > 2008-04-10 11:15 37669
> > > 2008-04-10 11:20 27340
> > > 2008-04-11 00:45 7706
> > > 2008-04-11 00:50 11555
> > > 2008-04-11 01:00 10340
> > > 2008-04-11 02:10 78
> > > 2008-04-15 07:40 11262
> > > 2008-04-15 07:45 18584
> > >
> > > checking from 2008-04-08 till now, numbers are pkts/5min
> > > (timestamps UTC+2)
> > >
> > > -
> > > Rolf
> > >
> > >> Exploit code is here:
> > >>
> > >> http://www.milw0rm.com/exploits/5445
> > >>
> > >> - jose
> > >>
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> nsp-security mailing list
> > >> nsp-security at puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/nsp-security
> > >>
> > >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > >> community. Confidentiality is essential for effective
> > >> Internet security counter-measures.
> > >> _______________________________________________
> > >
> > >
> > > --
> > > SWITCH
> > > Serving Swiss Universities
> > > --------------------------
> > > Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
> > > PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
> > > SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> > > http://www.switch.ch/cert/
> > >
> > >
> >
> >
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> >
> >
> >
> >
> >
>
>
>
>
>
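The thread's question is how to tell scanners, single-shot exploit attempts and legitimate NNM sessions apart in netflow. The script below turns the heuristics the participants describe into code. It is an added example, not code from any list member and not part of flow-tools: it assumes a small CSV export with the columns shown, constructed sample records on RFC 5737 addresses, and illustrative thresholds (scan_fanout, probe_max_pkts, session_min_pkts). The "reply-traffic" rule is one reading of flows sourced from port 80 toward 2954 (the return half of a session in which 2954 was the client's ephemeral port), not something the thread established, and the "known-server" allow-list is Dave's suggestion.

```python
"""Triage of sources talking to TCP/2954 (HP OpenView NNM) from flow records.

Added example, not code from the list members or from flow-tools.  A scanner
fans out to many destinations with tiny incomplete flows; a legitimate NNM
relationship is a long-lived 1:1 conversation; the published exploit needs
only a few packets carrying a few hundred bytes.  The CSV layout, the sample
records and every threshold are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
import csv
import io

NNM_PORT = 2954  # listener targeted by the published exploit


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int
    octets: int


def parse_flows(text: str) -> list:
    """Parse a constructed CSV export (column names and order are our own
    assumption, not a flow-tools format)."""
    out = []
    for r in csv.DictReader(io.StringIO(text.strip())):
        out.append(Flow(r["src"], int(r["sport"]), r["dst"], int(r["dport"]),
                        int(r["proto"]), int(r["pkts"]), int(r["octets"])))
    return out


def classify_sources(flows, known_servers=frozenset(),
                     scan_fanout=8, probe_max_pkts=3, session_min_pkts=50):
    """Return {src: (verdict, distinct_dsts, flows, median_pkts, median_octets)}
    for every source that sent TCP traffic to NNM_PORT.  Thresholds are
    illustrative and must be tuned to the collector's sampling rate."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.dport == NNM_PORT:
            by_src[f.src].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        dsts = len({f.dst for f in fl})
        med_pkts = median(f.pkts for f in fl)
        med_octets = median(f.octets for f in fl)
        if src in known_servers:
            verdict = "known-server"      # allow-list of recognised NNM servers
        elif all(f.sport < 1024 for f in fl):
            verdict = "reply-traffic"     # well-known source port: 2954 was the client's port
        elif dsts >= scan_fanout and med_pkts <= probe_max_pkts:
            verdict = "scanner"           # wide fan-out, SYN-sized flows
        elif dsts <= 2 and med_pkts >= session_min_pkts:
            verdict = "persistent-1to1"   # long conversation, looks like management traffic
        elif dsts <= 2 and 200 <= med_octets <= 2000:
            verdict = "short-session"     # few packets, a few hundred bytes: fits the exploit
                                          # profile, but also a brief legitimate session
        else:
            verdict = "unclassified"
        verdicts[src] = (verdict, dsts, len(fl), med_pkts, med_octets)
    return verdicts


# Constructed sample: a scanner, a long 1:1 session, web-server reply traffic,
# one short session, one allow-listed NNM server and one flow to another port.
SAMPLE_CSV = "src,sport,dst,dport,proto,pkts,octets\n" + "\n".join(
    [f"203.0.113.5,{40000 + i},192.0.2.{i},2954,6,1,48" for i in range(1, 13)]
    + ["198.51.100.7,51234,192.0.2.10,2954,6,412,61440",
       "192.0.2.80,80,198.51.100.8,2954,6,12,9800",
       "198.51.100.9,49321,192.0.2.11,2954,6,6,700",
       "192.0.2.20,50011,192.0.2.12,2954,6,5,600",
       "198.51.100.9,49322,192.0.2.11,443,6,10,2200"])


def report(verdicts) -> str:
    """flow-stat-style text summary, scanners first, then by fan-out."""
    lines = ["# src verdict dsts flows med_pkts med_octets"]
    for src, v in sorted(verdicts.items(),
                         key=lambda kv: (kv[1][0] != "scanner", -kv[1][1])):
        lines.append(f"{src} {v[0]} {v[1]} {v[2]} {v[3]} {v[4]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(classify_sources(parse_flows(SAMPLE_CSV),
                                  known_servers={"192.0.2.20"})))
```

Run it as a script to get a flow-stat-style table; on real data, replace SAMPLE_CSV with an export from your own collector and put the recognised NNM servers in known_servers. With sampled peering netflow most single-packet probes are never exported, so scan_fanout has to be lowered and the "scanner" verdict becomes correspondingly less reliable; a "short-session" verdict on its own is only a lead, since a brief legitimate session looks the same at the flow level.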