[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)

Matthew.Swaar at us-cert.gov Matthew.Swaar at us-cert.gov
Tue Apr 15 16:30:30 EDT 2008


Heyo, NSP-SEC!

I'll dogpile with what I've seen for April so far.  TCP-SYN 2954:

               Date|          Records|                Bytes|      Packets|
2008/04/01T00:00:00|            53.00|             59980.00|      1006.00|
2008/04/02T00:00:00|            13.00|              5982.00|       137.00|
2008/04/03T00:00:00|            30.00|           1366667.00|      3345.00|
2008/04/04T00:00:00|             7.00|           1040419.00|     25546.00|
2008/04/05T00:00:00|             5.00|              4092.00|        84.00|
2008/04/06T00:00:00|             3.00|             30341.00|       567.00|
2008/04/07T00:00:00|           191.00|             17109.00|       341.00|
2008/04/08T00:00:00|             6.00|             61289.00|      1396.00|
2008/04/09T00:00:00|            12.00|              9951.00|       186.00|
2008/04/10T00:00:00|        162756.00|          13974334.00|    296604.00|
2008/04/11T00:00:00|         17019.00|           1535653.00|     34923.00|
2008/04/12T00:00:00|             9.00|              6863.00|       156.00|
2008/04/13T00:00:00|             7.00|              6924.00|       152.00|
2008/04/14T00:00:00|           175.00|             16613.00|       283.00|
2008/04/15T00:00:00|             9.00|           4238975.00|      3465.00|

Notable IPs:
          IP|               Bytes|   Packets|     Flows|      Earliest Seen|        Latest Seen|
12.21.167.70|            11068944|    230603|    129980|2008/04/10T00:16:32|2008/04/10T20:29:12|
64.107.162.3|             2900248|     65915|     32757|2008/04/10T11:25:28|2008/04/10T11:37:53|

V/R,
Matt Swaar

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
Sent: Tuesday, April 15, 2008 4:18 PM
To: nsp-security NSP
Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)

----------- nsp-security Confidential --------

Hi, team.

Looking only at TCP SYN flows for TCP 2954, the counts definitely
increased on 2008-04-10 UTC, with a noticeable increase on 2008-04-06
UTC.  2008-04-11 UTC was a banner day, it appears.

Date          Count
2008-04-01     9301
2008-04-02     9317
2008-04-03    11808
2008-04-04    11581
2008-04-05    10108
2008-04-06    15067
2008-04-07    16931
2008-04-08    19126
2008-04-09    20700
2008-04-10    57133
2008-04-11   149495
2008-04-12    16630
2008-04-13    16700
2008-04-14    31105
2008-04-15    44881

Note that this will include some legitimate HP OV connectivity, of
course, but the scale is telling.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/


