[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks
John Fraizer
john at op-sec.us
Mon Jun 16 15:00:09 EDT 2008
Hi Team,
We've suddenly (since about 1600 GMT today) seen a huge increase in inbound traffic - a very unnatural curve on our graphs. I have tracked this via flows to a large influx of traffic from Limelight Networks.
IP range 68.142.64.0 - 68.142.127.255
Network name LLNW-2
Infos Limelight Networks, Inc.
Infos 2220 W. 14th Street
Infos Tempe
Infos AZ
Infos 85281
Country United States (US)
Abuse E-mail ipadmin at limelightnetworks.com
Sample flows filtered on "proto tcp and port 1935 and src net 68.142.0.0/16"
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2008-06-16 18:23:29.924 378.964 TCP 68.142.122.184:1935 -> 66.64.210.85:33575 .AP... 0 200 296453 0 6258 1482 13
2008-06-16 18:23:30.932 383.912 TCP 68.142.121.219:1935 -> 69.38.32.34:50660 .AP... 0 158 222868 0 4644 1410 16
2008-06-16 18:23:30.992 322.720 TCP 68.142.121.121:1935 -> 70.46.126.80:3177 .AP... 0 291 313190 0 7763 1076 14
2008-06-16 18:23:31.412 378.588 TCP 68.142.121.219:1935 -> 74.223.197.226:33409 .AP... 0 367 364800 0 7708 994 13
2008-06-16 18:23:32.868 380.904 TCP 68.142.121.199:1935 -> 66.83.42.202:2605 .AP... 0 315 410160 0 8614 1302 9
2008-06-16 18:23:33.176 370.276 TCP 68.142.121.216:1935 -> 66.64.210.85:35280 .AP... 0 241 347725 0 7512 1442 13
2008-06-16 18:23:33.440 365.232 TCP 68.142.121.204:1935 -> 74.223.225.74:53700 .AP... 0 319 452980 0 9922 1420 8
2008-06-16 18:23:33.496 367.996 TCP 68.142.121.218:1935 -> 70.46.165.123:50453 .AP... 0 338 416452 0 9053 1232 13
2008-06-16 18:23:34.664 366.604 TCP 68.142.121.121:1935 -> 74.223.198.218:4482 .AP... 0 279 413545 0 9024 1482 8
2008-06-16 18:23:35.136 339.788 TCP 68.142.121.219:1935 -> 216.215.155.202:4586 .AP... 0 161 220688 0 5195 1370 8
2008-06-16 18:23:35.236 364.720 TCP 68.142.121.121:1935 -> 216.199.241.141:60091 .AP... 0 324 326918 0 7170 1009 13
2008-06-16 18:23:35.296 370.148 TCP 68.142.121.201:1935 -> 66.64.215.254:2563 .AP... 0 213 319500 0 6905 1500 17
2008-06-16 18:23:35.748 380.036 TCP 68.142.81.217:1935 -> 66.49.113.106:31937 .AP... 0 178 267000 0 5620 1500 12
2008-06-16 18:23:36.864 368.604 TCP 68.142.121.220:1935 -> 72.17.211.131:40405 .AP... 0 352 475919 0 10329 1352 14
2008-06-16 18:23:37.020 378.616 TCP 68.142.121.203:1935 -> 66.240.79.162:56643 .AP... 0 270 403542 0 8526 1494 13
2008-06-16 18:23:37.856 372.292 TCP 68.142.121.204:1935 -> 65.97.151.114:15451 .AP... 0 230 333040 0 7156 1448 13
2008-06-16 18:23:37.900 216.204 TCP 68.142.121.201:1935 -> 65.23.112.197:47872 .AP... 0 123 138251 0 5115 1123 6
2008-06-16 18:23:37.936 263.208 TCP 68.142.122.184:1935 -> 216.199.132.122:53247 .AP... 0 247 308057 0 9363 1247 11
2008-06-16 18:23:39.116 330.092 TCP 68.142.121.121:1935 -> 65.97.176.210:1972 .AP... 0 461 560582 1 13586 1216 14
2008-06-16 18:23:40.612 56.332 TCP 68.142.81.217:1935 -> 66.49.113.106:30780 .AP... 0 32 48000 0 6816 1500 2
Summary: total flows: 9646, total bytes: 239.6 M, total packets: 204030, avg bps: 4.9 M, avg pps: 524, avg bpp: 1231
Time window: 2008-06-16 18:23:29 - 2008-06-16 18:29:59
Total flows processed: 3364683, Records skipped: 0, Bytes read: 174966120
Sys: 0.344s flows/second: 9754202.8 Wall: 0.345s flows/second: 9743638.5
Is something going on that I didn't know about? I'm taking on the order of 2Gb/s more inbound traffic than normal as a result of whatever this is. Any explanations would be greatly appreciated.
John
AS11456 | AS6981
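
A per-source breakdown of flow rows like the ones in this report, as an added example that is not part of the original message: it parses rows in the format shown above (five rows copied from the message as sample input), sums bytes per source /24 for source port 1935, and checks each row's bps column against its bytes and duration. The function names and the /24 bucket size are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Five rows copied from the sample flows in the message above.
SAMPLE = """\
2008-06-16 18:23:29.924 378.964 TCP 68.142.122.184:1935 -> 66.64.210.85:33575 .AP... 0 200 296453 0 6258 1482 13
2008-06-16 18:23:30.932 383.912 TCP 68.142.121.219:1935 -> 69.38.32.34:50660 .AP... 0 158 222868 0 4644 1410 16
2008-06-16 18:23:30.992 322.720 TCP 68.142.121.121:1935 -> 70.46.126.80:3177 .AP... 0 291 313190 0 7763 1076 14
2008-06-16 18:23:35.748 380.036 TCP 68.142.81.217:1935 -> 66.49.113.106:31937 .AP... 0 178 267000 0 5620 1500 12
2008-06-16 18:23:40.612 56.332 TCP 68.142.81.217:1935 -> 66.49.113.106:30780 .AP... 0 32 48000 0 6816 1500 2
"""


def parse_flow(line):
    """Split one flow row into the fields used below; reject summary lines."""
    f = line.split()
    if len(f) != 15 or f[5] != "->":
        raise ValueError("unexpected flow row: %r" % line)
    src_ip, src_port = f[4].rsplit(":", 1)
    dst_ip, dst_port = f[6].rsplit(":", 1)
    return {"duration": float(f[2]), "proto": f[3],
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
            "packets": int(f[9]), "bytes": int(f[10]), "bps": int(f[12])}


def top_sources(text, src_net, sport, prefixlen=24):
    """Sum bytes per source prefix for TCP flows from src_net with source port sport."""
    net = ipaddress.ip_network(src_net)
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] == "TCP" and flow["sport"] == sport and flow["src"] in net:
            bucket = ipaddress.ip_network("%s/%d" % (flow["src"], prefixlen), strict=False)
            totals[str(bucket)] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def bps_consistent(flow, tolerance=1):
    """Check the exported bps column against bytes * 8 / duration."""
    return abs(flow["bytes"] * 8 / flow["duration"] - flow["bps"]) <= tolerance


if __name__ == "__main__":
    for prefix, nbytes in top_sources(SAMPLE, "68.142.0.0/16", 1935):
        print(prefix, nbytes)
```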