[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks

John Fraizer john at op-sec.us
Mon Jun 16 16:26:32 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jose,

I'm not sure what this is, but it is consistently sourcing from TCP/1935 with large flows.  Looking at a single target host on my network, I see the following in a sample window:

Samples are 1:1000

proto tcp and port 1935 and host 68.143.163.45
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2008-06-16 17:35:02.876     6.108 TCP      216.66.33.109:1935  ->    68.143.163.45:33477 .AP...   0        7     6321        1     8278    903     2
2008-06-16 17:35:04.200     3.068 TCP      68.143.163.45:33477 ->    216.66.33.109:1935  .A....   0        3      120        0      312     40     1
2008-06-16 17:39:19.968  1778.384 TCP      68.143.163.45:33719 ->   68.142.121.203:1935  .A....   0      408    17680        0       79     43    25
2008-06-16 17:39:21.980  1815.140 TCP     68.142.121.203:1935  ->    68.143.163.45:33719 .AP...   0     1470    1.2 M        0     5565    858    51
2008-06-16 17:40:55.468    13.284 TCP     72.247.242.118:1935  ->    68.143.163.45:33814 .A....   0       28    40542        2    24415   1447     2
2008-06-16 17:41:18.980  1702.328 TCP     64.215.158.149:1935  ->    68.143.163.45:33842 .AP...   0     1258    1.8 M        0     8671   1466    47
2008-06-16 17:46:04.996    25.692 TCP     72.247.242.119:1935  ->    68.143.163.45:34048 .A....   0       27    40500        1    12610   1500     2
2008-06-16 17:46:37.008     0.000 TCP      209.170.95.91:1935  ->    68.143.163.45:34108 .A....   0        1     1500        0        0   1500     1
2008-06-16 18:00:06.656    18.016 TCP     72.247.242.118:1935  ->    68.143.163.45:34923 .A..S.   0       23    33052        1    14676   1437     2
2008-06-16 18:00:32.272   514.892 TCP      68.143.163.45:34944 ->      77.67.2.135:1935  .A..S.   0       55     3880        0       60     70     9
2008-06-16 18:00:34.228   520.372 TCP        77.67.2.135:1935  ->    68.143.163.45:34944 .AP...   0      154   222947        0     3427   1447    16
2008-06-16 18:02:31.980    27.516 TCP     72.247.242.118:1935  ->    68.143.163.45:34993 .A....   0       21    31500        0     9158   1500     2
2008-06-16 18:03:02.916   355.308 TCP       12.23.120.79:1935  ->    68.143.163.45:35018 .AP...   0      291   434216        0     9776   1492    11
2008-06-16 18:03:03.160   356.336 TCP      68.143.163.45:35018 ->     12.23.120.79:1935  .A....   0       66     2824        0       63     42     6
2008-06-16 18:05:46.264     3.412 TCP     72.247.242.134:1935  ->    68.143.163.45:35113 .A....   0        5     7500        1    17584   1500     2
Summary: total flows: 179, total bytes: 3.8 M, total packets: 3817, avg bps: 15205, avg pps: 1, avg bpp: 1034
Time window: 2008-06-16 17:33:32 - 2008-06-16 18:09:58
Total flows processed: 22852332, Records skipped: 0, Bytes read: 1188338892
Sys: 2.969s flows/second: 7695559.1  Wall: 27.890s flows/second: 819360.2



John

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFIVsx4+16lRpJszIgRArLOAJ42ux7UJYpGOlZ0pkdidruz1de2agCfbqdP
uunOpEZm/Fz+ln3sq60FTE0=
=3Q17
-----END PGP SIGNATURE-----
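An added example, not part of John's message: one way to total the bytes each remote server sent from TCP/1935 in flow output of the shape shown above, so the heaviest sources stand out. The function names are hypothetical, and two things are assumed: the K/M/G suffixes are decimal multipliers, and the byte counts have not already been scaled for the stated 1:1000 sampling.

```python
import re
from collections import defaultdict

# Three rows taken from the flow output in the message above.
SAMPLE = """\
2008-06-16 17:35:02.876     6.108 TCP      216.66.33.109:1935  ->    68.143.163.45:33477 .AP...   0        7     6321        1     8278    903     2
2008-06-16 17:39:19.968  1778.384 TCP      68.143.163.45:33719 ->   68.142.121.203:1935  .A....   0      408    17680        0       79     43    25
2008-06-16 17:39:21.980  1815.140 TCP     68.142.121.203:1935  ->    68.143.163.45:33719 .AP...   0     1470    1.2 M        0     5565    858    51
"""

# date, time, duration, proto, src:port -> dst:port, flags, tos, packets, bytes
ROW = re.compile(
    r"^\S+ \S+\s+[\d.]+\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\S+\s+\d+\s+(?P<pkts>\d+)\s+"
    r"(?P<bytes>[\d.]+(?: [KMG])?)\s"
)

# Assumption: suffixes are decimal (1 M = 1,000,000).
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(field):
    """Turn '6321' or '1.2 M' into an integer count."""
    num, _, unit = field.partition(" ")
    return int(round(float(num) * UNITS.get(unit, 1)))


def bytes_by_server(text, port=1935, sampling=1000):
    """Return {server_ip: estimated bytes sent from `port`}.

    Rows whose source port is not `port` (client-to-server ACK traffic),
    the header row and the summary lines are skipped. `sampling` scales the
    sampled counts up to an estimate of real volume (assumption, see lead-in).
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or int(m["sport"]) != port:
            continue
        totals[m["src"]] += parse_count(m["bytes"]) * sampling
    return dict(totals)


if __name__ == "__main__":
    ranked = sorted(bytes_by_server(SAMPLE).items(), key=lambda kv: -kv[1])
    for ip, est in ranked:
        print(f"{ip:<16} ~{est / 1e6:,.1f} MB estimated")
```

Rows whose packet column carries a suffix are not matched by this pattern and would need the same treatment as the bytes column.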