[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks
RuthAnne Bevier
ruthanne at caltech.edu
Mon Jun 16 16:29:29 EDT 2008
We're seeing a little traffic (tcp syn packets) with source port
1935 to our dark nets, but it's not a huge amount, and not
restricted to just one source ASN, fwiw.
--RuthAnne
On Mon, Jun 16, 2008 at 04:13:28PM -0400, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> On Mon, 16 Jun 2008, John Fraizer wrote:
>
> >We've suddenly (since about 1600 GMT today) seen a huge increase in
> >inbound traffic - a very unnatural curve on our graphs. I have tracked
> >this via flows to a large influx of traffic from Limelight networks.
>
> [snip]
>
> nothing like that in ATLAS in the past week. here's aggregate scanning
> from AS22822 in the past 7 days:
>
> ATLAS Network AS Report
> Global
> AS22822 (LLNW)
>
> Scans
> Service, Service Name, Bytes per subnet, Percent Total
> tcp/3072, "TCP/3072", 397.220986, 41.4%
> tcp/1024, "TCP/1024", 396.391351, 41.3%
> udp/7462, "UDP/7462", 66.608967, 6.9%
> udp/25119, "UDP/25119", 32.608354, 3.4%
> udp/53, "UDP/53 (domain)", 7.367262, 0.8%
> tcp/25, "TCP/25 (smtp)", 6.799766, 0.7%
> udp/3552, "UDP/3552", 5.869864, 0.6%
> udp/44694, "UDP/44694", 4.812826, 0.5%
> udp/1341, "UDP/1341", 2.741253, 0.3%
> udp/22334, "UDP/22334", 2.46576, 0.3%
> Other, N/A, 36.382606, 3.8%
>
>
> even 68.142.0.0/16 (which covers a bunch of the flows you showed) doesn't
> show an uptick in TCP/1935
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
RuthAnne Bevier
Information Security
California Institute of Technology
626-395-2671
ruthanne at caltech.edu
www.imss.caltech.edu