[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks
Sweeney, William- CIPS
Bill_Sweeney at cable.comcast.com
Mon Jun 16 16:37:53 EDT 2008
We're seeing a large surge of port 1935 traffic too; I haven't dissected
the source yet.
-Bill
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of John Fraizer
Sent: Monday, June 16, 2008 3:00 PM
To: nsp-security NSP
Subject: [nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks
----------- nsp-security Confidential --------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Team,
We've suddenly (since about 1600 GMT today) seen a huge increase in
inbound traffic - a very unnatural curve on our graphs. I have tracked
this via flows to a large influx of traffic from Limelight Networks.
IP range 68.142.64.0 - 68.142.127.255
Network name LLNW-2
Infos Limelight Networks, Inc.
Infos 2220 W. 14th Street
Infos Tempe
Infos AZ
Infos 85281
Country United States (US)
Abuse E-mail ipadmin at limelightnetworks.com
Sample flows filtered on "proto tcp and port 1935 and src net 68.142.0.0/16"
Date flow start  Duration  Proto  Src IP Addr:Port  Dst IP Addr:Port  Flags  Tos  Packets  Bytes  pps  bps  Bpp  Flows
2008-06-16 18:23:29.924 378.964 TCP 68.142.122.184:1935 -> 66.64.210.85:33575 .AP... 0 200 296453 0 6258 1482 13
2008-06-16 18:23:30.932 383.912 TCP 68.142.121.219:1935 -> 69.38.32.34:50660 .AP... 0 158 222868 0 4644 1410 16
2008-06-16 18:23:30.992 322.720 TCP 68.142.121.121:1935 -> 70.46.126.80:3177 .AP... 0 291 313190 0 7763 1076 14
2008-06-16 18:23:31.412 378.588 TCP 68.142.121.219:1935 -> 74.223.197.226:33409 .AP... 0 367 364800 0 7708 994 13
2008-06-16 18:23:32.868 380.904 TCP 68.142.121.199:1935 -> 66.83.42.202:2605 .AP... 0 315 410160 0 8614 1302 9
2008-06-16 18:23:33.176 370.276 TCP 68.142.121.216:1935 -> 66.64.210.85:35280 .AP... 0 241 347725 0 7512 1442 13
2008-06-16 18:23:33.440 365.232 TCP 68.142.121.204:1935 -> 74.223.225.74:53700 .AP... 0 319 452980 0 9922 1420 8
2008-06-16 18:23:33.496 367.996 TCP 68.142.121.218:1935 -> 70.46.165.123:50453 .AP... 0 338 416452 0 9053 1232 13
2008-06-16 18:23:34.664 366.604 TCP 68.142.121.121:1935 -> 74.223.198.218:4482 .AP... 0 279 413545 0 9024 1482 8
2008-06-16 18:23:35.136 339.788 TCP 68.142.121.219:1935 -> 216.215.155.202:4586 .AP... 0 161 220688 0 5195 1370 8
2008-06-16 18:23:35.236 364.720 TCP 68.142.121.121:1935 -> 216.199.241.141:60091 .AP... 0 324 326918 0 7170 1009 13
2008-06-16 18:23:35.296 370.148 TCP 68.142.121.201:1935 -> 66.64.215.254:2563 .AP... 0 213 319500 0 6905 1500 17
2008-06-16 18:23:35.748 380.036 TCP 68.142.81.217:1935 -> 66.49.113.106:31937 .AP... 0 178 267000 0 5620 1500 12
2008-06-16 18:23:36.864 368.604 TCP 68.142.121.220:1935 -> 72.17.211.131:40405 .AP... 0 352 475919 0 10329 1352 14
2008-06-16 18:23:37.020 378.616 TCP 68.142.121.203:1935 -> 66.240.79.162:56643 .AP... 0 270 403542 0 8526 1494 13
2008-06-16 18:23:37.856 372.292 TCP 68.142.121.204:1935 -> 65.97.151.114:15451 .AP... 0 230 333040 0 7156 1448 13
2008-06-16 18:23:37.900 216.204 TCP 68.142.121.201:1935 -> 65.23.112.197:47872 .AP... 0 123 138251 0 5115 1123 6
2008-06-16 18:23:37.936 263.208 TCP 68.142.122.184:1935 -> 216.199.132.122:53247 .AP... 0 247 308057 0 9363 1247 11
2008-06-16 18:23:39.116 330.092 TCP 68.142.121.121:1935 -> 65.97.176.210:1972 .AP... 0 461 560582 1 13586 1216 14
2008-06-16 18:23:40.612 56.332 TCP 68.142.81.217:1935 -> 66.49.113.106:30780 .AP... 0 32 48000 0 6816 1500 2
Summary: total flows: 9646, total bytes: 239.6 M, total packets: 204030, avg bps: 4.9 M, avg pps: 524, avg bpp: 1231
Time window: 2008-06-16 18:23:29 - 2008-06-16 18:29:59
Total flows processed: 3364683, Records skipped: 0, Bytes read: 174966120
Sys: 0.344s flows/second: 9754202.8 Wall: 0.345s flows/second: 9743638.5
Is something going on that I didn't know about? I'm taking on the order
of 2Gb/s more inbound traffic than normal as a result of whatever this
is. Any explanations would be greatly appreciated.
John
AS11456 | AS6981
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
iD8DBQFIVrg5+16lRpJszIgRAsEgAJ97oEqFX+1Y4J55A5QjoGq1JcXOCwCcCy/M
BceOyRZKHwo1k2OBb6Bn1D8=
=n2Us
-----END PGP SIGNATURE-----
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
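Added example, not part of the original thread: one way to turn flow records like the sample above into a per-source-network ranking, so a surge from a single service port can be attributed to the networks sending it. The first four sample rows are taken from the message; the last row, the function name top_sources and the regular expression are assumptions made for this example, and records whose counters are printed with a unit suffix (such as "1.2 M") are skipped rather than parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Sample records in the line format shown in the message. The first four are
# rows from the message; the last one is constructed (RFC 5737 addresses) to
# show that traffic from other source ports is ignored.
SAMPLE = """\
2008-06-16 18:23:29.924 378.964 TCP 68.142.122.184:1935 -> 66.64.210.85:33575 .AP... 0 200 296453 0 6258 1482 13
2008-06-16 18:23:30.932 383.912 TCP 68.142.121.219:1935 -> 69.38.32.34:50660 .AP... 0 158 222868 0 4644 1410 16
2008-06-16 18:23:30.992 322.720 TCP 68.142.121.121:1935 -> 70.46.126.80:3177 .AP... 0 291 313190 0 7763 1076 14
2008-06-16 18:23:35.748 380.036 TCP 68.142.81.217:1935 -> 66.49.113.106:31937 .AP... 0 178 267000 0 5620 1500 12
2008-06-16 18:23:41.000 10.000 TCP 192.0.2.10:80 -> 198.51.100.7:40000 .AP... 0 20 24000 2 19200 1200 1
"""

# One flow record: timestamp, duration, protocol, src -> dst, flags, counters.
FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<tos>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s+(?P<flows>\d+)\s*$"
)


def top_sources(text, sport=1935, prefix=24):
    """Sum flows/packets/bytes per source network for TCP flows sent from `sport`."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["sport"]) != sport:
            continue  # header, summary line, or unrelated traffic
        # Collapse the source address to its covering network (e.g. a /24).
        net = ipaddress.ip_network(f"{m['src']}/{prefix}", strict=False)
        t = totals[str(net)]
        t["flows"] += int(m["flows"])
        t["packets"] += int(m["pkts"])
        t["bytes"] += int(m["bytes"])
    # Heaviest senders first.
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for net, t in top_sources(SAMPLE):
        print(f"{net:<18} flows={t['flows']:<4} pkts={t['packets']:<6} bytes={t['bytes']}")
```

Widening the prefix argument (for example prefix=16) collapses the per-/24 rows into the single source block named in the flow filter.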