[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks
Smith, Donald
Donald.Smith at qwest.com
Tue Jun 17 16:14:17 EDT 2008
I ran a netflow report just to see what the timing trend looked like.
This was ALL 1935, not restricted to limelight ;)
Times are in GMT.
Numbers can safely be multiplied by 1k to adjust for our sample rate.
Time
0616.05 146238
0616.06 114449
0616.07 85659
0616.08 70307
0616.09 58109
0616.10 66664
0616.11 79053
0616.12 115858
0616.13 156145
0616.14 183778
0616.15 232130
0616.16 806886
0616.17 1340668
0616.18 1612903
0616.19 1772314
0616.20 1323816
0616.21 285369
0616.22 240314
0616.23 252233
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
> Sent: Monday, June 16, 2008 3:25 PM
> To: nsp-security NSP
> Subject: Re: [nsp-sec] Anyone else seeing a HUGE increase in
> TCP/1935 from Limelight Networks
>
> ----------- nsp-security Confidential --------
>
> Isn't it great that A) people actually noticed this increase, and B) we
> have a forum in which bright minds can discuss it and figure out the
> root cause? That wasn't the case a few short years ago.
>
> Progress++ :)
>
>
>
> Dave Burke wrote:
> > ----------- nsp-security Confidential --------
> >
> > We saw a 10x increase in tcp/1935 this morning and seeing it drop back
> > to normal levels now. Traffic to/from the limelight /18 was @ normal
> > levels during that time.
> >
> > dave
> >
> > Sean Donelan wrote:
> >> ----------- nsp-security Confidential --------
> >
> >> On Mon, 16 Jun 2008, John Fraizer wrote:
> >>> We've suddenly (since about 1600 GMT today) seen a huge increase in
> >>> inbound traffic - a very unnatural curve on our graphs. I have tracked
> >>> this via flows to a large influx of traffic from Limelight networks.
> >> The PGA final round is this afternoon. Could this be a streaming event?
> >
> >> TCP/1935 Adobe Macromedia Flash Real Time Messaging Protocol (RTMP)
> >> "plain" protocol
> >
> >> Are you seeing it decrease now? Tiger won.
> >
> >
> >
> >
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >
> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> >> community. Confidentiality is essential for effective Internet security
> >> counter-measures.
> >> _______________________________________________
>
>
> --
> Rob Thomas
> Team Cymru
> The WHO and WHY team
> http://www.team-cymru.org/
>
>
>
>
>
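The hourly figures in the report at the top of this message can be checked for the spike mechanically. The following is an added example, not part of the original message or the list's tooling: it scales the posted counts by the stated 1k sample rate and flags hours at or above 3x the median of the previous six unflagged hours. The window, the threshold and all function names are assumptions.

```python
from statistics import median

# Hourly TCP/1935 counts copied from the message: 0616.05 through 0616.23 GMT.
DAY = "0616"
FIRST_HOUR = 5
SAMPLED = [146238, 114449, 85659, 70307, 58109, 66664, 79053, 115858, 156145,
           183778, 232130, 806886, 1340668, 1612903, 1772314, 1323816, 285369,
           240314, 252233]

SAMPLE_RATE = 1000  # "multiplied by 1k" per the message
WINDOW = 6          # assumption: baseline is the median of the last 6 unflagged hours
THRESHOLD = 3.0     # assumption: flag an hour at >= 3x its baseline


def scaled_rows(sampled=SAMPLED, first_hour=FIRST_HOUR, rate=SAMPLE_RATE):
    """Return [(label, count)] with counts adjusted for the netflow sample rate."""
    return [(f"{DAY}.{first_hour + i:02d}", n * rate) for i, n in enumerate(sampled)]


def find_spikes(rows, window=WINDOW, threshold=THRESHOLD):
    """Flag hours whose count is >= threshold x the trailing median.

    Flagged hours are kept out of the baseline pool, so a multi-hour event
    cannot raise its own reference level and hide its later hours. The first
    `window` hours only seed the baseline and are never flagged.
    """
    pool, spikes = [], []
    for label, count in rows:
        if len(pool) >= window:
            base = median(pool[-window:])
            if count >= threshold * base:
                spikes.append((label, count, round(count / base, 2)))
                continue
        pool.append(count)
    return spikes


if __name__ == "__main__":
    for label, count, ratio in find_spikes(scaled_rows()):
        print(f"{label} GMT  {count:>13,}  {ratio:5.2f}x baseline")
```

With these settings the ordinary daytime ramp (which stays below 2.5x its trailing median in this data) is not flagged, while the hours from 1600 GMT onward are.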