[nsp-sec] TCP-23 Increase
Jose Nazario
jose at arbor.net
Mon Jun 30 15:01:16 EDT 2008
On Mon, 30 Jun 2008, Matthew.Swaar at us-cert.gov wrote:
> I'm working on comparing IPs across multiple days, see if it's a
> relatively static handful doing this. The traffic appears to be mostly
> 60bpp SYN scanning, with some SYN-RST thrown in.
no increase here in ATLAS in the past week.
top IPs:
Host, Host Name, Attacks per subnet, Percent Total
67.135.29.143, "67.135.29.143 (143.29.135.67.in-addr.arpa)", 2.18, 2.1%
15.235.211.254, "15.235.211.254", 0.69, 0.7%
218.154.68.96, "218.154.68.96", 0.68, 0.7%
124.30.116.190, "124.30.116.190 (190.116.30.124.in-addr.arpa)", 0.63, 0.6%
192.118.45.2, "192.118.45.2", 0.59, 0.6%
15.243.163.254, "15.243.163.254 (254.163.243.15.in-addr.arpa)", 0.47, 0.5%
222.68.180.42, "222.68.180.42", 0.47, 0.5%
64.104.252.130, "64.104.252.130 (130.252.104.64.in-addr.arpa)", 0.38, 0.4%
12.172.173.162, "12.172.173.162", 0.37, 0.4%
61.157.97.82, "61.157.97.82", 0.36, 0.4%
Other, N/A, 95.63, 93.3%
Host, Host Name, Bytes per subnet, Percent Total
202.97.142.10, "202.97.142.10", 3134.691497, 0.9%
200.43.187.12, "200.43.187.12 (12.187.43.200.in-addr.arpa)", 2866.861999, 0.8%
164.77.213.115, "164.77.213.115", 1527.912477, 0.4%
211.200.44.236, "211.200.44.236", 1108.704083, 0.3%
91.85.225.241, "91.85.225.241", 1089.476026, 0.3%
91.124.88.250, "91.124.88.250 (250.88.124.91.in-addr.arpa)", 831.146747, 0.2%
91.122.98.207, "91.122.98.207 (207.98.122.91.in-addr.arpa)", 806.492122, 0.2%
90.189.184.122, "90.189.184.122 (122.184.189.90.in-addr.arpa)", 788.77383, 0.2%
196.205.171.227, "196.205.171.227 (227.171.205.196.in-addr.arpa)", 787.853182, 0.2%
91.140.151.24, "91.140.151.24", 777.004968, 0.2%
Other, N/A, 342432.344106, 96.1%
spread very broadly.
attacks over the past week:
by attack:
http://atlas-public.ec2.arbor.net/tmp/2008-06-30/attack/stacked/75b6e7d7e44894294f4d888ededa79d4.png
scans by country:
http://atlas-public.ec2.arbor.net/tmp/2008-06-30/scan/stacked/31cd6b5404f5f4d81373317fc83167b4.png
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/