[nsp-sec] TCP-23 Increase
Smith, Donald
Donald.Smith at qwest.com
Mon Jun 30 15:17:54 EDT 2008
No increase here either.
Security through obscurity WORKS against some worms and ssh attacks :)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jose Nazario
> Sent: Monday, June 30, 2008 1:01 PM
> To: Matthew.Swaar at us-cert.gov
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] TCP-23 Increase
>
> ----------- nsp-security Confidential --------
>
> On Mon, 30 Jun 2008, Matthew.Swaar at us-cert.gov wrote:
>
> > I'm working on comparing IPs across multiple days, see if it's a
> > relatively static handful doing this. The traffic appears to be mostly
> > 60bpp SYN scanning, with some SYN-RST thrown in.
>
> no increase here in ATLAS in the past week.
>
> top IPs:
>
> Host, Host Name, Attacks per subnet, Percent Total
> Other, N/A, 95.63, 93.3%
>
>
> Host, Host Name, Bytes per subnet, Percent Total
> Other, N/A, 342432.344106, 96.1%
>
>
>
> spread very broadly.
>
> attacks over the past week:
>
> by attack:
> http://atlas-public.ec2.arbor.net/tmp/2008-06-30/attack/stacked/75b6e7d7e44894294f4d888ededa79d4.png
>
> scans by country:
> http://atlas-public.ec2.arbor.net/tmp/2008-06-30/scan/stacked/31cd6b5404f5f4d81373317fc83167b4.png
>
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>