[nsp-sec] TCP-23 Increase

Marc Kneppers Marc.Kneppers at TELUS.COM
Mon Jun 30 15:22:53 EDT 2008


Hey Matt

Just an FYI, we have not seen any identifiable increase, IMO. Attached is the graph for our AS for the last 4 weeks. There is a bit of an increase during that time period but it correlates with outbound traffic as well so it's not clear that this is a targeted scan. As you can see, the data is too spotty for me to identify a trend.

-
Marc
TELUS
AS852 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Matthew.Swaar at us-cert.gov
> Sent: Monday, June 30, 2008 11:53 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] TCP-23 Increase
> 
> ----------- nsp-security Confidential --------
> 
> 
> Since ~1700 on 25 June the amount of TCP-23 (Telnet) scanning on our
> inbound interfaces has increased significantly:
> 
> 
>                Date|          Records|                Bytes|              Packets|
> 2008/06/24T00:00:00|       1064814.03|         163792334.33|           3058135.58|
> 2008/06/25T00:00:00|       9967115.49|         690683790.61|          11870293.71| (increase begins ~1700GMT)
> 2008/06/26T00:00:00|      12572983.34|         859897554.33|          14698986.43|
> 2008/06/27T00:00:00|      16471860.29|        1141522841.49|          19386825.67|
> 2008/06/28T00:00:00|      12806202.84|         885557115.53|          15117566.40|
> 2008/06/29T00:00:00|      14205931.86|         966273992.43|          16498154.88|
> 2008/06/30T00:00:00|       8261322.00|         578007237.00|           9839865.00| (Partial, only 16/24 hours)
> 
> 
> Doesn't appear to be interest in just us, either:
> http://www.incidents.org/port.html?port=23
> 
> 
> I'm working on comparing IPs across multiple days, see if it's a
> relatively static handful doing this.  The traffic appears to be mostly
> 60bpp SYN scanning, with some SYN-RST thrown in.
> 
> Anyone have a theory about what prompted this?
> 
> V/R,
> Matt Swaar
> US-CERT Analyst
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AS852-port23-4weeks.png
Type: image/png
Size: 4899 bytes
Desc: AS852-port23-4weeks.png
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080630/2ed8ebad/attachment-0001.png>
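
The cross-day source comparison mentioned in the quoted message can be sketched as follows. This is an added example, not code from either poster: the record layout, the flag-letter notation, the 64 bytes-per-packet cutoff and every address (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (day, src_ip, dst_port, tcp_flags, packets, bytes).
# None of these values come from the thread.
FLOWS = [
    ("2008-06-25", "192.0.2.10", 23, "S", 400, 24000),
    ("2008-06-25", "192.0.2.11", 23, "S", 350, 21000),
    ("2008-06-25", "198.51.100.7", 23, "SPA", 20, 9000),  # real session
    ("2008-06-26", "192.0.2.10", 23, "S", 500, 30000),
    ("2008-06-26", "192.0.2.11", 23, "SR", 300, 18000),
    ("2008-06-26", "203.0.113.5", 23, "S", 100, 6000),
    ("2008-06-27", "192.0.2.10", 23, "S", 450, 27000),
    ("2008-06-27", "203.0.113.9", 23, "S", 80, 4800),
    ("2008-06-27", "192.0.2.11", 80, "S", 10, 600),       # other port
]

def is_scan_like(dport, flags, packets, nbytes, max_bpp=64):
    """TCP/23 flows carrying only SYN (optionally RST) at ~60 bytes/packet."""
    return (dport == 23 and "S" in flags and set(flags) <= {"S", "R"}
            and packets > 0 and nbytes / packets <= max_bpp)

def sources_by_day(flows):
    """Map day -> {source IP -> scan packets} for scan-like flows only."""
    days = defaultdict(lambda: defaultdict(int))
    for day, src, dport, flags, packets, nbytes in flows:
        if is_scan_like(dport, flags, packets, nbytes):
            days[day][src] += packets
    return days

def day_overlap(days):
    """Jaccard similarity of the source sets of consecutive days."""
    order = sorted(days)
    return {(a, b): len(days[a].keys() & days[b].keys())
                    / len(days[a].keys() | days[b].keys())
            for a, b in zip(order, order[1:])}

def static_sources(days):
    """Sources present on every day, and their share of all scan packets."""
    static = set.intersection(*(set(d) for d in days.values()))
    total = sum(sum(d.values()) for d in days.values())
    held = sum(p for d in days.values() for s, p in d.items() if s in static)
    return static, held / total

if __name__ == "__main__":
    days = sources_by_day(FLOWS)
    print(day_overlap(days))
    print(static_sources(days))
```

A high overlap together with a high packet share for the static set points to a fixed handful of scanners; low overlap with a flat share points to a rotating or widely distributed source population.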

