[nsp-sec] TCP-23 Increase
Daniel, Sandie M CTR JTF-GNO J3
Sandie.Daniel.ctr at jtfgno.mil
Mon Jun 30 16:16:15 EDT 2008
I'm seeing a spike, but it's not from TCP traffic.
I see a spike in destination port 23, protocol 50; it's from one IP in
particular and from a very small number of netflows:
Date| Records| Bytes| Packets|
2008/06/23T00:00:00| 27.00| 2486317.00| 16370.00|
2008/06/24T00:00:00| 15.00| 1704.00| 17.00|
2008/06/25T00:00:00| 19.00| 1428.00| 19.00|
2008/06/26T00:00:00| 15.00| 2780.00| 15.00|
2008/06/27T00:00:00| 9.00| 2144.00| 9.00|
2008/06/28T00:00:00| 22.00| 87527713.00| 466138.00|
2008/06/29T00:00:00| 57.00| 230501951.00| 1262585.00|
2008/06/30T00:00:00| 11.00| 812.00| 11.00|
INPUT SIZE: 175 records for 31 unique keys
SOURCE IP Key: Top 10 byte counts
sIP| Bytes|%_of_total| cumul_%|
164.214.2.41| 318025852| 99.220342| 99.220342|
75.31.26.69| 2042629| 0.637276| 99.857619|
213.229.143.210| 442944| 0.138193| 99.995812|
70.168.108.26| 2976| 0.000928| 99.996740|
199.67.7.101| 1584| 0.000494| 99.997235|
65.161.67.2| 1488| 0.000464| 99.997699|
217.55.4.66| 1440| 0.000449| 99.998148|
206.112.75.197| 824| 0.000257| 99.998405|
130.76.44.14| 672| 0.000210| 99.998615|
199.0.152.85| 564| 0.000176| 99.998791|
INPUT SIZE: 175 records for 31 unique keys
SOURCE IP Key: Top 10 flow counts
sIP| Records|%_of_total| cumul_%|
164.214.2.41| 49| 28.000000| 28.000000|
199.67.7.101| 22| 12.571429| 40.571429|
217.55.4.66| 18| 10.285714| 50.857143|
75.31.26.69| 17| 9.714286| 60.571429|
206.112.75.197| 11| 6.285714| 66.857143|
130.76.44.14| 8| 4.571429| 71.428571|
212.72.24.129| 6| 3.428571| 74.857143|
130.76.118.12| 4| 2.285714| 77.142857|
208.12.120.127| 4| 2.285714| 79.428571|
12.39.208.3| 4| 2.285714| 81.714286|
Sandie Daniel (Confluent Logic)
Joint Task Force Global Network Operations
J34 Analytical Support and Coordination Branch
Tier 3 Analysis Support Team
Comm: 703-601-6530 DSN: 329-6530
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
Matthew.Swaar at us-cert.gov
Sent: Monday, June 30, 2008 1:53 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] TCP-23 Increase
----------- nsp-security Confidential --------
Since ~1700 on 25 June the amount of TCP-23 (Telnet) scanning on our inbound
interfaces has increased significantly:
Date| Records| Bytes| Packets|
2008/06/24T00:00:00| 1064814.03| 163792334.33| 3058135.58|
2008/06/25T00:00:00| 9967115.49| 690683790.61| 11870293.71| (increase begins ~1700GMT)
2008/06/26T00:00:00| 12572983.34| 859897554.33| 14698986.43|
2008/06/27T00:00:00| 16471860.29| 1141522841.49| 19386825.67|
2008/06/28T00:00:00| 12806202.84| 885557115.53| 15117566.40|
2008/06/29T00:00:00| 14205931.86| 966273992.43| 16498154.88|
2008/06/30T00:00:00| 8261322.00| 578007237.00| 9839865.00| (Partial, only 16/24 hours)
Doesn't appear to be interest in just us, either:
http://www.incidents.org/port.html?port=23
I'm working on comparing IPs across multiple days, to see if it's a relatively
static handful doing this. The traffic appears to be mostly 60bpp SYN
scanning, with some SYN-RST thrown in.
Anyone have a theory about what prompted this?
V/R,
Matt Swaar
US-CERT Analyst
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
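The ~60 bytes-per-packet figure and the day-over-day jump Matt describes can be checked directly from the daily counts. The following is an added example, not code from either poster or from their flow tooling: it parses the pipe-delimited daily summary quoted above, labels days whose average packet size is consistent with bare SYNs, and reports the day the flow count jumps. The 64-byte cut-off and the 3x spike factor are assumed thresholds.

```python
"""Bytes-per-packet and spike check over a daily flow summary (added example)."""
from dataclasses import dataclass
from typing import List

# Daily totals in the layout quoted in the thread (figures taken from the post).
DAILY = """\
Date| Records| Bytes| Packets|
2008/06/24T00:00:00| 1064814.03| 163792334.33| 3058135.58|
2008/06/25T00:00:00| 9967115.49| 690683790.61| 11870293.71|
2008/06/26T00:00:00| 12572983.34| 859897554.33| 14698986.43|
2008/06/27T00:00:00| 16471860.29| 1141522841.49| 19386825.67|
2008/06/28T00:00:00| 12806202.84| 885557115.53| 15117566.40|
2008/06/29T00:00:00| 14205931.86| 966273992.43| 16498154.88|
2008/06/30T00:00:00| 8261322.00| 578007237.00| 9839865.00|
"""
SYN_BPP_MAX = 64.0  # assumed cut-off: a bare SYN is 40-60 bytes on the wire

@dataclass
class DailyRow:
    date: str
    records: float
    nbytes: float
    packets: float
    def bytes_per_packet(self) -> float:
        return self.nbytes / self.packets if self.packets else 0.0
    def packets_per_flow(self) -> float:
        return self.packets / self.records if self.records else 0.0
    def label(self) -> str:
        # Tiny payload-free packets are what a SYN scan looks like in flow data.
        return "scan-like" if self.bytes_per_packet() <= SYN_BPP_MAX else "payload"

def parse_daily(text: str) -> List[DailyRow]:
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) < 4 or cells[0] == "Date":
            continue  # skip the header and blank lines
        rows.append(DailyRow(cells[0], *(float(c) for c in cells[1:4])))
    return rows

def spike_days(rows: List[DailyRow], factor: float = 3.0) -> List[str]:
    """Dates whose flow count is at least `factor` times the previous day's."""
    return [cur.date for prev, cur in zip(rows, rows[1:])
            if prev.records and cur.records / prev.records >= factor]

if __name__ == "__main__":
    for r in parse_daily(DAILY):
        print(r.date[:10], round(r.bytes_per_packet(), 1), "B/pkt", r.label())
    print("spike begins:", spike_days(parse_daily(DAILY)))
```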