[nsp-sec] TCP-23 Increase

Yiming Gong yiming.gong at xo.com
Mon Jun 30 17:10:38 EDT 2008


I see some number changes on our network, but not very significant. The 
following two lists are the output from the scan log.

+------------+------------+-------------+
| time       | unique_dst | target_port |
+------------+------------+-------------+
| 2008-06-10 |      34939 | 23          |
| 2008-06-11 |      50384 | 23          |
| 2008-06-12 |      22975 | 23          |
| 2008-06-13 |       2355 | 23          |
| 2008-06-14 |      27439 | 23          |
| 2008-06-15 |      48831 | 23          |
| 2008-06-16 |      35483 | 23          |
| 2008-06-17 |      20925 | 23          |
| 2008-06-18 |      52899 | 23          |
| 2008-06-19 |      34555 | 23          |
| 2008-06-20 |      26991 | 23          |
| 2008-06-21 |      32330 | 23          |
| 2008-06-22 |      36345 | 23          |
| 2008-06-23 |      45796 | 23          |
| 2008-06-24 |      52069 | 23          |
| 2008-06-25 |      50813 | 23          |
| 2008-06-26 |      40853 | 23          |
| 2008-06-27 |      61749 | 23          |
| 2008-06-28 |      93337 | 23          |
| 2008-06-29 |      67662 | 23          |
| 2008-06-30 |      24719 | 23          |
+------------+------------+-------------+

Top active hosts that started to scan port 23 after Jun 25 0:00:

+-----------------+------------------+
| 90.41.97.37     | 2008-06-25 12:50 |
| 122.163.142.194 | 2008-06-25 18:15 |
| 196.205.211.200 | 2008-06-25 18:15 |
| 122.163.179.245 | 2008-06-25 18:15 |
| 196.205.210.157 | 2008-06-25 18:25 |
| 212.230.52.44   | 2008-06-26 00:20 |
| 189.47.251.60   | 2008-06-26 11:15 |
| 201.0.97.43     | 2008-06-26 11:15 |
| 64.82.227.135   | 2008-06-26 14:45 |
| 196.205.166.178 | 2008-06-26 21:25 |
| 82.59.140.108   | 2008-06-27 06:05 |
| 79.155.174.252  | 2008-06-27 09:00 |
| 211.31.162.142  | 2008-06-27 11:50 |
| 81.178.101.103  | 2008-06-27 12:50 |
| 66.226.63.193   | 2008-06-27 13:50 |
| 201.68.240.12   | 2008-06-27 17:45 |
| 68.166.126.62   | 2008-06-27 19:10 |
| 80.13.23.204    | 2008-06-27 21:00 |
| 196.219.138.29  | 2008-06-28 01:40 |
| 41.235.188.193  | 2008-06-28 01:40 |
| 92.49.156.149   | 2008-06-28 01:40 |
| 87.117.11.206   | 2008-06-28 01:40 |
| 84.18.97.151    | 2008-06-28 01:40 |
| 81.89.62.49     | 2008-06-28 06:30 |
| 79.77.125.149   | 2008-06-28 14:05 |
| 213.129.114.89  | 2008-06-28 17:15 |
| 194.46.235.9    | 2008-06-29 02:05 |
| 88.24.38.126    | 2008-06-29 05:00 |
| 80.251.115.12   | 2008-06-29 10:10 |
| 67.42.190.206   | 2008-06-29 10:40 |
| 82.201.181.60   | 2008-06-29 12:50 |
| 83.8.123.113    | 2008-06-29 21:00 |
| 84.79.16.81     | 2008-06-30 06:55 |
| 84.78.187.93    | 2008-06-30 07:50 |
| 78.101.197.150  | 2008-06-30 10:35 |
+-----------------+------------------+


Regards!

Yiming

Jason Chambers wrote:
> ----------- nsp-security Confidential --------
>
> Matthew.Swaar at us-cert.gov wrote:
>> I'm working on comparing IPs across multiple days, see if it's a
>> relatively static handful doing this.  The traffic appears to be mostly
>> 60bpp SYN scanning, with some SYN-RST thrown in.
>>
>> Anyone have a theory about what prompted this?
>>
>>   
>
> Similar observation from here; an increase started on the 25th.  
> 212.106.54.173 was the only host found on more than one day exceeding 20k 
> destinations.
>
> No idea on the reason.  Maybe we should make friends with the PNL 
> folks or figure out how to build a shared "NUANCE" [1].  I saw it at 
> last year's VizSec but haven't gotten anywhere close to replicating it.
>
> --Jason
>
>
> Unique destinations per day:
>
>        date         | dst_port | dst_host_count
> ---------------------+----------+----------------
> 2008-06-29 00:00:00 |       23 |          99663
> 2008-06-28 00:00:00 |       23 |         106823
> 2008-06-27 00:00:00 |       23 |          96185
> 2008-06-26 00:00:00 |       23 |          58626
> 2008-06-25 00:00:00 |       23 |         104375
> 2008-06-24 00:00:00 |       23 |          13476
> 2008-06-22 00:00:00 |       23 |          12021
> 2008-06-20 00:00:00 |       23 |          13864
> 2008-06-19 00:00:00 |       23 |          11178
> 2008-06-18 00:00:00 |       23 |          53817
>
>
>
>
> [1] http://www.vizsec.org/workshop2007/presentations/pike-context.pdf
>
> Bill Pike, Chad Scherrer and Sean Zabriskie.
> Putting Security in Context: Visual Correlation of Network Activity 
> with Real-World Information *
>
> Abstract: To effectively identify and respond to cyber threats, 
> computer security analysts must understand the scale, motivation, 
> methods, source, and target of an attack.  Central to developing this 
> situational awareness is the analyst's world knowledge that puts these 
> attributes in context.  What known exploits or new vulnerabilities 
> might an anomalous traffic pattern suggest?  What organizational, 
> social, or geopolitical events help forecast or explain attacks and 
> anomalies?  Few visualization tools support creating, maintaining, and 
> applying this knowledge of the threat landscape.  Through a series of 
> formative workshops with practicing security analysts, we have 
> developed a visualization approach inspired by the human process of 
> contextualization; this system, called NUANCE, creates evolving 
> behavioral models of network actors at organizational and regional 
> levels, continuously monitors external textual information sources for 
> themes that indicate security threats, and automatically determines if 
> behavior indicative of those threats is present on a network.
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet 
> security counter-measures.
> _______________________________________________
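The three measurements the thread trades back and forth (unique destinations per day for one target port, a day-over-day jump, sources that exceed a destination threshold on more than one day, and the first time each source was seen hitting the port after a cut-off) are simple to compute from flow-style records. The following is an added example written for this page, not code from any of the posters or from their scan-log tooling; the log format, the RFC 5737 documentation addresses and the thresholds are all constructed, and the real threshold from the thread (20k destinations) is replaced by a small one so the sample data triggers it.

```python
"""Port-scan trend analysis over flow-style log lines.

Added example, not code from the nsp-security thread. It reproduces the
measurements discussed there: unique destinations per day for a target
port, a day-over-day jump check, sources that exceed a destination
threshold on more than one day, and the first time each source was seen
scanning the port at or after a cut-off day. The log format, addresses
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "date time src dst dport". Addresses come from
# the RFC 5737 documentation ranges; none of this is real scan-log data.
SAMPLE_LOG = """\
2008-06-24 08:05 198.51.100.7 192.0.2.1 23
2008-06-24 08:05 198.51.100.7 192.0.2.2 23
2008-06-24 09:10 203.0.113.5 192.0.2.3 22
2008-06-25 12:50 198.51.100.7 192.0.2.1 23
2008-06-25 12:50 198.51.100.7 192.0.2.2 23
2008-06-25 12:51 198.51.100.7 192.0.2.3 23
2008-06-25 12:51 198.51.100.7 192.0.2.4 23
2008-06-25 12:52 198.51.100.7 192.0.2.1 23
2008-06-25 18:15 203.0.113.5 192.0.2.5 23
2008-06-25 18:15 203.0.113.5 192.0.2.6 23
2008-06-25 18:16 203.0.113.5 192.0.2.7 23
2008-06-25 18:16 203.0.113.5 192.0.2.8 23
2008-06-25 23:40 203.0.113.9 192.0.2.9 23
2008-06-26 00:20 198.51.100.7 192.0.2.1 23
2008-06-26 00:20 198.51.100.7 192.0.2.2 23
2008-06-26 00:21 198.51.100.7 192.0.2.3 23
2008-06-26 00:21 198.51.100.7 192.0.2.4 23
2008-06-26 11:15 203.0.113.5 192.0.2.20 23
2008-06-26 11:15 203.0.113.9 192.0.2.10 23
2008-06-26 11:15 203.0.113.9 192.0.2.11 23
2008-06-26 11:16 203.0.113.9 192.0.2.12 23
2008-06-26 11:16 203.0.113.9 192.0.2.13 23
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, src, dst, dport = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        records.append((ts, src, dst, int(dport)))
    return records


def unique_dst_per_day(records, port):
    """Distinct destination hosts per day for one target port (the shape of the first table)."""
    per_day = defaultdict(set)  # day -> set of destinations, so repeats count once
    for ts, _src, dst, dport in records:
        if dport == port:
            per_day[ts.strftime("%Y-%m-%d")].add(dst)
    return {day: len(dsts) for day, dsts in sorted(per_day.items())}


def flag_jumps(daily_counts, factor=2.0):
    """Days whose unique-destination count is at least `factor` times the previous day's."""
    days = sorted(daily_counts)
    return [cur for prev, cur in zip(days, days[1:])
            if daily_counts[prev] and daily_counts[cur] >= factor * daily_counts[prev]]


def source_day_counts(records, port):
    """src -> {day -> number of distinct destinations} for one target port."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in records:
        if dport == port:
            seen[src][ts.strftime("%Y-%m-%d")].add(dst)
    return {src: {day: len(d) for day, d in days.items()} for src, days in seen.items()}


def persistent_scanners(records, port, threshold, min_days=2):
    """Sources exceeding `threshold` distinct destinations on at least `min_days` separate days."""
    result = []
    for src, days in source_day_counts(records, port).items():
        hot_days = sorted(day for day, n in days.items() if n > threshold)
        if len(hot_days) >= min_days:
            result.append((src, hot_days))
    return sorted(result)


def first_seen(records, port, since_day):
    """Earliest time on or after `since_day` (YYYY-MM-DD) each source touched `port`, ordered by time."""
    first = {}
    for ts, src, _dst, dport in sorted(records):  # chronological, so the first hit wins
        if dport == port and ts.strftime("%Y-%m-%d") >= since_day and src not in first:
            first[src] = ts.strftime("%Y-%m-%d %H:%M")
    return sorted(first.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    daily = unique_dst_per_day(flows, 23)
    for day, n in daily.items():
        print(f"{day}  unique_dst={n:>6}  target_port=23")
    print("jump days:", flag_jumps(daily))
    print("persistent scanners:", persistent_scanners(flows, 23, threshold=3))
    for src, ts in first_seen(flows, 23, "2008-06-25"):
        print(f"{src:<16} first seen {ts}")
```

Counting distinct destinations rather than packets is what makes the per-day figures comparable across sources, since a single SYN scanner retrying the same hosts would otherwise inflate its count; the "more than one day above threshold" test is the part that separates a persistent scanner from a one-off burst.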



