[nsp-sec] TCP-23 Increase

Rob Thomas robt at cymru.com
Mon Jun 30 22:15:55 EDT 2008


Hi, Matt.

Our Darknets saw a similar spike:

   Hits  Date UTC
    4938 2008-06-24
   16948 2008-06-25
   26113 2008-06-26
   25852 2008-06-27
   17767 2008-06-28
   20376 2008-06-29
     520 2008-06-30

Ah, but that's not the first such spike.  Check out all of 2008-06 UTC:

   Hits  Date UTC
    9109 2008-06-01
    6982 2008-06-02
    7672 2008-06-03
    4781 2008-06-04
    2973 2008-06-05
    8121 2008-06-06
   12374 2008-06-07
   10367 2008-06-08
   11046 2008-06-09
   13062 2008-06-10
    8085 2008-06-11
    5877 2008-06-12
   11088 2008-06-13
   17813 2008-06-14
    9138 2008-06-15
   11817 2008-06-16
   10955 2008-06-17
   17767 2008-06-18
    7591 2008-06-19
   15683 2008-06-20
    8349 2008-06-21
    5453 2008-06-22
    6879 2008-06-23
    4938 2008-06-24
   16948 2008-06-25
   26113 2008-06-26
   25852 2008-06-27
   17767 2008-06-28
   20376 2008-06-29
     520 2008-06-30

The previous month was quite a bit more quiet for TCP 23.

   Hits  Date UTC
    2135 2008-05-01
    2261 2008-05-02
    1695 2008-05-03
    1732 2008-05-04
    1218 2008-05-05
    4141 2008-05-06
    3970 2008-05-07
    3832 2008-05-08
    4313 2008-05-09
    2255 2008-05-10
    2384 2008-05-11
    5450 2008-05-12
    8733 2008-05-13
    6726 2008-05-14
   11544 2008-05-15
    9625 2008-05-16
    9888 2008-05-17
    9217 2008-05-18
    9269 2008-05-19
    8536 2008-05-20
    7328 2008-05-21
    9881 2008-05-22
    9755 2008-05-23
    8919 2008-05-24
   10233 2008-05-25
    9574 2008-05-26
    8558 2008-05-27
   11569 2008-05-28
    6637 2008-05-29
    8956 2008-05-30
    8580 2008-05-31

So yeah, biggest spike starts on 2008-06-26 UTC, etc., but there were a 
few such spikes earlier in the month.

Here are the top ten hitters for 2008-06 UTC.  The seventh column is the 
number of TCP 23 probes we saw.

4782    | 117.56.37.9      | 117.56.0.0/16       | TW | apnic    | 2007-06-28 | 6027            | GSNET Data Communication Business Group
4837    | 202.97.142.10    | 202.97.128.0/19     | CN | apnic    | 1998-08-17 | 4751            | CHINA169-BACKBONE CNCGROUP China169 Backbone
6320    | 86.53.62.33      | 86.53.0.0/16        | GB | ripencc  | 2005-05-10 | 1126            | TELECOMPLETE-AS Telecomplete Ltd, UK
6471    | 164.77.213.115   | 164.77.128.0/17     | CL | lacnic   | 1992-12-23 | 1084            | ENTEL CHILE S.A.
9848    | 211.239.151.162  | 211.239.150.0/23    | KR | apnic    | 2000-09-08 | 1295            | GNGAS Enterprise Networks
13037   | 82.71.72.110     | 82.68.0.0/14        | GB | ripencc  | 2003-04-28 | 1085            | ZEN-AS Zen Internet
17964   | 124.207.41.198   | 124.207.0.0/18      | CN | apnic    | 2006-03-31 | 1264            | DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
24138   | 222.35.136.31    | 222.35.136.0/21     | CN | apnic    | 2003-09-02 | 4970            | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
25346   | 82.133.108.218   | 82.133.0.0/17       | GB | ripencc  | 2003-08-27 | 975             | PIPEX-AS PIPEX Internet
31400   | 84.200.32.205    | 84.200.0.0/16       | DE | ripencc  | 2004-04-28 | 1069            | ACCELERATED-IT Accelerated IT Services GmbH

These hosts like to be naughty in many ways.  They've done the usual 
Windows port scanning, three have been on IRC botnets, one ran a 
phishing site, and the others have visited TCP 22 in their travels.

Thanks,
Rob.


Matthew.Swaar at us-cert.gov wrote:
> ----------- nsp-security Confidential --------
> 
> 
> Since ~1700 on 25 June the amount of TCP-23 (Telnet) scanning on our
> inbound interfaces has increased significantly:
> 
> 
>                Date|          Records|                Bytes|           Packets|
> 2008/06/24T00:00:00|       1064814.03|         163792334.33|        3058135.58|
> 2008/06/25T00:00:00|       9967115.49|         690683790.61|       11870293.71| (increase begins ~1700GMT)
> 2008/06/26T00:00:00|      12572983.34|         859897554.33|       14698986.43|
> 2008/06/27T00:00:00|      16471860.29|        1141522841.49|       19386825.67|
> 2008/06/28T00:00:00|      12806202.84|         885557115.53|       15117566.40|
> 2008/06/29T00:00:00|      14205931.86|         966273992.43|       16498154.88|
> 2008/06/30T00:00:00|       8261322.00|         578007237.00|        9839865.00| (Partial, only 16/24 hours)
> 
> 
> Doesn't appear to be interest in just us, either:
> http://www.incidents.org/port.html?port=23
> 
> 
> I'm working on comparing IPs across multiple days, see if it's a
> relatively static handful doing this.  The traffic appears to be mostly
> 60bpp SYN scanning, with some SYN-RST thrown in.
> 
> Anyone have a theory about what prompted this?
> 
> V/R,
> Matt Swaar
> US-CERT Analyst
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-- 
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
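Two checks on the numbers in this thread, as an added example rather than anything from the original posts: rating June's daily darknet counts against a May baseline (median plus scaled MAD; the k=3 multiplier is an assumption of mine), and Matt's cross-day comparison of source IPs, run here on constructed sample source sets.

```python
"""Added example, not from the thread: two checks on the numbers posted above.
flag_spikes() rates June's daily darknet counts against a robust baseline from
May (median + k * scaled MAD); persistent_sources() answers Matt's question of
whether a static handful of sources drives the scan by counting the distinct
days each source appears on (the source sets below are constructed samples)."""
from collections import Counter
from statistics import median

# Daily TCP/23 darknet hits quoted in the post, 2008-05-01 .. 2008-05-31.
MAY_2008 = [2135, 2261, 1695, 1732, 1218, 4141, 3970, 3832, 4313, 2255,
            2384, 5450, 8733, 6726, 11544, 9625, 9888, 9217, 9269, 8536,
            7328, 9881, 9755, 8919, 10233, 9574, 8558, 11569, 6637, 8956, 8580]
# 2008-06-01 .. 2008-06-30 (the 30th is a partial day).
JUNE_2008 = [9109, 6982, 7672, 4781, 2973, 8121, 12374, 10367, 11046, 13062,
             8085, 5877, 11088, 17813, 9138, 11817, 10955, 17767, 7591, 15683,
             8349, 5453, 6879, 4938, 16948, 26113, 25852, 17767, 20376, 520]


def robust_threshold(baseline, k=3.0):
    """median + k * MAD, MAD scaled by 1.4826 so it matches sigma on normal data."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    return med + k * 1.4826 * mad


def flag_spikes(series, baseline, k=3.0):
    """1-based day numbers whose count exceeds the baseline threshold."""
    thr = robust_threshold(baseline, k)
    return [day for day, hits in enumerate(series, start=1) if hits > thr]


def persistent_sources(daily_sources, min_days):
    """Sources seen on at least min_days distinct days -> {source: day_count}."""
    seen = Counter(ip for day in daily_sources for ip in set(day))
    return {ip: n for ip, n in seen.items() if n >= min_days}


# Constructed per-day source sets (RFC 5737 documentation addresses).
SAMPLE_DAYS = [
    {"192.0.2.10", "192.0.2.11", "198.51.100.5"},
    {"192.0.2.10", "198.51.100.5", "203.0.113.7"},
    {"192.0.2.10", "198.51.100.5", "203.0.113.8"},
]

if __name__ == "__main__":
    print("spike days in June 2008:", flag_spikes(JUNE_2008, MAY_2008))
    print("sources seen on 2+ days:", persistent_sources(SAMPLE_DAYS, 2))
```

Against the May baseline the flagged June days are 14, 18, 25 to 29, which matches Rob's remark that the late-month surge was not the first spike of the month.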

