[nsp-sec] UDP 7100 Increase?

White, Gerard Gerard.White at aliant.ca
Tue Mar 4 05:39:36 EST 2008


Greetings.

I had 2 sweeps yesterday...

14:05 UTC w/ 1013 attempts
15:45 UTC w/ 1083 attempts

For the most part, all were using a source UDP port of 7100; there were
a few smaller runs that used udp/59135 and udp/2362.

Yes jtk, I realize the source IP & port have a HIGH probability of being
spoofed, but, FWIW, here's my top-10 as recorded from yesterday:

AS      | IP               | AS Name
4837    | 60.209.6.9       | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 60.209.127.5     | CHINA169-BACKBONE CNCGROUP China169 Backbone
4134    | 202.105.156.174  | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 219.131.108.149  | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 218.19.138.190   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.187.180.174   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 59.35.255.64     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 58.48.93.207     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 58.60.84.104     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 116.30.204.33    | CHINANET-BACKBONE No.31,Jin-rong Street

AS      | IP               | Source Port   | Count
4837    | 60.209.6.9       | 7100          | 297
4837    | 60.209.127.5     | 7100          | 277
4134    | 202.105.156.174  | 59135         | 199
4134    | 219.131.108.149  | 7100          | 164
4134    | 218.19.138.190   | 2362          | 144
4134    | 61.187.180.174   | 0             | 144
4134    | 59.35.255.64     | 7100          | 141
4134    | 58.48.93.207     | 1030          | 130
4134    | 58.60.84.104     | 7100          | 124
4134    | 116.30.204.33    | 7100          | 111


GW
855 - Bell Aliant



-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
Matthew.Swaar at us-cert.gov
Sent: Monday, March 03, 2008 11:42 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] UDP 7100 Increase?

----------- nsp-security Confidential --------

 
Anyone seeing a UDP-7100 traffic increase?  If so, does anyone know
what's causing it?
 
My historical flowdata shows that traffic increased from ~4 flows per
day to 1,072,861 on 3 March.  What's troubling, is that I logged over 6k
unique sources.  I first thought that it might be a DDoS against one or
more customers, but SANS port charts are showing some recent volatile
activity, too.  (http://www.incidents.org/port.html?port=7100)
 
Here's the breakout for the (inbound) flows I show for March 3rd - 4th
GMT:
 
               Date|          Records|                Bytes|     Packets|
2008/03/03T00:00:00|            20.00|              3419.00|       20.00|
2008/03/03T01:00:00|            20.00|              3460.00|       21.00|
2008/03/03T02:00:00|            16.00|              2376.00|       16.00|
2008/03/03T03:00:00|            19.00|              3151.00|       19.00|
2008/03/03T04:00:00|         46794.00|           6641566.00|    63803.00|
2008/03/03T05:00:00|         43807.00|           6295043.00|    60467.00|
2008/03/03T06:00:00|            32.00|              4947.00|       37.00|
2008/03/03T07:00:00|         51664.00|           7380310.00|    70930.00|
2008/03/03T08:00:00|         96702.00|          13909022.00|   133478.00|
2008/03/03T09:00:00|           245.00|             36531.00|      342.00|
2008/03/03T10:00:00|            24.00|              3518.00|       24.00|
2008/03/03T11:00:00|        127143.00|          18289175.00|   175324.00|
2008/03/03T12:00:00|         28062.00|           4024740.00|    38661.00|
2008/03/03T13:00:00|        248105.00|          36357095.00|   347733.00|
2008/03/03T14:00:00|        341644.00|          50365557.00|   483065.00|
2008/03/03T15:00:00|           989.00|            147064.00|     1396.00|
2008/03/03T16:00:00|            41.00|              7851.00|       42.00|
2008/03/03T17:00:00|        112995.00|          16194471.00|   155000.00|
2008/03/03T18:00:00|           177.00|             24751.00|      221.00|
2008/03/03T19:00:00|            37.00|              7942.00|       39.00|
2008/03/03T20:00:00|            34.00|              5587.00|       34.00|
2008/03/03T21:00:00|            35.00|              6553.00|       37.00|
2008/03/03T22:00:00|            23.00|              3402.00|       23.00|
2008/03/03T23:00:00|         70267.00|          10319436.00|    99170.00|
2008/03/04T00:00:00|            22.00|              3212.00|       26.00|
2008/03/04T01:00:00|            25.00|              4340.00|       25.00|
2008/03/04T02:00:00|            15.00|              2272.00|       15.00|
2008/03/04T03:00:00|             1.00|               121.00|        1.00|

The above certainly doesn't resemble the traffic patterns I've observed
in the past during worm outbreaks.  Looked at with a different bias, the
above numbers originated from over 6k+ unique sources (possibly spoofed)
and targeted over 500k unique destination IPs, so it doesn't look like a
DDoS either.
 
This port went from being invisible to being #14 on my top 20, and I'm
wondering 'why'.
 
More details:  The traffic seems to be UDP sport 7100 to dport 7100, 104
bytes per packet.  (My flowdata includes the header size, which I think
is 28 bytes, so you may see this as 76 bytes per packet.)
 
 
Matt Swaar
US-CERT Analyst


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
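As an added example (not code from either poster), here is a small Python triage pass over flow records in the shape both messages describe: it selects UDP flows to dport 7100, buckets them per hour, breaks them out by source port and top source the way Gerard's tables do, compares unique sources against unique destinations to apply Matt's DDoS-versus-sweep reasoning, and subtracts the 28-byte IP+UDP header to reconcile 104 bytes per packet with 76. The sample records are constructed, and the 10x threshold in classify() is my assumption.

```python
from collections import Counter, namedtuple

IP_UDP_HEADER = 28  # 20-byte IPv4 + 8-byte UDP header, as Matt's note assumes
# bytes = on-wire bytes including headers (as in the flowdata); proto 17 = UDP
Flow = namedtuple("Flow", "hour sip dip sport dport proto bytes packets")

# Constructed sample records (not real flow data); documentation-range addresses.
SAMPLE = [
    Flow("2008/03/03T04:00:00", "192.0.2.10", "198.51.100.1", 7100, 7100, 17, 104, 1),
    Flow("2008/03/03T04:00:00", "192.0.2.11", "198.51.100.2", 7100, 7100, 17, 104, 1),
    Flow("2008/03/03T04:00:00", "192.0.2.10", "198.51.100.3", 7100, 7100, 17, 208, 2),
    Flow("2008/03/03T05:00:00", "192.0.2.12", "198.51.100.4", 59135, 7100, 17, 104, 1),
    Flow("2008/03/03T05:00:00", "192.0.2.13", "198.51.100.1", 7100, 7100, 17, 104, 1),
    Flow("2008/03/03T05:00:00", "192.0.2.13", "198.51.100.5", 443, 51234, 6, 6000, 12),
]

def udp_to_7100(flows):
    """Matt's selection: UDP flows whose destination port is 7100."""
    return [f for f in flows if f.proto == 17 and f.dport == 7100]

def classify(n_src, n_dst):
    # Heuristic from the thread (the 10x threshold is my assumption): many
    # sources aimed at a handful of targets looks like a DDoS; sources spread
    # over as many or more destinations looks like a sweep.
    if n_dst == 0:
        return "none"
    if n_src >= 10 * n_dst:
        return "ddos-like"
    if n_dst >= n_src:
        return "sweep-like"
    return "mixed"

def summarize(flows):
    """Per-hour counts, source-port and top-source breakdown, and the
    header-adjusted payload size that lets two sites compare 104 vs 76 bytes."""
    sel = udp_to_7100(flows)
    pkts = sum(f.packets for f in sel)
    bpp = sum(f.bytes for f in sel) / pkts if pkts else 0.0
    sources = {f.sip for f in sel}
    dests = {f.dip for f in sel}
    return {
        "records_per_hour": dict(Counter(f.hour for f in sel)),
        "source_ports": dict(Counter(f.sport for f in sel)),  # Gerard's view
        "top_sources": Counter(f.sip for f in sel).most_common(3),
        "unique_sources": len(sources),
        "unique_dests": len(dests),
        "bytes_per_packet": bpp,
        "payload_per_packet": bpp - IP_UDP_HEADER,  # 104 -> 76 in the thread
        "shape": classify(len(sources), len(dests)),
    }
```

On real data the same functions apply to any record source that yields the eight fields, so the per-hour dict can be compared directly against Matt's hourly table.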
