[nsp-sec] UDP 7100 Increase?

Neil Long neil.long at cymru.com
Tue Mar 4 13:16:22 EST 2008 

Hi

Very odd and slightly ominous increases. Darknets can grab udp data  
segments of course via tcpdump.

The darknet collectors saw a lot of this starting yetserday -  all  
76byte data segments (but with a 32byte "string" e.g.  
"FE893F2BD50B21AE6CE96F9AD1669564".

Some have srcport=dstport but by no means all and some srcIP packets  
have a fixed srcport while other sequences are incrementing srcport.

There is almost a unique string per srcIP but looking more closely I  
see the data change even though it is targeting the same /24.

The change seems to be more closely related to the timestamp i.e. the  
packets are going out in bursts which don't always cover the full /24

Fairly weird but 32bytes seems way too small to be a payload?? P2p?

regards
Neil




On 4 Mar 2008, at 17:45, <claude.labbe at bell.ca>  
<claude.labbe at bell.ca> wrote:

> ----------- nsp-security Confidential --------
>
>
>
>
>   Hi,
>
> We are seeing 5 to 6 times the usual traffic since Feb 24th
> will try to get more details on this in the next couple of hours
>
> Regards
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Matthew.Swaar at us-cert.gov
> Sent: March 3, 2008 10:12 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] UDP 7100 Increase?
>
> ----------- nsp-security Confidential --------
>
>
> Anyone seeing a UDP-7100 traffic increase?  If so, does anyone know
> what's causing it?
>
> My historical flowdata shows that traffic increased from ~4 flows per
> day to 1,072,861 on 3 March.  What's troubling, is that I logged  
> over 6k
> unique sources.  I first thought that it might be a DDoS against  
> one or
> more customers, but SANS port charts are showing some recent volatile
> activity, too.  (http://www.incidents.org/port.html?port=7100
> <http://www.incidents.org/port.html?port=7100> )
>
> Here's the breakout for the (inbound) flows I show for March 3rd - 4th
> GMT:
>
>                Date|          Records|                Bytes|
> Packets|
> 2008/03/03T00:00:00|            20.00|              3419.00|
> 20.00|
> 2008/03/03T01:00:00|            20.00|              3460.00|
> 21.00|
> 2008/03/03T02:00:00|            16.00|              2376.00|
> 16.00|
> 2008/03/03T03:00:00|            19.00|              3151.00|
> 19.00|
> 2008/03/03T04:00:00|         46794.00|           6641566.00|
> 63803.00|
> 2008/03/03T05:00:00|         43807.00|           6295043.00|
> 60467.00|
> 2008/03/03T06:00:00|            32.00|              4947.00|
> 37.00|
> 2008/03/03T07:00:00|         51664.00|           7380310.00|
> 70930.00|
> 2008/03/03T08:00:00|         96702.00|          13909022.00|
> 133478.00|
> 2008/03/03T09:00:00|           245.00|             36531.00|
> 342.00|
> 2008/03/03T10:00:00|            24.00|              3518.00|
> 24.00|
> 2008/03/03T11:00:00|        127143.00|          18289175.00|
> 175324.00|
> 2008/03/03T12:00:00|         28062.00|           4024740.00|
> 38661.00|
> 2008/03/03T13:00:00|        248105.00|          36357095.00|
> 347733.00|
> 2008/03/03T14:00:00|        341644.00|          50365557.00|
> 483065.00|
> 2008/03/03T15:00:00|           989.00|            147064.00|
> 1396.00|
> 2008/03/03T16:00:00|            41.00|              7851.00|
> 42.00|
> 2008/03/03T17:00:00|        112995.00|          16194471.00|
> 155000.00|
> 2008/03/03T18:00:00|           177.00|             24751.00|
> 221.00|
> 2008/03/03T19:00:00|            37.00|              7942.00|
> 39.00|
> 2008/03/03T20:00:00|            34.00|              5587.00|
> 34.00|
> 2008/03/03T21:00:00|            35.00|              6553.00|
> 37.00|
> 2008/03/03T22:00:00|            23.00|              3402.00|
> 23.00|
> 2008/03/03T23:00:00|         70267.00|          10319436.00|
> 99170.00|
> 2008/03/04T00:00:00|            22.00|              3212.00|
> 26.00|
> 2008/03/04T01:00:00|            25.00|              4340.00|
> 25.00|
> 2008/03/04T02:00:00|            15.00|              2272.00|
> 15.00|
> 2008/03/04T03:00:00|             1.00|               121.00|
> 1.00|
>
> The above certainly doesn't resemble the traffic patterns I've  
> observed
> in the past during worm outbreaks.  Looked at with a different  
> bias, the
> above numbers originated from over 6k+ unique sources (possibly  
> spoofed)
> and targeted over 500k unique destination IPs, so it doesn't look  
> like a
> DDoS either.
>
> This port went from being invisible to being #14 on my top 20, and I'm
> wondering 'why'.
>
> More details:  The traffic seems to be UDP sport 7100 to dport  
> 7100, 104
> bytes per packet.  (My flowdata includes the header size, which I  
> think
> is 28 bytes, so you may see this as 76 bytes per packet.)
>
>
> Matt Swaar
> US-CERT Analyst
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective Internet  
> security
> counter-measures.
> _______________________________________________
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp- 
> security
> community. Confidentiality is essential for effective Internet  
> security counter-measures.
> _______________________________________________
>

--
Neil Long, Team Cymru
http://www.cymru.com | +1 312 924 4022 | neil at cymru.com

More information about the nsp-security mailing list