[nsp-sec] UDP 7100 Increase?

Gong, Yiming yiming.gong at xo.com
Tue Mar 4 14:39:58 EST 2008


From a non-technical side.

If most of the scans are from China, this MIGHT relate to a popular
online game in China called Legend (http://mir3.gtgame.com.cn/), which
uses udp port 7100.

The game is like a phenomenon in China and there is a huge underground
market behind it. Tons of people set up their own private game servers
using cracked or modified versions to make money, and people sell stolen
user accounts on the internet.

So one possibility is that some exploits were found and people are doing
scans in order to profit.

Regards,
 
Yiming
 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Tuesday, March 04, 2008 12:46 PM
> To: Neil Long; NSP nsp-security
> Subject: Re: [nsp-sec] UDP 7100 Increase?
> 
> ----------- nsp-security Confidential --------
> 
> The 7100 <-> 7100 traffic is interesting.
> 
> The vast majority of the packets are 104 in length however a 
> fair number of them are 1144 long.
> Out of 215,121 total 7100 <-> 7100 records I see the following.
> bytes records
> 104 = 86,799 records
> 1144 = 38,912
> 208 = 5,739 (2 instances of 104)
> 2288 = 4,799 (2 instances of 1144)
> 312 = 1279 (3x104)
> 3432 = 989 (3x1144)
> 
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) && 
> (identify_threat[product[i++]))} Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Neil Long
> > Sent: Tuesday, March 04, 2008 11:16 AM
> > To: NSP nsp-security
> > Subject: Re: [nsp-sec] UDP 7100 Increase?
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Hi
> > 
> > Very odd and slightly ominous increases. Darknets can grab udp data 
> > segments of course via tcpdump.
> > 
> > The darknet collectors saw a lot of this starting yesterday - all 
> > 76-byte data segments (but with a 32-byte "string", e.g.
> > "FE893F2BD50B21AE6CE96F9AD1669564").
> > 
> > Some have srcport=dstport but by no means all, and some srcIP packets
> > have a fixed srcport while other sequences are incrementing srcport.
> > 
> > There is almost a unique string per srcIP but looking more closely I
> > see the data change even though it is targeting the same /24.
> > 
> > The change seems to be more closely related to the timestamp, i.e. the
> > packets are going out in bursts which don't always cover the full /24.
> > 
> > Fairly weird but 32bytes seems way too small to be a payload?? P2p?
> > 
> > regards
> > Neil
> > 
> > 
> > 
> > 
> > On 4 Mar 2008, at 17:45, <claude.labbe at bell.ca> wrote:
> > 
> > > ----------- nsp-security Confidential --------
> > >
> > > Hi,
> > >
> > > We are seeing 5 to 6 times the usual traffic since Feb 24th; will try
> > > to get more details on this in the next couple of hours.
> > >
> > > Regards
> > >
> > > -----Original Message-----
> > > From: nsp-security-bounces at puck.nether.net
> > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > > Matthew.Swaar at us-cert.gov
> > > Sent: March 3, 2008 10:12 PM
> > > To: nsp-security at puck.nether.net
> > > Subject: [nsp-sec] UDP 7100 Increase?
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > >
> > > Anyone seeing a UDP-7100 traffic increase?  If so, does anyone know
> > > what's causing it?
> > >
> > > My historical flowdata shows that traffic increased from ~4 flows per
> > > day to 1,072,861 on 3 March.  What's troubling is that I logged
> > > over 6k unique sources.  I first thought that it might be a DDoS
> > > against one or more customers, but SANS port charts are showing some
> > > recent volatile activity, too.
> > > (http://www.incidents.org/port.html?port=7100)
> > >
> > > Here's the breakout for the (inbound) flows I show for March 3rd - 4th
> > > GMT:
> > >
> > >                Date|   Records|        Bytes|   Packets|
> > > 2008/03/03T00:00:00|     20.00|      3419.00|     20.00|
> > > 2008/03/03T01:00:00|     20.00|      3460.00|     21.00|
> > > 2008/03/03T02:00:00|     16.00|      2376.00|     16.00|
> > > 2008/03/03T03:00:00|     19.00|      3151.00|     19.00|
> > > 2008/03/03T04:00:00|  46794.00|   6641566.00|  63803.00|
> > > 2008/03/03T05:00:00|  43807.00|   6295043.00|  60467.00|
> > > 2008/03/03T06:00:00|     32.00|      4947.00|     37.00|
> > > 2008/03/03T07:00:00|  51664.00|   7380310.00|  70930.00|
> > > 2008/03/03T08:00:00|  96702.00|  13909022.00| 133478.00|
> > > 2008/03/03T09:00:00|    245.00|     36531.00|    342.00|
> > > 2008/03/03T10:00:00|     24.00|      3518.00|     24.00|
> > > 2008/03/03T11:00:00| 127143.00|  18289175.00| 175324.00|
> > > 2008/03/03T12:00:00|  28062.00|   4024740.00|  38661.00|
> > > 2008/03/03T13:00:00| 248105.00|  36357095.00| 347733.00|
> > > 2008/03/03T14:00:00| 341644.00|  50365557.00| 483065.00|
> > > 2008/03/03T15:00:00|    989.00|    147064.00|   1396.00|
> > > 2008/03/03T16:00:00|     41.00|      7851.00|     42.00|
> > > 2008/03/03T17:00:00| 112995.00|  16194471.00| 155000.00|
> > > 2008/03/03T18:00:00|    177.00|     24751.00|    221.00|
> > > 2008/03/03T19:00:00|     37.00|      7942.00|     39.00|
> > > 2008/03/03T20:00:00|     34.00|      5587.00|     34.00|
> > > 2008/03/03T21:00:00|     35.00|      6553.00|     37.00|
> > > 2008/03/03T22:00:00|     23.00|      3402.00|     23.00|
> > > 2008/03/03T23:00:00|  70267.00|  10319436.00|  99170.00|
> > > 2008/03/04T00:00:00|     22.00|      3212.00|     26.00|
> > > 2008/03/04T01:00:00|     25.00|      4340.00|     25.00|
> > > 2008/03/04T02:00:00|     15.00|      2272.00|     15.00|
> > > 2008/03/04T03:00:00|      1.00|       121.00|      1.00|
> > >
> > > The above certainly doesn't resemble the traffic patterns I've
> > > observed in the past during worm outbreaks.  Looked at with a
> > > different bias, the above numbers originated from over 6k+ unique
> > > sources (possibly spoofed) and targeted over 500k unique destination
> > > IPs, so it doesn't look like a DDoS either.
> > >
> > > This port went from being invisible to being #14 on my top 20, and
> > > I'm wondering 'why'.
> > >
> > > More details:  The traffic seems to be UDP sport 7100 to dport 7100,
> > > 104 bytes per packet.  (My flowdata includes the header size, which
> > > I think is 28 bytes, so you may see this as 76 bytes per packet.)
> > >
> > >
> > > Matt Swaar
> > > US-CERT Analyst
> > >
> > >
> > > _______________________________________________
> > > nsp-security mailing list
> > > nsp-security at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/nsp-security
> > >
> > > Please do not Forward, CC, or BCC this E-mail outside of the 
> > > nsp-security community. Confidentiality is essential for 
> effective 
> > > Internet security counter-measures.
> > > _______________________________________________
> > 
> > --
> > Neil Long, Team Cymru
> > http://www.cymru.com | +1 312 924 4022 | neil at cymru.com
> > 
> 
> 
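An added triage helper for the kind of flow summary discussed in this thread (example code, not from any of the posters): it parses the pipe-separated hourly table in the format Matt posted, flags hours that stand far above the quiet baseline (the "5 to 6 times the usual traffic" observation), recovers the on-wire UDP payload from bytes/packets by subtracting the 28-byte IPv4+UDP header, and splits Donald's per-record byte counts into "k instances of 104 / 1144". The sample rows are a constructed subset of the posted table; the 5x spike factor is an assumption.

```python
"""Triage of a UDP/7100 hourly flow summary (added example)."""
from statistics import median

# Constructed sample in the same layout as the posted table (subset of hours).
SAMPLE = """\
               Date|   Records|        Bytes|   Packets|
2008/03/03T02:00:00|     16.00|      2376.00|     16.00|
2008/03/03T03:00:00|     19.00|      3151.00|     19.00|
2008/03/03T04:00:00|  46794.00|   6641566.00|  63803.00|
2008/03/03T06:00:00|     32.00|      4947.00|     37.00|
2008/03/03T14:00:00| 341644.00|  50365557.00| 483065.00|
"""

IP_UDP_HEADER = 28  # 20-byte IPv4 header + 8-byte UDP header


def parse_flow_table(text):
    """Return [(date, records, bytes, packets), ...] from the pipe table."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) != 4 or cells[0] == "Date":
            continue  # skip header line and blank/malformed lines
        rows.append((cells[0], float(cells[1]), float(cells[2]), float(cells[3])))
    return rows


def spike_hours(rows, factor=5.0):
    """Hours whose record count exceeds factor x the median hour (assumed threshold)."""
    baseline = median(r[1] for r in rows)
    return [r[0] for r in rows if r[1] > factor * baseline]


def payload_bytes(byte_count, packets, header=IP_UDP_HEADER):
    """Average UDP payload per packet once IP+UDP headers are stripped."""
    return round(byte_count / packets) - header


def decompose(record_bytes, unit_sizes=(1144, 104)):
    """Express a flow record's byte count as k packets of one unit size.

    Largest unit is tried first because 1144 is itself 11 x 104, so the
    split is a heuristic; the flow's packet count is the authoritative check.
    """
    for unit in unit_sizes:
        if record_bytes % unit == 0:
            return record_bytes // unit, unit
    return None


if __name__ == "__main__":
    rows = parse_flow_table(SAMPLE)
    print("spike hours:", spike_hours(rows))
    print("payload per packet:", payload_bytes(6641566, 63803))
```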

