[nsp-sec] Flood of UDP port 22 packets / AS16265?
Matthew.Swaar at us-cert.gov
Tue Aug 11 14:41:28 EDT 2009
I'm seeing some strange traffic that began ~27 July and continues
through to today. One IP address sending ~50M packets per hour to a
single Dark IP that I can monitor. This could easily be spoofed, but if
someone from AS16265 is on the list (or if anyone has a PoC and can
forward) I would be interested to hear what's causing this.
The victim IP is dark; my monitors show no packets being sent out, to
the AS16265 host or otherwise.
Sample of traffic (times are GMT):
sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime
85.17.165.16|137.187.66.241|34659|22|17|22727616|977287488||2009/08/11T01:03:57.168|1800.000|2009/08/11T01:33:57.168
85.17.165.16|137.187.66.241|34659|22|17|25426560|1093342080||2009/08/11T01:33:57.169|1800.000|2009/08/11T02:03:57.169
85.17.165.16|137.187.66.241|34659|22|17|25453696|1094508928||2009/08/11T02:03:57.170|1800.000|2009/08/11T02:33:57.170
85.17.165.16|137.187.66.241|34659|22|17|25859072|1111940096||2009/08/11T02:33:57.171|1800.000|2009/08/11T03:03:57.171
85.17.165.16|137.187.66.241|34659|22|17|25989376|1117543168||2009/08/11T03:03:57.172|1800.000|2009/08/11T03:33:57.172
85.17.165.16|137.187.66.241|34659|22|17|26413760|1135791680||2009/08/11T03:33:57.173|1800.000|2009/08/11T04:03:57.173
85.17.165.16|137.187.66.241|34659|22|17|26252160|1128842880||2009/08/11T04:03:57.174|1800.000|2009/08/11T04:33:57.174
85.17.165.16|137.187.66.241|34659|22|17|26480640|1138667520||2009/08/11T04:33:57.175|1800.000|2009/08/11T05:03:57.175
85.17.165.16|137.187.66.241|34659|22|17|26382336|1134440448||2009/08/11T05:03:57.176|1800.000|2009/08/11T05:33:57.176
85.17.165.16|137.187.66.241|34659|22|17|26301248|1130953664||2009/08/11T05:33:57.177|1800.000|2009/08/11T06:03:57.177
85.17.165.16|137.187.66.241|34659|22|17|26260096|1129184128||2009/08/11T06:03:57.178|1800.000|2009/08/11T06:33:57.178
85.17.165.16|137.187.66.241|34659|22|17|26299328|1130871104||2009/08/11T06:33:57.179|1800.000|2009/08/11T07:03:57.179
85.17.165.16|137.187.66.241|34659|22|17|25720384|1105976512||2009/08/11T07:03:57.180|1800.000|2009/08/11T07:33:57.180
85.17.165.16|137.187.66.241|34659|22|17|25528000|1097704000||2009/08/11T07:33:57.181|1800.000|2009/08/11T08:03:57.181
85.17.165.16|137.187.66.241|34659|22|17|25539776|1098210368||2009/08/11T08:03:57.182|1800.000|2009/08/11T08:33:57.182
85.17.165.16|137.187.66.241|34659|22|17|25180864|1082777152||2009/08/11T08:33:57.183|1800.000|2009/08/11T09:03:57.183
85.17.165.16|137.187.66.241|34659|22|17|24921984|1071645312||2009/08/11T09:03:57.184|1800.000|2009/08/11T09:33:57.184
85.17.165.16|137.187.66.241|34659|22|17|25151872|1081530496||2009/08/11T09:33:57.185|1800.000|2009/08/11T10:03:57.185
85.17.165.16|137.187.66.241|34659|22|17|24928768|1071937024||2009/08/11T10:03:57.186|1800.000|2009/08/11T10:33:57.186
85.17.165.16|137.187.66.241|34659|22|17|24878912|1069793216||2009/08/11T10:33:57.187|1800.000|2009/08/11T11:03:57.187
85.17.165.16|137.187.66.241|34659|22|17|24771008|1065153344||2009/08/11T11:03:57.188|1800.000|2009/08/11T11:33:57.188
85.17.165.16|137.187.66.241|34659|22|17|24764416|1064869888||2009/08/11T11:33:57.189|1800.000|2009/08/11T12:03:57.189
85.17.165.16|137.187.66.241|34659|22|17|24269056|1043569408||2009/08/11T12:03:57.190|1800.000|2009/08/11T12:33:57.190
85.17.165.16|137.187.66.241|34659|22|17|23982208|1031234944||2009/08/11T12:33:57.191|1800.000|2009/08/11T13:03:57.191
85.17.165.16|137.187.66.241|34659|22|17|24500992|1053542656||2009/08/11T13:03:57.192|1800.000|2009/08/11T13:33:57.192
85.17.165.16|137.187.66.241|34659|22|17|24425664|1050303552||2009/08/11T13:33:57.193|1799.999|2009/08/11T14:03:57.192
85.17.165.16|137.187.66.241|34659|22|17|24034688|1033491584||2009/08/11T14:03:57.194|1800.000|2009/08/11T14:33:57.194
85.17.165.16|137.187.66.241|34659|22|17|23735680|1020634240||2009/08/11T14:33:57.195|1800.000|2009/08/11T15:03:57.195
85.17.165.16|137.187.66.241|34659|22|17|24080832|1035475776||2009/08/11T15:03:57.196|1800.000|2009/08/11T15:33:57.196
85.17.165.16|137.187.66.241|34659|22|17|24514048|1054104064||2009/08/11T15:33:57.197|1800.000|2009/08/11T16:03:57.197
85.17.165.16|137.187.66.241|34659|22|17|24255168|1042972224||2009/08/11T16:03:57.198|1800.000|2009/08/11T16:33:57.198
85.17.165.16|137.187.66.241|34659|22|17|24618624|1058600832||2009/08/11T16:33:57.199|1800.000|2009/08/11T17:03:57.199
85.17.165.16|137.187.66.241|34659|22|17|24709632|1062514176||2009/08/11T17:03:57.200|1800.000|2009/08/11T17:33:57.200
85.17.165.16|137.187.66.241|34659|22|17|24873728|1069570304||2009/08/11T17:33:57.201|1800.000|2009/08/11T18:03:57.201
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
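Added example (not part of the original post, and not US-CERT tooling): a small Python script that parses pipe-delimited flow records in the column layout of the post's header line (sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime), aggregates them per source/destination/protocol/port, and reports sustained packet rate and average packet size, which is how an analyst would check the "~50M packets per hour" figure against the records and notice that the flood is made of uniformly sized datagrams. Two records are copied from the post (with the wrapped bytes/flags fields rejoined); the TCP record from 192.0.2.10 and the 10,000 pps threshold are constructed for illustration.

```python
"""Characterise high-rate flows in rwcut-style pipe-delimited records.

Added example, not part of the original nsp-sec post. Field layout is taken
from the header line in the post; the threshold and the 192.0.2.10 record are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

HEADER = "sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime"

# First two records from the post (flags field empty for UDP), plus one
# constructed low-volume TCP flow so the threshold check has something to skip.
SAMPLE = """\
85.17.165.16|137.187.66.241|34659|22|17|22727616|977287488||2009/08/11T01:03:57.168|1800.000|2009/08/11T01:33:57.168
85.17.165.16|137.187.66.241|34659|22|17|25426560|1093342080||2009/08/11T01:33:57.169|1800.000|2009/08/11T02:03:57.169
192.0.2.10|137.187.66.241|51000|22|6|12|840|S|2009/08/11T01:10:00.000|3.000|2009/08/11T01:10:03.000
"""


@dataclass(frozen=True)
class FlowRecord:
    sip: str
    dip: str
    sport: int
    dport: int
    protocol: int
    packets: int
    nbytes: int
    flags: str
    stime: str
    duration: float
    etime: str


def parse_records(text: str) -> list[FlowRecord]:
    """Parse one record per line; the header line, if present, is skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == HEADER:
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"expected 11 fields, got {len(f)}: {line!r}")
        records.append(FlowRecord(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                                  int(f[5]), int(f[6]), f[7], f[8],
                                  float(f[9]), f[10]))
    return records


def summarize(records: list[FlowRecord]) -> dict:
    """Aggregate by (sIP, dIP, protocol, dPort); derive pps and bytes/packet."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "seconds": 0.0})
    for r in records:
        a = acc[(r.sip, r.dip, r.protocol, r.dport)]
        a["packets"] += r.packets
        a["bytes"] += r.nbytes
        a["seconds"] += r.duration
    summary = {}
    for key, a in acc.items():
        summary[key] = {
            **a,
            # sustained packets per second over the summed record durations
            "pps": a["packets"] / a["seconds"] if a["seconds"] else 0.0,
            # byte counts in these records include IP/UDP headers
            "bytes_per_packet": a["bytes"] / a["packets"] if a["packets"] else 0.0,
        }
    return summary


def flag_floods(summary: dict, pps_threshold: float = 10000.0) -> list:
    """Return the keys whose sustained packet rate exceeds pps_threshold."""
    return [k for k, v in summary.items() if v["pps"] > pps_threshold]


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE))
    for key in flag_floods(s):
        v = s[key]
        print(f"{key[0]} -> {key[1]} proto {key[2]} dport {key[3]}: "
              f"{v['packets']} pkts over {v['seconds']:.0f}s, "
              f"{v['pps']:.0f} pps, {v['bytes_per_packet']:.1f} B/pkt")
```

Running it on the two copied records gives 48,154,176 packets in the hour from 01:03 to 02:03 GMT (about 13,376 pps) at exactly 43.0 bytes per packet, so the source is sending a constant stream of minimal UDP datagrams rather than anything resembling an SSH session.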