[nsp-sec] Flood of UDP port 22 packets / AS16265?
Scott A. McIntyre
scott at xs4all.net
Tue Aug 11 15:13:40 EDT 2009
Hi Matthew,
On Aug 11, 2009, at 20:41 , Matthew.Swaar at us-cert.gov wrote:
> ----------- nsp-security Confidential --------
>
>
> I'm seeing some strange traffic that began ~27 July and continues
> through to today. One IP address sending ~50M packets per hour to a
> single Dark IP that I can monitor. This could easily be spoofed, but if
> someone from AS16265 is on the list (or if anyone has a PoC and can
> forward) I would be interested to hear what's causing this.
>
> The victim IP is dark, my monitors show no packets being sent out, to
> the AS16265 host or otherwise.
>
> Sample of traffic (times are GMT):
>
> sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime
> 85.17.165.16|137.187.66.241|34659|22|17|22727616|977287488||2009/08/11T01:03:57.168|1800.000|2009/08/11T01:33:57.168
> 85.17.165.16|137.187.66.241|34659|22|17|25426560|1093342080|
Sure, I've got a history with folks there. Very very very dark grey
to black for a very long time, but every now and then they Do The
Right Thing. I'll reach out to my personal contact there and see what
we get...
Cheers,
Scott A. McIntyre
XS4ALL