[nsp-sec] Flood of UDP port 22 packets / AS16265?

Matthew.Swaar at us-cert.gov Matthew.Swaar at us-cert.gov
Tue Aug 11 15:19:54 EDT 2009


Heyo, Scott & Thanks! 


Very Respectfully,

US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst

-----Original Message-----
From: Scott A. McIntyre [mailto:scott at xs4all.net] 
Sent: Tuesday, August 11, 2009 2:14 PM
To: Swaar, Matthew
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Flood of UDP port 22 packets / AS16265?

Hi Matthew,

On Aug 11, 2009, at 20:41 , Matthew.Swaar at us-cert.gov wrote:

> ----------- nsp-security Confidential --------
>
>
> I'm seeing some strange traffic that began ~27 July and continues 
> through to today.  One IP address sending ~50M packets per hour to a 
> single Dark IP that I can monitor.  This could easily be spoofed, but 
> if someone from AS16265 is on the list (or if anyone has a PoC and can
> forward) I would be interested to hear what's causing this.
>
> The victim IP is dark, my monitors show no packets being sent out, to 
> the AS16265 host or otherwise.
>
> Sample of traffic (times are GMT):
>
> sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime
> 85.17.165.16|137.187.66.241|34659|22|17|22727616|977287488||2009/08/11T01:03:57.168|1800.000|2009/08/11T01:33:57.168
> 85.17.165.16|137.187.66.241|34659|22|17|25426560|1093342080|

Sure, I've got a history with folks there.  Very very very dark grey to
black for a very long time, but every now and then they Do The Right
Thing.  I'll reach out to my personal contact there and see what we
get...

Cheers,

Scott A. McIntyre
XS4ALL
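A quick sanity check of the flow record quoted in the thread, as an added example that is not part of the mail: it parses records in the pipe-delimited column layout quoted above (with the mail-wrapped record rejoined), works out packet rate and average packet size, and flags UDP flows above a rate threshold. The Flow/parse_flows/flood_candidates names, the 1000 pps threshold and the second, benign DNS record are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List
# Column layout exactly as quoted in the thread (rwcut-style, pipe-delimited).
HEADER = "sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime"
# Constructed sample: the first record quoted in the mail, with the line that
# the mail client wrapped after the empty flags column rejoined, plus one
# made-up small DNS flow (RFC 5737 address) that the threshold should not flag.
SAMPLE = HEADER + """
85.17.165.16|137.187.66.241|34659|22|17|22727616|977287488||2009/08/11T01:03:57.168|1800.000|2009/08/11T01:33:57.168
192.0.2.10|137.187.66.241|53412|53|17|3|246||2009/08/11T01:05:00.000|0.250|2009/08/11T01:05:00.250
"""
@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes: int
    flags: str
    stime: str
    dur: float
    etime: str

    def pps(self) -> float:
        """Packets per second; a zero-duration flow is treated as 1 ms long."""
        return self.packets / max(self.dur, 0.001)

    def avg_bytes(self) -> float:
        """Average bytes per packet (IP header + UDP header + payload)."""
        return self.bytes / self.packets

def parse_flows(text: str) -> List[Flow]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines[0] != HEADER:
        raise ValueError("unexpected column layout: " + lines[0])
    flows = []
    for ln in lines[1:]:
        f = ln.split("|")
        if len(f) != 11:
            raise ValueError(f"expected 11 fields, got {len(f)}: {ln!r}")
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]),
                          int(f[6]), f[7], f[8], float(f[9]), f[10]))
    return flows

def flood_candidates(flows: List[Flow], min_pps: float = 1000.0) -> List[Flow]:
    """UDP flows at or above min_pps: the steady, high-rate stream of small
    packets toward a dark address described in the mail stands out; DNS does not."""
    return [f for f in flows if f.proto == 17 and f.pps() >= min_pps]
```

For the quoted record this gives about 12,626 packets per second (roughly 45M per hour, matching the ~50M/hour figure in the mail) at a constant 43 bytes per packet, i.e. a 15-byte UDP payload.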
