[nsp-sec] Paging Verizon Transit AS19262 - box in boston going ape*
jose nazario
jose at arbor.net
Fri Feb 6 10:28:11 EST 2009
Big spike this morning in ATLAS from a single host:
71.243.113.231 (static-71-243-113-231.bos.east.verizon.net)
Starting at about 0800 US eastern it looks like this box decided to go
ballistic on the internet. Scans only for TCP 5903 and 5905, no exploit
attempts recorded (but our sensors are not listening on these ports so we
may be missing something).
Scans by port:
http://atlas-public.ec2.arbor.net/tmp/2009-02-06/scan/stacked/a2ac28ddf2b24f31942b51480270fd3f.png
Top two ports (dark and light blue, respectively):
Service     Bytes per subnet    Percentage
TCP/5903    8.79 kB             27.3%
TCP/5905    8.59 kB             26.7%
Origin is this one host by a long shot:
Host, Host Name, Bytes per subnet, Percent Total
71.243.113.231, "71.243.113.231 (static-71-243-113-231.bos.east.verizon.net)", 17384.563914, 54.1%
71.126.108.184, "71.126.108.184 (pool-71-126-108-184.phlapa.east.verizon.net)", 4628.685987, 14.4%
Any insights appreciated. The huge and sudden uptick caught our attention.
Thanks.
- jose
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
Arbor Networks www.arbornetworks.com
v: (734) 821 1427
PGP: 0x40A7BF94
-------------------------------------------------------------