[nsp-sec] Strong Increase in port 1433/tcp

Yiming Gong yiming.gong at xo.com
Mon Mar 2 12:45:54 EST 2009


I saw similar data from my in house darknet, which used to get only
around 40 uniq src ips on port 1433 scan every day. On 03-01 that number
changed to around 5k and it looks like today the number will be even bigger.

The following is an hourly statistic of scan traffic dst to port 1433;
you can see the number of uniq-src-ip started to increase from
2009-03-01 11:00 (central time).

port 1433 record
Time		uniq-src-ip
2009-03-02 11   142
2009-03-02 10   453
2009-03-02 09   452
2009-03-02 08   423
2009-03-02 07   446
2009-03-02 06   442
2009-03-02 05   466
2009-03-02 04   452
2009-03-02 03   418
2009-03-02 02   476
2009-03-02 01   409
2009-03-02 00   401
2009-03-01 23   403
2009-03-01 22   406
2009-03-01 21   382
2009-03-01 20   385
2009-03-01 19   345
2009-03-01 18   354
2009-03-01 17   352
2009-03-01 16   380
2009-03-01 15   413
2009-03-01 14   447
2009-03-01 13   306
2009-03-01 12   201
2009-03-01 11   56
2009-03-01 10   7
2009-03-01 09   7
2009-03-01 08   4
2009-03-01 07   11
2009-03-01 06   7
2009-03-01 05   4
2009-03-01 04   6
2009-03-01 03   4
2009-03-01 02   4
2009-03-01 01   8
2009-03-01 00   7
2009-02-28 18   1
2009-02-28 17   7
2009-02-28 16   7
2009-02-28 15   6
2009-02-28 14   7
2009-02-28 13   5
2009-02-28 12   6
2009-02-28 11   2

and below is the top 10 by ASN on my network.

port 1433
uniq-src-ip  ASN
1227 17557
1002 17813
 511 8452
 465 23966
 417 7552
 365 9443
 325 17762
 319 4788
 263 24863
 199 9556

Regards!

Yiming

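The hourly "uniq-src-ip" counts and the per-ASN ranking above are the kind of numbers a darknet operator pulls out of raw flow records. As an added example (not Yiming's or DFN-CERT's tooling), the script below does both over a few constructed flow lines and flags the hour where the unique-source count jumps past a multiple of the earlier baseline. It also counts flows per hour separately, so the "more sources, not much more traffic" pattern Klaus describes can be checked in the same pass. The flow line format, the prefix-to-ASN table (private-use ASNs) and the spike factor are assumptions.

```python
"""Hourly unique-source counting for darknet flow records plus a spike check
and a per-ASN ranking. Added example; not the original poster's code.
Flow format and prefix->ASN map are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed darknet flow records: "<date> <time> <src ip> <dst port>".
# 192.0.2.11 hits port 445 and must be ignored when filtering for 1433.
SAMPLE_FLOWS = """\
2009-03-01 09:12:01 192.0.2.10 1433
2009-03-01 09:40:33 192.0.2.10 1433
2009-03-01 10:05:17 198.51.100.7 1433
2009-03-01 10:44:09 192.0.2.11 445
2009-03-01 11:02:41 192.0.2.12 1433
2009-03-01 11:03:05 192.0.2.13 1433
2009-03-01 11:07:58 198.51.100.8 1433
2009-03-01 11:15:12 198.51.100.9 1433
2009-03-01 11:21:44 203.0.113.4 1433
2009-03-01 11:30:00 203.0.113.5 1433
2009-03-01 11:44:31 203.0.113.5 1433
"""

# Constructed prefix -> ASN table (private-use ASNs, not real allocations).
PREFIX_TO_ASN = {
    ip_network("192.0.2.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("203.0.113.0/24"): 64498,
}


def parse_flows(text):
    """Yield (hour key, src ip, dst port) for every non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, port = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        yield ts.strftime("%Y-%m-%d %H"), src, int(port)


def hourly_unique_sources(text, dst_port=1433):
    """Map hour -> number of distinct source IPs that hit dst_port."""
    per_hour = defaultdict(set)
    for hour, src, port in parse_flows(text):
        if port == dst_port:
            per_hour[hour].add(src)
    return {h: len(s) for h, s in sorted(per_hour.items())}


def hourly_flows(text, dst_port=1433):
    """Map hour -> number of flow records to dst_port (volume, not sources)."""
    per_hour = defaultdict(int)
    for hour, _, port in parse_flows(text):
        if port == dst_port:
            per_hour[hour] += 1
    return dict(sorted(per_hour.items()))


def spike_hours(counts, factor=5, min_baseline=1):
    """Return hours whose count exceeds factor x the median of all earlier
    hours. With a flat baseline of a handful of scanners per hour, a jump
    of this size stands out without any tuning."""
    flagged, history = [], []
    for hour, n in sorted(counts.items()):
        if history:
            base = max(median(history), min_baseline)
            if n > factor * base:
                flagged.append(hour)
        history.append(n)
    return flagged


def top_asns(text, dst_port=1433, limit=10):
    """Rank ASNs by distinct source IPs, using longest-prefix match."""
    seen = {src for _, src, port in parse_flows(text) if port == dst_port}
    per_asn = defaultdict(int)
    for src in seen:
        addr = ip_address(src)
        matches = [net for net in PREFIX_TO_ASN if addr in net]
        if matches:
            best = max(matches, key=lambda net: net.prefixlen)
            per_asn[PREFIX_TO_ASN[best]] += 1
    return sorted(per_asn.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    uniq = hourly_unique_sources(SAMPLE_FLOWS)
    vol = hourly_flows(SAMPLE_FLOWS)
    print("Time           uniq-src-ip  flows")
    for hour in uniq:
        print(f"{hour}   {uniq[hour]:>11}  {vol[hour]:>5}")
    print("spike hours:", spike_hours(uniq))
    print("top ASNs:", top_asns(SAMPLE_FLOWS))
```

On the constructed input the 11:00 hour is flagged because six distinct sources exceed five times the one-per-hour baseline; on a real darknet feed the same comparison would be run per dst port with a longer baseline window, and the flow count beside the source count makes it easy to see whether a spike is many new scanners or one noisy source.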

Klaus Moeller wrote:
> ----------- nsp-security Confidential --------
> 
> Hi teams,
> 
> Our darknet (and SANS ISC) also see a strong increase (8-fold now) in src ip 
> addresses accessing port 1433/tcp (MS-SQL). Overall traffic to that port 
> (flows, packets, bytes) does not seem to increase, at least not much.
> 
> Any idea what may be the cause?
> 
> Currently, I have no meaningful packet capture, as we get only SYN packets 
> in our darknet. I'm working on getting a better packet dump.
> 
> Best regards,
> 		Klaus Möller, DFN-CERT
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________