[nsp-sec] TCP Flood to 2.1.4.245
Rob Thomas
robt at cymru.com
Thu Nov 19 12:34:32 EST 2009
Hi, Rob.
> This afternoon we saw some odd traffic towards one of the RIPE NCC's
> de-bogonising prefixes (2.1.0.0/21), and in particular 2.1.4.245/32
> within this. The traffic looked to be from spoofed sequential sources,
> and was 650 byte TCP packets with randomised source and destination
> ports (approximately uniform distribution of src/dst port pairs).
We have a few samples in our malware menagerie that point to TCP 445 on
some hosts in 2.1.0.0/21. Probably scanners.
timestamp           | sha1                                     | md5                              | dst_ip    | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- ----------- ---------- ---------- ------
2009-02-06 14:14:44 | ba9476e7bbdb9ab1a701d48620a343a90dfd5eeb | 1f47ce69d74e2817752babc2620407e5 | 2.1.2.16  | 445      | 6        |
2009-02-11 21:33:45 | b3276ae201f0c048fb91c0f82301d82b98bda082 | e899f7d2cc75943b9728bb2ef4b98319 | 2.1.1.144 | 445      | 6        |
2009-03-16 04:57:49 | 9a16d572524089f8011a98f669c370aa7c7fe6d4 | a51361d5922f052b7f5252453da331c2 | 2.1.4.247 | 445      | 6        |
2009-04-11 08:21:40 | f41de72806f56a25f810f0038b54579e5ca0904d | 02e28b76588824b658100cc51e1e8371 | 2.1.1.144 | 445      | 6        |
2009-08-10 06:12:18 | cfd04fa3a25af69a9dbca159cf6636ba3bf7c1ad | cf1630b2603bc2dfac2c1e24a1c3a1db | 2.1.2.16  | 445      | 6        |
2009-10-01 07:24:50 | b1dc8af71de2510eef8108e33d57ea54f455600d | fdec61ab6d4db30cc3ca3509116aac85 | 2.1.7.114 | 445      | 6        |
2009-11-06 07:35:31 | 85c9e5e80628e2d3c0ad656bc9523067ad49fa09 | 912a07394596a4a1ce7eedf87f4d5b4a | 2.1.3.247 | 445      | 6        |
We don't have any specific attack data, though.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);