[nsp-sec] TCP Flood to 2.1.4.245
Rob Shakir
rjs at eng.gxn.net
Thu Nov 19 14:06:27 EST 2009
On 19 Nov 2009, at 17:34, Rob Thomas wrote:
> Hi, Rob.
>
>> This afternoon we saw some odd traffic towards one of the RIPE NCC's
>> de-bogonising prefixes (2.1.0.0/21), and in particular 2.1.4.245/32
>> within this. The traffic looked to be from spoofed sequential sources,
>> and was 650 byte TCP packets with randomised source and destination
>> ports (approximately uniform distribution of src/dst port pairs).
>
> We have a few samples in our malware menagerie that point to TCP 445 on
> some hosts in 2.1.0.0/21. Probably scanners.
Jose, Rob,
Thanks very much for the data. Just to add some flesh to my original
mail -- the flows that we saw look something like the following
(random subset):
srcIP dstIP prot srcPort dstPort octets packets
222.54.131.118 2.1.4.245 6 30476 30944 650 1
218.75.100.195 2.1.4.245 6 7352 6794 650 1
219.139.106.80 2.1.4.245 6 16736 28149 650 1
61.177.236.3 2.1.4.245 6 28639 11524 650 1
124.133.22.15 2.1.4.245 6 4388 21546 650 1
211.90.11.129 2.1.4.245 6 29958 29336 650 1
58.46.16.134 2.1.4.245 6 22380 16031 650 1
218.75.100.194 2.1.4.245 6 27402 6560 650 1
211.90.11.108 2.1.4.245 6 12935 10889 650 1
218.5.205.97 2.1.4.245 6 23457 12243 650 1
61.146.92.56 2.1.4.245 6 4035 20163 650 1
218.75.100.194 2.1.4.245 6 25431 5394 650 1
219.226.83.249 2.1.4.245 6 29169 26910 650 1
58.46.21.92 2.1.4.245 6 8202 6627 650 1
61.146.92.62 2.1.4.245 6 31260 9634 650 1
218.75.100.195 2.1.4.245 6 12227 28065 650 1
58.44.118.81 2.1.4.245 6 10136 18934 650 1
60.191.240.132 2.1.4.245 6 28152 8274 650 1
124.133.22.19 2.1.4.245 6 10426 4481 650 1
I've dropped someone at RIPE a mail, and will update if I find
anything - given the volume of traffic we saw to this prefix, and the
number of people that appear to have transited it, I was expecting
this to have been seen amongst a wider group of networks.
Kind regards,
Rob
--
Rob Shakir <rjs at eng.gxn.net>
Network Development Engineer GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE
This email is subject to: http://www.vialtus.com/disclaimer.html
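The flow sample above carries the four features Rob describes (many distinct sources, some numerically adjacent; one packet per flow; a fixed 650-byte size; source and destination ports spread across the range). The script below is an added example, not code from the nsp-sec thread or from GX Networks: it parses the flow lines exactly as quoted in the mail, extracts those features, and applies a simple flood heuristic. The thresholds in `looks_like_flood()` and the contrasting "benign" flow sample are assumptions constructed for this example. One caveat built into the code: with only 19 records, "approximately uniform" ports cannot be distinguished from merely distinct ports, so normalised Shannon entropy of each port column is used as a proxy.

```python
# Added example: feature extraction and a flood heuristic over the flow
# records quoted in the mail. Not code from the nsp-sec thread.
import ipaddress
import math
from collections import Counter

# Flow records copied from the mail: srcIP dstIP prot srcPort dstPort octets packets
FLOOD_SAMPLE = """
222.54.131.118 2.1.4.245 6 30476 30944 650 1
218.75.100.195 2.1.4.245 6 7352 6794 650 1
219.139.106.80 2.1.4.245 6 16736 28149 650 1
61.177.236.3 2.1.4.245 6 28639 11524 650 1
124.133.22.15 2.1.4.245 6 4388 21546 650 1
211.90.11.129 2.1.4.245 6 29958 29336 650 1
58.46.16.134 2.1.4.245 6 22380 16031 650 1
218.75.100.194 2.1.4.245 6 27402 6560 650 1
211.90.11.108 2.1.4.245 6 12935 10889 650 1
218.5.205.97 2.1.4.245 6 23457 12243 650 1
61.146.92.56 2.1.4.245 6 4035 20163 650 1
218.75.100.194 2.1.4.245 6 25431 5394 650 1
219.226.83.249 2.1.4.245 6 29169 26910 650 1
58.46.21.92 2.1.4.245 6 8202 6627 650 1
61.146.92.62 2.1.4.245 6 31260 9634 650 1
218.75.100.195 2.1.4.245 6 12227 28065 650 1
58.44.118.81 2.1.4.245 6 10136 18934 650 1
60.191.240.132 2.1.4.245 6 28152 8274 650 1
124.133.22.19 2.1.4.245 6 10426 4481 650 1
"""

# Constructed contrast (not from the mail): ordinary web hits to the same
# address, documentation-range sources, fixed dst port, multi-packet flows.
BENIGN_SAMPLE = """
192.0.2.10 2.1.4.245 6 51234 80 4120 7
198.51.100.7 2.1.4.245 6 51877 80 980 3
203.0.113.44 2.1.4.245 6 40021 80 16400 21
192.0.2.77 2.1.4.245 6 60015 80 2210 5
198.51.100.120 2.1.4.245 6 33120 80 7700 9
203.0.113.9 2.1.4.245 6 49906 80 1190 4
192.0.2.150 2.1.4.245 6 52713 80 5330 8
198.51.100.33 2.1.4.245 6 41180 80 880 3
203.0.113.201 2.1.4.245 6 58329 80 12400 15
192.0.2.201 2.1.4.245 6 37745 80 3010 6
198.51.100.88 2.1.4.245 6 45012 80 2560 5
203.0.113.130 2.1.4.245 6 56680 80 9100 11
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines (the mail's column order) into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, octets, packets = line.split()
        flows.append({
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": int(proto), "sport": int(sport), "dport": int(dport),
            "octets": int(octets), "packets": int(packets),
        })
    return flows


def normalized_entropy(values):
    """Shannon entropy of the value distribution divided by log2(n), so 1.0
    means every value is distinct; a small sample cannot say more about
    whether ports were drawn uniformly at random."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)


def adjacent_source_pairs(flows):
    """Count distinct sources whose numeric successor (+1) is also present,
    a cheap indicator of sequentially generated (spoofed) source addresses."""
    srcs = sorted({int(f["src"]) for f in flows})
    return sum(1 for a, b in zip(srcs, srcs[1:]) if b - a == 1)


def summarize(flows):
    """Collect the per-sample features that looks_like_flood() inspects."""
    n = len(flows)
    return {
        "flows": n,
        "sources": len({f["src"] for f in flows}),
        "destinations": len({f["dst"] for f in flows}),
        "single_packet_fraction": sum(f["packets"] == 1 for f in flows) / n,
        "octet_sizes": sorted({f["octets"] for f in flows}),
        "sport_entropy": normalized_entropy([f["sport"] for f in flows]),
        "dport_entropy": normalized_entropy([f["dport"] for f in flows]),
        "adjacent_source_pairs": adjacent_source_pairs(flows),
    }


def looks_like_flood(summary, min_sources=10):
    """Heuristic mirroring the thread: many sources, one-packet flows, a single
    fixed packet size, both port columns spread out. Thresholds are assumptions."""
    return (summary["sources"] >= min_sources
            and summary["single_packet_fraction"] >= 0.9
            and len(summary["octet_sizes"]) == 1
            and summary["sport_entropy"] >= 0.9
            and summary["dport_entropy"] >= 0.9)


if __name__ == "__main__":
    for name, text in (("mail sample", FLOOD_SAMPLE), ("constructed benign", BENIGN_SAMPLE)):
        s = summarize(parse_flows(text))
        print(f"{name}: flood={looks_like_flood(s)} {s}")
```

Run as-is, the mail sample trips every condition (17 sources, all flows single-packet, one octet size, both port columns fully spread) while the constructed web sample fails on the constant destination port and multi-packet flows. The adjacency count is deliberately kept out of the verdict: the sample shows only one neighbouring pair (218.75.100.194/195), and legitimate client populations behind a provider block can be adjacent too, so it is better reported as supporting evidence than used as a threshold.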