[nsp-sec] Odd "attack" traffic
Joel Rosenblatt
joel at columbia.edu
Tue Dec 28 19:32:48 EST 2010
Hi,
My memory is not as good as it used to be, but this port sounds very familiar - I am also seeing a lot of this traffic, and I believe that this is a P2P video
program that is used by our Asian students to watch TV from their home countries.
I tracked this down last time by speaking to the owners of the machines and they were all running the same program.
I don't have access to my archives at home, so I can't verify this until I get into the office tomorrow, but a quick check of the users of the IPs using this port seems to support my memory.
My 2 cents.
Joel
--On Wednesday, December 29, 2010 12:09 AM +0000 David Freedman <david.freedman at uk.clara.net> wrote:
> ----------- nsp-security Confidential --------
>
> Nothing for me either, I'm not seeing any of this traffic, would love to
> see one of the captured packets from sources/destinations you have seen an
> increase to...
>
>
> On 29/12/2010 00:07, "jose nazario" <jose at arbor.net> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> On Dec 28, 2010, at 6:52 PM, Kevin Oberman wrote:
>>
>>> For some time I have been seeing continual packets destined for an
>>> unused port, 17368/udp. I've looked around for some idea of what the
>>> reason might be for this, but all I can find is a passing reference
>>> to apache v2.
>>
>> no idea, either. here is the ATLAS Service Report for UDP/17368 over
>> the past 24 hours. note we have no vulns or apps mapped to it, and
>> have no classified exploit traffic there, either. -- jose
>>
>> Service Background
>> Description, ""
>> Vendors, ""
>>
>> Vulnerabilities
>> CVE ID, Age (Days), Description
>>
>>
>> Attacks
>> Description, Attacks per subnet, Percent Change, Latest CVE, Percent
>> Total
>> Other, 0.00, 0, , 0.0
>>
>>
>>
>> Country, Country Name, Attacks per subnet, Percent Total
>> Other, N/A, 0.00, 0.0%
>>
>> ASN, ASN Name, Attacks per subnet, Percent Total
>> Other, N/A, 0.00, 0.0%
>>
>> Host, Host Name, Attacks per subnet, Percent Total
>> Other, N/A, 0.00, 0.0%
>>
>> Scans
>>
>> Country, Country Name, Bytes per subnet, Percent Total
>> CN, "China", 223.109497, 98.1%
>> TR, "Turkey", 2.955307, 1.3%
>> IL, "Israel", 1.473184, 0.6%
>> Other, N/A, 0, 0.0%
>>
>> ASN, ASN Name, Bytes per subnet, Percent Total
>> 4134, "AS4134 (CHINANET-BACKBONE)", 138.341899, 60.8%
>> 4812, "AS4812 (CHINANET-SH-AP)", 84.288268, 37.0%
>> 8386, "AS8386 (KOCNET)", 2.955307, 1.3%
>> 8551, "AS8551 (BEZEQ-INTERNATIONAL-AS)", 1.473184, 0.6%
>> 4847, "AS4847 (CNIX-AP)", 0.47933, 0.2%
>> Other, N/A, 0, 0.0%
>>
>> Host, Host Name, Bytes per subnet, Percent Total
>> 119.86.133.7, "119.86.133.7", 83.587709, 36.7%
>> 116.236.144.37, "116.236.144.37", 81.486034, 35.8%
>> 110.84.30.36, "110.84.30.36", 52.615642, 23.1%
>> 195.87.57.99, "195.87.57.99", 2.955307, 1.3%
>> 124.79.222.49, "124.79.222.49", 2.802235, 1.2%
>> 124.114.130.122, "124.114.130.122", 1.659218, 0.7%
>> 62.219.133.36, "62.219.133.36", 1.473184, 0.6%
>> 182.151.209.130, "182.151.209.130", 0.47933, 0.2%
>> 124.126.177.100, "124.126.177.100", 0.47933, 0.2%
>> Other, N/A, 0, 0.0%
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
> --
>
> David Freedman
> Group Network Engineering
>
> david.freedman at uk.clara.net
> Tel +44 (0) 20 7685 8000
>
> Claranet Group
> 21 Southampton Row
> London - WC1B 5HA - UK
> http://www.claranet.com
>
> Company Registration: 3152737 - Place of registration: England
>
> All the information contained within this electronic message from Claranet
> Ltd is covered by the disclaimer at http://www.claranet.co.uk/disclaimer
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
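The triage Kevin and Joel describe (spot an unexplained UDP port, then work out which local machines are involved before going to talk to their owners) can be done from flow records rather than by hand. The script below is an added example, not code from any poster on this thread; the flow lines, the campus address ranges, the field layout and the classification thresholds are all constructed for illustration. It aggregates per internal host the distinct external peers and bytes in each direction on the port, so that a few hosts each exchanging traffic with many peers (what a P2P video client looks like) are separated from many hosts each touched once by one external source (what a probe looks like).

```python
"""Triage traffic on one UDP port from NetFlow-style records (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PORT = 17368
# Assumed campus ranges; substitute the real ones. Both are documentation prefixes.
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed flow records: time proto src sport dst dport bytes.
# 192.0.2.15 talks both ways with six external peers; 192.0.2.30-33 are each
# hit once by a single external address; the last line is unrelated traffic.
SAMPLE_FLOWS = """\
2010-12-28T18:40:01 udp 192.0.2.15 17368 203.0.113.7 17368 1480
2010-12-28T18:40:01 udp 203.0.113.7 17368 192.0.2.15 17368 9200
2010-12-28T18:40:02 udp 192.0.2.15 17368 203.0.113.44 17368 1480
2010-12-28T18:40:02 udp 203.0.113.44 17368 192.0.2.15 17368 8840
2010-12-28T18:40:03 udp 192.0.2.15 17368 203.0.113.91 17368 1480
2010-12-28T18:40:03 udp 203.0.113.91 17368 192.0.2.15 17368 12400
2010-12-28T18:40:04 udp 192.0.2.15 17368 203.0.113.120 17368 1480
2010-12-28T18:40:05 udp 192.0.2.15 17368 203.0.113.200 17368 1480
2010-12-28T18:40:05 udp 203.0.113.200 17368 192.0.2.15 17368 7300
2010-12-28T18:40:06 udp 192.0.2.15 17368 203.0.113.201 17368 1480
2010-12-28T18:41:10 udp 203.0.113.5 44521 192.0.2.30 17368 60
2010-12-28T18:41:11 udp 203.0.113.5 44521 192.0.2.31 17368 60
2010-12-28T18:41:12 udp 203.0.113.5 44521 192.0.2.32 17368 60
2010-12-28T18:41:13 udp 203.0.113.5 44521 192.0.2.33 17368 60
2010-12-28T18:42:00 tcp 192.0.2.40 51000 203.0.113.9 443 5000
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        ts, proto, src, sport, dst, dport, nbytes = fields
        try:
            yield {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "bytes": int(nbytes)}
        except ValueError:
            continue


def summarize_port(flows, port=PORT, proto="udp"):
    """Per internal host: distinct external peers and bytes in/out on `port`."""
    hosts = defaultdict(lambda: {"peers": set(), "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        if f["proto"] != proto or port not in (f["sport"], f["dport"]):
            continue
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if src_int and not dst_int:
            hosts[f["src"]]["peers"].add(f["dst"])
            hosts[f["src"]]["bytes_out"] += f["bytes"]
        elif dst_int and not src_int:
            hosts[f["dst"]]["peers"].add(f["src"])
            hosts[f["dst"]]["bytes_in"] += f["bytes"]
    return dict(hosts)


def classify(summary, min_peers=5):
    """'p2p-like': many distinct peers and traffic both ways (worth asking the
    owner what is installed); 'inbound-only': only receives, consistent with
    being probed; 'unclear': anything else. Threshold is an assumption."""
    labels = {}
    for host, s in summary.items():
        if len(s["peers"]) >= min_peers and s["bytes_in"] and s["bytes_out"]:
            labels[host] = "p2p-like"
        elif s["bytes_out"] == 0:
            labels[host] = "inbound-only"
        else:
            labels[host] = "unclear"
    return labels


def external_fanout(summary):
    """How many distinct internal hosts each external address touched; one
    address reaching many hosts on the same port reads like a scan."""
    fan = defaultdict(set)
    for host, s in summary.items():
        for peer in s["peers"]:
            fan[peer].add(host)
    return {peer: len(h) for peer, h in fan.items()}


if __name__ == "__main__":
    summary = summarize_port(parse_flows(SAMPLE_FLOWS))
    for host, label in sorted(classify(summary).items()):
        s = summary[host]
        print(f"{host:15} {label:13} peers={len(s['peers'])} "
              f"in={s['bytes_in']} out={s['bytes_out']}")
    for peer, n in sorted(external_fanout(summary).items(), key=lambda kv: -kv[1]):
        print(f"external {peer:15} touched {n} internal host(s)")
```

On the constructed input the script flags 192.0.2.15 as p2p-like (six peers, both directions) and 192.0.2.30 through .33 as inbound-only, with 203.0.113.5 as the one external address touching four hosts. The p2p-like list is the set of machines whose owners are worth a conversation, which is exactly the step Joel used to identify the application last time.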