[nsp-sec] tcp/23 increase
Matthew.Swaar at us-cert.gov
Wed Jan 13 16:38:13 EST 2010
Heyo, David
I'm seeing this too. I haven't isolated the exact start time/date, but
TCP-23 (SYN scanning) rose to #10 on the top20 inbound ports that I see
on the .gov edge. My report for 1/11 didn't include TCP-23 in either
the top-20 ports by flow volume, or as a "notable increase" which
measures %increase rather than pure volume.
I see over 9k source IPs on the 12th, but I haven't resolved or isolated
them.
(Hopefully this formats)
TOP TWENTY DESTINATION PORTS BY VOLUME 2010/01/12 00:00 - 2010/01/12 23:59
RANK  PORT|PROTO  NETFLOWS  PREV 24H  30DAY AVG  24H CHANGE
<...snip...>
10    23|tcp      8682039   223424    1552526    3786%

AMPLIFYING INFORMATION - TOP TWENTY PORTS BY VOLUME
RANK  PORT|PROTO  NETFLOWS  UNIQUE IP  %SCAN  %BS   %NS
<...snip...>
10    23|tcp      8682039   9883       99.96  0.03  0.00

NOTABLE INCREASES (TCP BACKSCATTER REMOVED) OVER 30 DAY AVERAGE
RANK  PORT|PROTO  VOLUME   24h INCREASE  INCR OVER 30 DAY
<...snip...>
7     23|tcp      8679028  3810%         461%
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Greenberg,
David A
Sent: Wednesday, January 13, 2010 4:02 PM
To: NSP-SEC List
Subject: [nsp-sec] tcp/23 increase
----------- nsp-security Confidential --------
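
The two rankings contrasted in the message above (top ports by flow volume versus "notable increase" by percent change), as an added example that is not part of the original message or of US-CERT's tooling. Only the 23|tcp row uses figures from the report; the other rows, the `min_flows` floor and all function names are assumptions, and the backscatter removal behind the report's third table is not reproduced, so the 30-day figure here (459%) differs slightly from the report's 461%.

```python
from dataclasses import dataclass

@dataclass
class PortStats:
    port: str      # "port|proto", as written in the report
    flows: int     # flows seen in the reporting day
    prev_24h: int  # flows seen in the previous 24 hours
    avg_30d: int   # 30-day daily average

def pct_increase(current, baseline):
    """Percent increase of current over baseline; None when there is no baseline."""
    if baseline <= 0:
        return None
    return (current - baseline) / baseline * 100

def top_by_volume(stats, n):
    """Rank purely by flow count: a sudden scan can still miss this list."""
    return sorted(stats, key=lambda s: s.flows, reverse=True)[:n]

def notable_increases(stats, n, min_flows):
    """Rank by % increase over the 30-day average, skipping ports below a volume floor."""
    rows = []
    for s in stats:
        inc = pct_increase(s.flows, s.avg_30d)
        # The floor keeps tiny ports with huge ratios from drowning out real shifts.
        if s.flows >= min_flows and inc is not None and inc > 0:
            rows.append((inc, s.port))
    rows.sort(reverse=True)
    return [(port, round(inc)) for inc, port in rows[:n]]

SAMPLE = [
    PortStats("80|tcp", 90_000_000, 88_000_000, 89_000_000),  # constructed
    PortStats("445|tcp", 40_000_000, 39_500_000, 41_000_000), # constructed
    PortStats("53|udp", 25_000_000, 24_000_000, 20_000_000),  # constructed
    PortStats("31337|tcp", 900, 10, 12),                      # constructed, below floor
    PortStats("23|tcp", 8_682_039, 223_424, 1_552_526),       # from the report above
]

if __name__ == "__main__":
    telnet = SAMPLE[-1]
    print("24h change:", round(pct_increase(telnet.flows, telnet.prev_24h)), "%")
    print("top 3 by volume:", [s.port for s in top_by_volume(SAMPLE, 3)])
    print("notable increases:", notable_increases(SAMPLE, 3, min_flows=100_000))
```
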