[nsp-sec] tcp/23 increase
Scott A. McIntyre
scott at xs4all.net
Thu Jan 14 02:05:26 EST 2010
On Jan 13, 2010, at 22:01 , Greenberg, David A wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have no idea why, but we (and US higher-ed in general) are seeing an increase in tcp/23 traffic that started Tuesday morning. The volume isn't huge, but 3000 sources in the past 24 hours make me think that this is some sort of coordinated, distributed scan.
I'm not sure if I've seen this here yet or not - here are my numbers for January:
Date Sessions
01-01 5293
02-01 5445
03-01 11778
04-01 14972
05-01 12059
06-01 2286
07-01 2045
08-01 2687
09-01 11488
10-01 10465
11-01 3806
12-01 10526
13-01 11447
Date Unique IPs
01-01 1031
02-01 1032
03-01 1131
04-01 1258
05-01 1115
06-01 618
07-01 966
08-01 1009
09-01 1129
10-01 1098
11-01 1026
12-01 1175
13-01 1251
The first bit of data is just a raw count of dst port 23 activity into my darknets. The same IP may appear more than once. The second bit uniq'ifys the IPs.
So, a couple of peaks, but nothing that I'd call too statistically anomalous, yet.
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.
More information about the nsp-security
mailing list