[nsp-sec] A puzzle, not urgent. 198.18.0.0/15, RFC2544
Joel Rosenblatt
joel at columbia.edu
Fri Jan 15 10:21:15 EST 2010
Hi Scott,
I just ran a scan for the last 3 hours of traffic and came up with
date time srcip.srcport -> dstip.dstport protocol packets bytes
--------------------------------------------------------------------------------
2010/01/15 08:12:46 160.39.88.71.18459 -> 198.18.162.244.37591 17 1 62
2010/01/15 08:58:17 160.39.194.223.56819 -> 198.18.130.82.55967 6(SYN) 9 544
2010/01/15 08:58:33 160.39.194.223.56819 -> 198.18.130.82.55967 6(SYN) 1 48
Not exactly a flood
Taking a quick look at the other traffic on these machines, they appear to be running SKYPE.
I'm not sure that this helps at all, but it's another data point :-)
Regards,
Joel
--On Friday, January 15, 2010 2:03 PM +0100 "Scott A. McIntyre" <scott at xs4all.net> wrote:
> ----------- nsp-security Confidential --------
>
> All,
>
> In looking at my daily darknet data I've noticed a considerable amount of traffic to:
>
> NetRange: 198.18.0.0 - 198.19.255.255
> CIDR: 198.18.0.0/15
> NetName: NETBLK-NDTL
> NetHandle: NET-198-18-0-0-1
> Parent: NET-198-0-0-0-0
> NetType: IANA Special Use
> Comment: This block is reserved for special purposes.
> Comment: Please see RFC 2544 for additional information.
>
> This is in the Cymru bogon feed, and I've long since used it for dumping into never-never land on my network.
>
> However, after a huge spike of traffic to this range yesterday, I decided to look a bit more closely.
>
> I'm seeing a lot of traffic to www.msftncsi.com -- which, ostensibly, is in line with the use as documented in RFC2544 -- of course Microsoft doesn't
> actually USE this IP range for this connectivity testing (rightly not) but I find it interesting that some customers are getting IPs out of DNS in that range
> for this host.
>
> Other interesting hosts and URLs:
>
> 198.18.1.7:443 - "CONNECT 198.18.1.7:443 HTTP/1.1"
> mail.google.com - "GET /mail/?ui=2&ik=......"
> dss1.siteadvisor.com - "GET /DSS/Query?version=2&client_ver=0.0.1.1&type=domain&name=google.nl HTTP/1.1"
> rad.msn.com - "GET /ADSAdClient31.dll?GetS...."
>
> There are also a number of hits to what should be BitTorrent trackers for various things.
>
> This led me to ponder if there's some DNS changing evilware involved, and that for whatever reason certain traffic and only certain traffic would be dumped
> to addresses in this range. Not all http traffic for customers affected is going there, only some things.
>
> So far a number of customers contacted all have the same DSL modem (Speedtouch), but that may not mean anything.
>
> So, if you're bored, and have data for that /15, and have some insight into what might be going on, I'd like to hear!
>
> Just a puzzle for a Friday afternoon,
>
> Scott A. McIntyre
> XS4ALL Internet B.V.
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
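As an added example (not code from either message in this thread): a script that parses flow-summary lines in the layout pasted above (date time src.port -> dst.port proto[(flags)] packets bytes) and flags any flow whose destination falls in 198.18.0.0/15 or other IANA special-use space, plus a small helper that applies the same check to a set of DNS answers, which is the test the www.msftncsi.com observation calls for. The prefix table is a hand-maintained subset of reserved space, not the Cymru bogon feed; the sample report, the source addresses in it and the resolver answers are constructed, not real data.

```python
"""Flag flow records and DNS answers that point into bogon / special-use space.

Added example, not part of the thread.  Only destinations are checked (the
thread is about traffic *to* 198.18.0.0/15); the constructed sample uses
TEST-NET addresses as sources, which this script does not inspect.
"""
import ipaddress
from dataclasses import dataclass

# Hand-maintained subset of reserved IPv4 prefixes (not a live bogon feed).
BOGON_PREFIXES = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "RFC 1918 private",
    "100.64.0.0/10": "RFC 6598 shared address space",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "RFC 1918 private",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "TEST-NET-1 documentation",
    "192.168.0.0/16": "RFC 1918 private",
    "198.18.0.0/15": "RFC 2544 benchmarking",
    "198.51.100.0/24": "TEST-NET-2 documentation",
    "203.0.113.0/24": "TEST-NET-3 documentation",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (class E)",
}
_NETWORKS = [(ipaddress.ip_network(p), why) for p, why in BOGON_PREFIXES.items()]


def bogon_reason(addr: str):
    """Return why `addr` is a bogon, or None if it is ordinary unicast space."""
    ip = ipaddress.ip_address(addr)
    for net, why in _NETWORKS:
        if ip in net:
            return why
    return None


@dataclass
class Flow:
    when: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    flags: str
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one 'date time src.port -> dst.port proto packets bytes' line."""
    date, time, src, arrow, dst, proto, packets, octets = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    # The port is glued to the address with a dot; split on the last dot.
    src_ip, sport = src.rsplit(".", 1)
    dst_ip, dport = dst.rsplit(".", 1)
    # The protocol field may carry TCP flags in parentheses, e.g. "6(SYN)".
    flags = ""
    if "(" in proto:
        proto, flags = proto[:-1].split("(", 1)
    return Flow(f"{date} {time}", src_ip, int(sport), dst_ip, int(dport),
                int(proto), flags, int(packets), int(octets))


def find_bogon_flows(lines):
    """Return [(flow, reason)] for every flow whose destination is a bogon."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("date") or line.startswith("-"):
            continue  # report header and rule lines
        flow = parse_flow(line)
        reason = bogon_reason(flow.dst)
        if reason:
            hits.append((flow, reason))
    return hits


def check_answers(name: str, answers):
    """Return the DNS answers for `name` that fall in bogon space."""
    return [(a, bogon_reason(a)) for a in answers if bogon_reason(a)]


# Constructed sample report in the thread's layout (not real flows).
SAMPLE_REPORT = """\
date time srcip.srcport -> dstip.dstport protocol packets bytes
--------------------------------------------------------------------------------
2010/01/15 08:12:46 192.0.2.71.18459 -> 198.18.162.244.37591 17 1 62
2010/01/15 08:58:17 192.0.2.223.56819 -> 198.18.130.82.55967 6(SYN) 9 544
2010/01/15 09:01:02 192.0.2.223.40001 -> 203.0.113.9.443 6(SYN) 3 180
2010/01/15 09:02:10 192.0.2.5.51000 -> 8.8.8.8.53 17 2 140
""".splitlines()

if __name__ == "__main__":
    for flow, why in find_bogon_flows(SAMPLE_REPORT):
        tcp = f"/{flow.flags}" if flow.flags else ""
        print(f"{flow.when} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"proto {flow.proto}{tcp}: {why}")
    # Hypothetical resolver answers for the NCSI host (constructed input).
    print(check_answers("www.msftncsi.com", ["198.18.1.7", "1.2.3.4"]))
```

Run over a real flow export with the same layout, the hits are the flows you would expect a bogon ACL to have discarded; pairing `check_answers` with the A records your customers' resolvers actually hand back is the quickest way to tell a DNS-changer from a routing or NAT problem, since a changed resolver shows up as the answer, not the flow.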