[nsp-sec] Anyone seeing traffic from 145.0.1.0/24 to 145.0.255.255

Niels den Otter Niels.denOtter at surfnet.nl
Wed Jun 2 04:30:58 EDT 2010


All,

SURFnet uses 145.0.1.0/24 and we route this as part of 145.0.0.0/16
in BGP.

In Netflow we see traffic arriving at our network with source IP within
145.0.1.0/24 and with destination 145.0.255.255 (mostly TCP port 137
and 138). This is most likely a misconfigured network/NAT somewhere
and seems innocent. However, it has been going on for a long time
already (nice day/night graphs) and recently we also receive abuse
reports for sources within this network and we are rather sure it
isn't caused by our systems.

We tried to trace this traffic through the upstream provider we
receive this traffic from (TINET), but they are not able to trace
where this traffic arrives in their network, so we can't trace AS by
AS...

Therefore my question here is whether you see this traffic in Netflow, so
that we can hopefully trace further, closer to the source.

Small snapshot:
---------
** nfdump -M /var/local/nfsen/profiles-data/SURFcert_incidenten/Misbruik_145_0_0_0/Zaza:Chico  -T  -r 2010/06/01/nfcapd.201006012000 -o 'fmt:%ts %td %pr %sap -> %dap %pkt %byt %fl %in' -c 20
nfdump filter:
dst host 145.0.255.255
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows  Input
2010-06-01 20:00:33.380    10.050 UDP         145.0.1.81:137   ->    145.0.255.255:137          2      156     1    170
2010-06-01 20:01:04.330    21.490 UDP         145.0.1.81:137   ->    145.0.255.255:137          2      156     1    170
2010-06-01 20:01:23.330     0.000 UDP         145.0.1.74:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:01:36.180     0.000 UDP         145.0.1.81:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:02:11.500     0.000 UDP         145.0.1.74:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:02:23.350     0.000 UDP         145.0.1.81:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:02:57.770     9.150 UDP         145.0.1.81:137   ->    145.0.255.255:137          2      156     1    170
2010-06-01 20:03:15.030     0.000 UDP         145.0.1.74:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:03:47.490     0.000 UDP        145.0.1.228:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:04:22.790     0.000 UDP         145.0.1.74:137   ->    145.0.255.255:137          1       78     1    170
---------


Greetings,

Niels


-- Niels
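The check described in the post, as an added example (not the poster's or SURFnet's own tooling): parse nfdump output in the post's `fmt:` layout and flag flows whose source claims to be inside the operator's own prefix but that entered on an upstream-facing interface. It assumes that input ifIndex 170 is the upstream interface; the sample records are constructed in the same format as the snapshot.

```python
import ipaddress
import re
from collections import Counter

# Prefix announced in BGP (from the post); flows sourced from it must never enter from upstream.
OWN_PREFIX = ipaddress.ip_network("145.0.0.0/16")
# Assumption: SNMP ifIndex 170 (the "Input" column in the post) is the upstream-facing interface.
UPSTREAM_IFINDEX = {170}

# One record in the post's nfdump format: "%ts %td %pr %sap -> %dap %pkt %byt %fl %in"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s+(?P<ifin>\d+)\s*$"
)

def parse_record(line):
    """Return a dict for one nfdump output line, or None for the header/blank lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "pkts", "bytes", "flows", "ifin"):
        rec[k] = int(rec[k])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec

def is_spoofed_own_source(rec):
    """True when a flow claims a source inside our prefix but arrived via an upstream interface."""
    return rec["src"] in OWN_PREFIX and rec["ifin"] in UPSTREAM_IFINDEX

def summarize(lines):
    """Count offending flows per (source address, destination address, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_spoofed_own_source(rec):
            hits[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += rec["flows"]
    return hits

# Constructed sample mirroring the post's layout (not real flow data); the last line is internal.
SAMPLE = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows  Input
2010-06-01 20:00:33.380    10.050 UDP         145.0.1.81:137   ->    145.0.255.255:137          2      156     1    170
2010-06-01 20:01:23.330     0.000 UDP         145.0.1.74:137   ->    145.0.255.255:137          1       78     1    170
2010-06-01 20:01:40.000     0.000 UDP        145.0.1.228:138   ->    145.0.255.255:138          1       78     1    170
2010-06-01 20:02:00.000     0.000 UDP         145.0.2.10:137   ->    145.0.255.255:137          1       78     1     12
""".splitlines()
```

Feed it `nfdump ... -o 'fmt:%ts %td %pr %sap -> %dap %pkt %byt %fl %in'` output line by line; a non-empty result is exactly the traffic the post asks other operators to look for.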