[nsp-sec] SNMP probes or backscatter? Re: comcast?

Rob Thomas robt at cymru.com
Thu Dec 22 15:41:23 EST 2011


Hi, Eric.

Thank you for the insight!

> While the attack is out there now, it makes me want to look in darknet
> data from SNMP.  Stuff I see:

We've seen a significant increase in 2011, after a decrease in 2010.

Total UDP 161 scans
2009: 2858293
2010: 1323668
2011: 4144094

Here is the breakdown for 2011:

Total UDP 161 scans
2011-01: 304801
2011-02: 283916
2011-03: 300427
2011-04: 310658
2011-05: 348534
2011-06: 312121
2011-07: 367293
2011-08: 364214
2011-09: 407130
2011-10: 438825
2011-11: 404250
2011-12: 291024

Some IP addresses of interest:

Top Ten UDP 161 Scanners 2011
ASN    | IP Address     | UDP 161 Scans | AS Name
852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.

Top Ten UDP 161 Scanners 2011-12
ASN    | IP Address     | UDP 161 Scans | AS Name
852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.

> So is this probe traffic or backscatter from affected victims?  It
> seems to me to look like probes.

Seems like probes to me as well.

> We all might keep track of this type of traffic if they're probes and
> investigate sources to see if there's some attribution to a particular
> bot.

Thus far we've not tracked the recent amplifiers back to a botnet.  Some
of them were compromised with the usual buffet of malware, but nothing
in common.  We're looking at commonality between UDP 161 scanners that
visited them prior to the attacks.  That might yield some interesting
candidates.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
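Added example, not part of Rob's message and not Team Cymru's tooling: a small Python triage script for the two analyses discussed above, telling UDP/161 probes from backscatter in sensor data, and the "which scanners visited the amplifiers before they were abused" commonality check. The CSV record layout, the addresses (RFC 5737 documentation ranges), the amplifier list and the attack times are all constructed here; a real run would feed it darknet or NetFlow exports and the amplifier list from the incident.

```python
"""Triage of sensor UDP/161 records: probe-vs-backscatter classification,
per-source and per-month aggregation, and the pre-attack scanner
commonality check.  Added example; record layout, addresses and attack
times are constructed, not real data."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed records: timestamp,src_ip,src_port,dst_ip,dst_port,proto.
# 203.0.113.0/24 stands in for the monitored space (unused darknet
# addresses plus two hosts that later turned out to be amplifiers).
SAMPLE_FLOWS = """\
2011-12-20T10:00:01Z,192.0.2.10,53211,203.0.113.5,161,udp
2011-12-20T10:00:02Z,192.0.2.10,53211,203.0.113.6,161,udp
2011-12-20T10:00:03Z,192.0.2.10,53211,203.0.113.7,161,udp
2011-12-20T11:30:00Z,198.51.100.7,161,203.0.113.9,40022,udp
2011-12-20T11:30:01Z,198.51.100.8,161,203.0.113.9,40022,udp
2011-12-20T12:00:00Z,192.0.2.10,53211,203.0.113.5,22,tcp
2011-12-21T09:15:00Z,192.0.2.44,61000,203.0.113.12,161,udp
2011-12-21T09:15:00Z,192.0.2.10,53211,203.0.113.12,161,udp
2011-12-23T08:00:00Z,192.0.2.99,41000,203.0.113.5,161,udp
2011-12-23T08:00:01Z,192.0.2.99,41000,203.0.113.12,161,udp
"""

# Constructed: amplifier hosts and the time each was first seen abused.
AMPLIFIERS = {
    "203.0.113.5": datetime(2011, 12, 22, tzinfo=timezone.utc),
    "203.0.113.12": datetime(2011, 12, 22, tzinfo=timezone.utc),
}

PROBE, BACKSCATTER, OTHER = "probe", "backscatter", "other"


def parse_flows(text):
    """Parse the constructed CSV layout into dicts with a UTC timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
        })
    return flows


def classify(flow):
    """Nothing arriving at a darknet is solicited, so direction is the tell:
    a UDP datagram *to* port 161 is a scanner looking for SNMP agents;
    one *from* port 161 is an SNMP agent answering a query whose source
    address was spoofed to our space, i.e. backscatter from an attack on
    someone else."""
    if flow["proto"] != "udp":
        return OTHER
    if flow["dport"] == 161:
        return PROBE
    if flow["sport"] == 161:
        return BACKSCATTER
    return OTHER


def probe_counts_by_source(flows):
    """Raw material for a 'top UDP 161 scanners' table."""
    return Counter(f["src"] for f in flows if classify(f) == PROBE)


def probe_counts_by_month(flows):
    """Raw material for a per-month trend line."""
    return Counter(f["ts"].strftime("%Y-%m") for f in flows if classify(f) == PROBE)


def backscatter_responders(flows):
    """Agents seen replying to spoofed queries: candidate amplifiers in
    use right now, worth a notification to their operators."""
    return Counter(f["src"] for f in flows if classify(f) == BACKSCATTER)


def common_pre_attack_scanners(flows, amplifiers, min_hits=2):
    """amplifiers maps host -> first abuse time.  Return sources that probed
    at least min_hits distinct amplifiers *before* those hosts were abused;
    a source that turns up across many amplifiers is a candidate for the
    reconnaissance stage of the same campaign."""
    targets = defaultdict(set)
    for f in flows:
        if classify(f) != PROBE or f["dst"] not in amplifiers:
            continue
        if f["ts"] < amplifiers[f["dst"]]:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_hits}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("probes per month:", dict(probe_counts_by_month(flows)))
    for src, n in probe_counts_by_source(flows).most_common(10):
        print(f"{src:<16} {n:>6} probes")
    print("responders seen in backscatter:", dict(backscatter_responders(flows)))
    print("scanners common to amplifiers before abuse:",
          common_pre_attack_scanners(flows, AMPLIFIERS))
```

The classification is deliberately coarse: it keys only on port direction, which is all a darknet sensor can see. Probes that later appear at the amplifiers themselves need the amplifiers' own flow data (or a sensor in front of them), which is what the commonality check assumes as input; lowering min_hits makes it noisier, raising it makes it miss scanners that only touched a few of the abused hosts.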