[nsp-sec] SNMP probes or backacatter? Re: comcast?
Marc Kneppers
Marc.Kneppers at TELUS.COM
Thu Dec 22 18:22:55 EST 2011
Holy crow!
TELUS has significant presence at the top of the list.
Sorry about that guys. I will get this resolved.
Note that that address space is part of our OSS space and so it looks like our pollers have been misconfigured. This would APPEAR to be innocuous and a routing or config screw-up.
However, if someone wants to throw us some $ maybe we can turn this into a managed service. ;)
(Rob and Team Cymru: if you see evidence that makes this seem malicious, please let me know.)
Marc
TELUS
AS852
-
Marc (via mobile device)
----- Original Message -----
From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
To: Eric Ziegast <ziegast at isc.org>
Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
Sent: Thu Dec 22 13:41:23 2011
Subject: Re: [nsp-sec] SNMP probes or backacatter? Re: comcast?
----------- nsp-security Confidential --------
Hi, Eric.
Thank you for the insight!
> While the attack is out there now, it makes me want to look in darknet
> data from SNMP. Stuff I see:
We've seen a significant increase in 2011, after a decrease in 2010.
Total UDP 161 scans
2009: 2858293
2010: 1323668
2011: 4144094
Here is the breakdown for 2011:
Total UDP 161 scans
2011-01: 304801
2011-02: 283916
2011-03: 300427
2011-04: 310658
2011-05: 348534
2011-06: 312121
2011-07: 367293
2011-08: 364214
2011-09: 407130
2011-10: 438825
2011-11: 404250
2011-12: 291024
Some IP addresses of interest:
Top Ten UDP 161 Scanners 2011
ASN | IP Address | UDP 161 Scans | AS Name
852 | 207.229.63.126 | 223299 | ASN852 - Telus Advanced Communications
852 | 207.229.63.238 | 809884 | ASN852 - Telus Advanced Communications
852 | 207.229.63.39 | 203710 | ASN852 - Telus Advanced Communications
852 | 209.202.66.4 | 200570 | ASN852 - Telus Advanced Communications
3265 | 82.161.40.110 | 66317 | XS4ALL-NL XS4ALL Internet BV
7132 | 69.153.243.86 | 244295 | SBIS-AS - AT&T Internet Services
15802 | 94.202.186.152 | 123889 | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
19262 | 74.96.120.3 | 180030 | VZGNI-TRANSIT - Verizon Online LLC
33651 | 74.93.9.125 | 408789 | CMCS - Comcast Cable Communications, Inc.
33657 | 173.167.207.81 | 82142 | CMCS - Comcast Cable Communications, Inc.
Top Ten UDP 161 Scanners 2011-12
ASN | IP Address | UDP 161 Scans | AS Name
852 | 207.229.63.126 | 223299 | ASN852 - Telus Advanced Communications
852 | 207.229.63.238 | 809884 | ASN852 - Telus Advanced Communications
852 | 207.229.63.39 | 203710 | ASN852 - Telus Advanced Communications
852 | 209.202.66.4 | 200570 | ASN852 - Telus Advanced Communications
3265 | 82.161.40.110 | 66317 | XS4ALL-NL XS4ALL Internet BV
7132 | 69.153.243.86 | 244295 | SBIS-AS - AT&T Internet Services
15802 | 94.202.186.152 | 123889 | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
19262 | 74.96.120.3 | 180030 | VZGNI-TRANSIT - Verizon Online LLC
33651 | 74.93.9.125 | 408789 | CMCS - Comcast Cable Communications, Inc.
33657 | 173.167.207.81 | 82142 | CMCS - Comcast Cable Communications, Inc.
> So is this probe traffic or backscatter from affected victims? It
> seems to me to look like probes.
Seems like probes to me as well.
> We all might keep track of this type of traffic if they're probes and
> investigate sources to see if there's some attribution to a particular
> bot.
Thus far we've not tracked the recent amplifiers back to a botnet. Some
of them were compromised with the usual buffet of malware, but nothing
in common. We're looking at commonality between UDP 161 scanners that
visited them prior to the attacks. That might yield some interesting
candidates.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
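The analysis Rob describes above (ranking UDP/161 probe sources from sensor data, then checking which scanners touched the later-abused amplifiers before the attacks began) as an added Python example; this is not code from the thread or from Team Cymru. The flow records, addresses and attack times are constructed, and the "timestamp src dst proto dport" record format is an assumption.

```python
from collections import Counter
from datetime import datetime
# Constructed sample records ("timestamp src dst proto dport"), not real data.
FLOW_RECORDS = """\
2011-12-01T03:14:00 192.0.2.10 203.0.113.7 udp 161
2011-12-01T03:14:01 192.0.2.10 203.0.113.8 udp 161
2011-12-01T04:00:00 198.51.100.5 203.0.113.9 udp 161
2011-12-02T09:30:00 192.0.2.10 203.0.113.20 udp 161
2011-12-02T09:31:00 192.0.2.77 203.0.113.20 udp 161
2011-12-03T10:00:00 198.51.100.5 203.0.113.21 udp 161
2011-12-03T10:05:00 192.0.2.10 203.0.113.21 udp 161
2011-12-04T11:00:00 192.0.2.77 203.0.113.22 tcp 22
2011-12-05T12:00:00 192.0.2.77 203.0.113.21 udp 161
"""

# Constructed: hosts later abused as amplifiers and when the abuse began.
AMPLIFIER_ATTACKS = {
    "203.0.113.20": datetime(2011, 12, 3, 0, 0),
    "203.0.113.21": datetime(2011, 12, 4, 0, 0),
}

def parse_flows(text):
    """Parse one record per line into (timestamp, src, dst, proto, dport)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return rows

def top_snmp_scanners(flows, n=10):
    """Rank sources by UDP/161 probes seen, like the 'Top Ten UDP 161 Scanners' table."""
    counts = Counter(src for _, src, _, proto, dport in flows
                     if proto == "udp" and dport == 161)
    return counts.most_common(n)

def common_prior_scanners(flows, attacks):
    """Sources that probed UDP/161 on every amplifier before that amplifier was abused."""
    prior = {dst: set() for dst in attacks}
    for ts, src, dst, proto, dport in flows:
        # Probes after the attack began are not evidence of reconnaissance.
        if proto == "udp" and dport == 161 and dst in prior and ts < attacks[dst]:
            prior[dst].add(src)
    return set.intersection(*prior.values()) if prior else set()

if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    print(top_snmp_scanners(flows, 3))
    print(sorted(common_prior_scanners(flows, AMPLIFIER_ATTACKS)))
```

In the constructed data 192.0.2.77 also probes one amplifier, but only after that host was already abused, so it drops out of the common set.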