[nsp-sec] SNMP probes or backacatter? Re: comcast?

Chris Calvert Chris.Calvert at telus.com
Thu Dec 22 18:25:26 EST 2011


Ugh. Thanks for picking that up, Marc.


> -----Original Message-----
> From: Marc Kneppers
> Sent: Thursday, December 22, 2011 4:23 PM
> To: 'robt at cymru.com'; 'ziegast at isc.org'; Chris Calvert
> Cc: 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] SNMP probes or backacatter? Re: comcast?
> 
> Holy crow!
> 
> TELUS has significant presence at the top of the list.
> 
> Sorry about that guys. I will get this resolved.
> 
> Note that that address space is part of our OSS space and so it looks like our pollers
> have been misconfigured. This would APPEAR to be innocuous and a routing or
> config screw-up.
> 
> However, if someone wants to throw us some $ maybe we can turn this into a
> managed service. ;)
> 
> (Rob and team cymru .. If you see evidence that makes this seem malicious please
> let me know. )
> 
> MArc
> TELUS
> AS852
> 
> 
> -
> MArc (via mobile device)
> 
> ----- Original Message -----
> From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
> To: Eric Ziegast <ziegast at isc.org>
> Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
> Sent: Thu Dec 22 13:41:23 2011
> Subject: Re: [nsp-sec] SNMP probes or backacatter?  Re:  comcast?
> 
> ----------- nsp-security Confidential --------
> 
> Hi, Eric.
> 
> Thank you for the insight!
> 
> > While the attack is out there now, it makes me want to look in darknet
> > data from SNMP.  Stuff I see:
> 
> We've seen a significant increase in 2011, after a decrease in 2010.
> 
> Total UDP 161 scans
> 2009: 2858293
> 2010: 1323668
> 2011: 4144094
> 
> Here is the breakdown for 2011:
> 
> Total UDP 161 scans
> 2011-01: 304801
> 2011-02: 283916
> 2011-03: 300427
> 2011-04: 310658
> 2011-05: 348534
> 2011-06: 312121
> 2011-07: 367293
> 2011-08: 364214
> 2011-09: 407130
> 2011-10: 438825
> 2011-11: 404250
> 2011-12: 291024
> 
> Some IP addresses of interest:
> 
> Top Ten UDP 161 Scanners 2011
> ASN    | IP Address     | UDP 161 Scans | AS Name
> 852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
> 852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
> 3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
> 7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
> 15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
> 33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
> 33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.
> 
> Top Ten UDP 161 Scanners 2011-12
> ASN    | IP Address     | UDP 161 Scans | AS Name
> 852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
> 852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
> 3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
> 7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
> 15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
> 33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
> 33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.
> 
> > So its this probe traffic or backscatter from affected victims?  It
> > seems to me to look like probes.
> 
> Seems like probes to me as well.
> 
> > We all might keep track of this type of traffic if they're probes and
> > investigate sources to see if there's some attribution to a particular
> > bot.
> 
> Thus far we've not tracked the recent amplifiers back to a botnet.  Some of them
> were compromised with the usual buffet of malware, but nothing in common.  We're
> looking at commonality between UDP 161 scanners that visited them prior to the
> attacks.  That might yield some interesting candidates.
> 
> Thanks,
> Rob.
> --
> Rob Thomas
> Team Cymru
> https://www.team-cymru.org/
> "Say little and do much." M Avot 1:15
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-
> measures.
> _______________________________________________
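The darknet tallies above (yearly and monthly UDP/161 totals, a top-N of scanning sources by ASN) and the follow-up finding that the heaviest sources were an operator's own misconfigured OSS pollers can be reproduced with a small aggregation. The block below is an added example, not code from the post, Team Cymru or TELUS; the record layout, the sample records and the OSS prefix are constructed for illustration.

```python
"""Aggregate darknet UDP/161 (SNMP) hits: monthly totals, top-N sources by
count, and a check for heavy sources inside the operator's own OSS space."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample darknet records: (timestamp, src_ip, src_asn, proto, dst_port).
# Illustrative values only; not data from the post.
RECORDS = [
    ("2011-11-03T10:00:00", "192.0.2.10", 64496, "udp", 161),
    ("2011-11-03T10:00:01", "192.0.2.10", 64496, "udp", 161),
    ("2011-11-04T11:00:00", "192.0.2.10", 64496, "udp", 161),
    ("2011-11-05T12:00:00", "198.51.100.7", 64497, "udp", 161),
    ("2011-12-01T09:00:00", "192.0.2.10", 64496, "udp", 161),
    ("2011-12-02T09:00:00", "203.0.113.5", 64498, "udp", 161),
    ("2011-12-02T09:00:05", "203.0.113.5", 64498, "tcp", 161),  # TCP: not counted
    ("2011-12-02T09:00:06", "203.0.113.5", 64498, "udp", 162),  # trap port: not counted
]

# Hypothetical prefix standing in for the operator's own OSS/poller space.
OWN_OSS_SPACE = [ip_network("192.0.2.0/24")]


def snmp_probes(records):
    """Keep only UDP datagrams to port 161, i.e. SNMP get/set-style traffic."""
    return [r for r in records if r[3] == "udp" and r[4] == 161]


def monthly_totals(records):
    """Count UDP/161 hits per YYYY-MM, like the post's monthly breakdown."""
    return dict(Counter(r[0][:7] for r in snmp_probes(records)))


def top_scanners(records, n=10):
    """Rank sources by UDP/161 hit count, returned as [(asn, ip, count), ...]."""
    counts = Counter((r[2], r[1]) for r in snmp_probes(records))
    return [(asn, ip, c) for (asn, ip), c in counts.most_common(n)]


def own_pollers_leaking(records, oss_space=OWN_OSS_SPACE, n=10):
    """Top scanners that sit inside our own OSS space: the signature of
    misconfigured pollers hitting unrouted space rather than external attackers."""
    return [(asn, ip, c) for asn, ip, c in top_scanners(records, n)
            if any(ip_address(ip) in net for net in oss_space)]
```

Running `own_pollers_leaking` against real flow or darknet exports with the operator's real management prefixes gives the same "it's our own pollers" answer the thread reached by hand.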