[nsp-sec] SNMP probes or backacatter? Re: comcast?

Rob Thomas robt at cymru.com
Thu Dec 22 19:49:27 EST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey, Marc.

Details to follow, further analysis underway!

Thanks!
Rob.


Marc Kneppers wrote:
> Holy crow!
> 
> TELUS has significant presence at the top of the list.
> 
> Sorry about that guys. I will get this resolved.
> 
> Note that that address space is part of our OSS space and so it looks like our pollers have been misconfigured. This would APPEAR to be innocuous and a routing or config screw-up.
> 
> However, if someone wants to throw us some $ maybe we can turn this into a managed service. ;)
> 
> (Rob and team cymru .. If you see evidence that makes this seem malicious please let me know. )
> 
> MArc
> TELUS
> AS852
> 
> 
> -
> MArc (via mobile device)
> 
> ----- Original Message -----
> From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
> To: Eric Ziegast <ziegast at isc.org>
> Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
> Sent: Thu Dec 22 13:41:23 2011
> Subject: Re: [nsp-sec] SNMP probes or backacatter?  Re:  comcast?
> 
> ----------- nsp-security Confidential --------
> 
> Hi, Eric.
> 
> Thank you for the insight!
> 
>> While the attack is out there now, it makes me want to look in darknet
>> data from SNMP.  Stuff I see:
> 
> We've seen a significant increase in 2011, after a decrease in 2010.
> 
> Total UDP 161 scans
> 2009: 2858293
> 2010: 1323668
> 2011: 4144094
> 
> Here is the breakdown for 2011:
> 
> Total UDP 161 scans
> 2011-01: 304801
> 2011-02: 283916
> 2011-03: 300427
> 2011-04: 310658
> 2011-05: 348534
> 2011-06: 312121
> 2011-07: 367293
> 2011-08: 364214
> 2011-09: 407130
> 2011-10: 438825
> 2011-11: 404250
> 2011-12: 291024
> 
> Some IP addresses of interest:
> 
> Top Ten UDP 161 Scanners 2011
> ASN    | IP Address     | UDP 161 Scans | AS Name
> 852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
> 852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
> 3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
> 7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
> 15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
> 33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
> 33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.
> 
> Top Ten UDP 161 Scanners 2011-12
> ASN    | IP Address     | UDP 161 Scans | AS Name
> 852    | 207.229.63.126 | 223299        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.238 | 809884        | ASN852 - Telus Advanced Communications
> 852    | 207.229.63.39  | 203710        | ASN852 - Telus Advanced Communications
> 852    | 209.202.66.4   | 200570        | ASN852 - Telus Advanced Communications
> 3265   | 82.161.40.110  |  66317        | XS4ALL-NL XS4ALL Internet BV
> 7132   | 69.153.243.86  | 244295        | SBIS-AS - AT&T Internet Services
> 15802  | 94.202.186.152 | 123889        | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262  | 74.96.120.3    | 180030        | VZGNI-TRANSIT - Verizon Online LLC
> 33651  | 74.93.9.125    | 408789        | CMCS - Comcast Cable Communications, Inc.
> 33657  | 173.167.207.81 |  82142        | CMCS - Comcast Cable Communications, Inc.
> 
>> So is this probe traffic or backscatter from affected victims?  It
>> seems to me to look like probes.
> 
> Seems like probes to me as well.
> 
>> We all might keep track of this type of traffic if they're probes and
>> investigate sources to see if there's some attribution to a particular
>> bot.
> 
> Thus far we've not tracked the recent amplifiers back to a botnet.  Some
> of them were compromised with the usual buffet of malware, but nothing
> in common.  We're looking at commonality between UDP 161 scanners that
> visited them prior to the attacks.  That might yield some interesting
> candidates.
> 
> Thanks,
> Rob.

- --
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQCVAwUBTvPQF1kX3QAo5sgJAQKsmQP9EWZwdj3TP4Ko9H8D3qUiXnk3AhBhmehP
dAMPAaZEyxPAtmTLekXfu1NHw4AuKmqxivwWs2HsMphuhJOkwhlU2n1P0ZByv7VA
KWZ9ezury8LKnXiEEs5FIawk0hl8p8bxKBTEbZ++IwzATSdV8bFR6BDAFnK+czQa
XaFU13xypUs=
=lb0h
-----END PGP SIGNATURE-----
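The analysis Rob describes above (counting UDP/161 scans per source in darknet data, ranking the top scanners by ASN, and then looking for scanners common to the amplifiers that were later abused) can be sketched as a small script. This is an added example, not Team Cymru's tooling: the flow records, the IP-to-ASN map and the attack timestamp are all constructed, and the probe-versus-backscatter split (a request has destination port 161, a reply has source port 161) is an assumption about how a darknet sensor would see the two kinds of traffic.

```python
"""Darknet UDP/161 analysis: per-source scan counts, top talkers by ASN, and
scanner commonality across later amplifiers.  Added example; not Team Cymru code.
The flow records and the IP->ASN map below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed darknet flow records: (timestamp, src_ip, src_port, dst_ip, dst_port).
# Documentation-range addresses stand in for real scanner and amplifier IPs.
FLOWS = [
    ("2011-12-01T10:00:00", "192.0.2.10", 40001, "203.0.113.5", 161),
    ("2011-12-01T10:00:01", "192.0.2.10", 40002, "203.0.113.6", 161),
    ("2011-12-01T10:00:02", "192.0.2.10", 40003, "203.0.113.7", 161),
    ("2011-12-02T11:00:00", "192.0.2.20", 50001, "203.0.113.5", 161),
    ("2011-12-02T11:00:01", "192.0.2.20", 50002, "203.0.113.7", 161),
    ("2011-12-03T12:00:00", "198.51.100.9", 60001, "203.0.113.9", 161),
    # Backscatter-looking record: a reply (source port 161) landing on darknet space,
    # which is what a spoofed victim address would receive from an amplifier.
    ("2011-12-10T09:00:00", "203.0.113.77", 161, "203.0.113.8", 33000),
    # A scan after the attack window must not count as a "prior" visit.
    ("2011-12-20T08:00:00", "192.0.2.30", 40010, "203.0.113.5", 161),
]

# Constructed IP->ASN map; a real pipeline would use a BGP-derived lookup service.
IP_TO_ASN = {"192.0.2.10": 64496, "192.0.2.20": 64497, "198.51.100.9": 64498,
             "192.0.2.30": 64499, "203.0.113.77": 64500}


def classify(flow):
    """Probe if the destination port is 161 (an SNMP request aimed at the darknet);
    backscatter-like if the source port is 161 (an SNMP reply to a spoofed address)."""
    _, _, sport, _, dport = flow
    if dport == 161:
        return "probe"
    if sport == 161:
        return "backscatter"
    return "other"


def scan_counts(flows):
    """Number of probe records per source IP (one record per packet, as a sensor feed)."""
    counts = Counter()
    for f in flows:
        if classify(f) == "probe":
            counts[f[1]] += 1
    return counts


def top_scanners(flows, n=10):
    """(asn, ip, scans) rows sorted by scan count, like the Top Ten table in the thread."""
    rows = [(IP_TO_ASN.get(ip, 0), ip, c) for ip, c in scan_counts(flows).items()]
    return sorted(rows, key=lambda r: -r[2])[:n]


def scanners_before(flows, amplifiers, attack_time, window):
    """For each amplifier, the source IPs that probed it on UDP/161 within `window`
    before `attack_time`; later probes are ignored since they cannot be reconnaissance."""
    cutoff = attack_time - window
    seen = defaultdict(set)
    for ts, src, _sport, dst, dport in flows:
        t = datetime.fromisoformat(ts)
        if dst in amplifiers and dport == 161 and cutoff <= t < attack_time:
            seen[dst].add(src)
    return seen


def common_scanners(flows, amplifiers, attack_time, window=timedelta(days=30)):
    """Source IPs that probed every listed amplifier before the attack: the candidate
    reconnaissance hosts Rob's message proposes looking for."""
    seen = scanners_before(flows, amplifiers, attack_time, window)
    sets = [seen.get(a, set()) for a in amplifiers]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for asn, ip, c in top_scanners(FLOWS):
        print(f"{asn:<6} | {ip:<15} | {c:>6}")
    print(common_scanners(FLOWS, ["203.0.113.5", "203.0.113.7"], datetime(2011, 12, 15)))
```

The intersection step is the discriminating one: a host that shows up in the top-ten list because it probes the whole darknet is an OSS poller or a mass scanner, whereas a host that visited exactly the amplifiers later used in an attack, and did so shortly beforehand, is a much stronger attribution candidate. Reply records with source port 161 are kept out of the scan counts entirely so that backscatter from spoofed-source attacks does not inflate the probe totals.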
