[nsp-sec] UDP love against AS5539
Gert Doering
gert at greenie.muc.de
Fri Dec 23 03:43:19 EST 2011
Hi,
one of our customers (large electronics store) seems to have annoyed
someone, and is now receiving packet love.
Most of the love is extremely dumb and easy to filter - UDP packets (of
varying size) destined to port 27660.
Total incoming bandwidth is something like 900 mbit/s, and we can stand
this, so no imminent reactions needed - *but* this is starting to annoy
me. It started at 17:00 GMT+1 yesterday, and is still ongoing, 16 hours
later, so maybe a few machines show up on your radar for cleansing...
I'll compile a list of sources that we see and send it to the list
"real soon now". But we don't know whether this is spoofed - it's UDP,
after all.
So, what I'd like you to do is to check your telemetry for flows
to
dst ip = 194.97.147.57
proto = udp
dst port = 27660
... if you see any of this, it's not legit. This is a web server, it has
nothing but tcp/80 and tcp/443.
thanks,
gert
--
Gert Doering
SpaceNet AG, AS 5539, gert at space.net. PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
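
The telemetry check requested in the message above, as an added example (not part of the original e-mail): it filters exported flow records for UDP traffic to 194.97.147.57 port 27660 and totals it per source, so the heaviest senders inside your own network surface first. The CSV layout, the sample records and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Match criteria taken from the e-mail above.
TARGET_IP = "194.97.147.57"
TARGET_PORT = 27660

# Constructed sample flow export (hypothetical CSV layout, not a real tool's format).
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,proto,dst_port,packets,bytes
2011-12-23T08:00:01,192.0.2.10,194.97.147.57,UDP,27660,1200,1440000
2011-12-23T08:00:02,192.0.2.10,194.97.147.57,17,27660,800,960000
2011-12-23T08:00:02,198.51.100.7,194.97.147.57,tcp,443,12,9000
2011-12-23T08:00:03,203.0.113.5,194.97.147.57,udp,27660,50,3000
2011-12-23T08:00:04,203.0.113.5,194.97.147.58,udp,27660,50,3000
2011-12-23T08:00:05,192.0.2.99,194.97.147.57,udp,53,1,80
"""

def is_udp(proto):
    # Flow exports give the protocol as a name or as the IANA number (17 = UDP).
    return proto.strip().lower() in ("udp", "17")

def matching_sources(flow_csv):
    """Return {src_ip: {"flows", "packets", "bytes"}} for flows matching the filter."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = row["src_ip"].strip(), row["dst_ip"].strip()
            udp = is_udp(row["proto"])
            port, pkts, octets = int(row["dst_port"]), int(row["packets"]), int(row["bytes"])
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # skip malformed or truncated records instead of aborting
        if dst == TARGET_IP and udp and port == TARGET_PORT:
            totals[src]["flows"] += 1
            totals[src]["packets"] += pkts
            totals[src]["bytes"] += octets
    return dict(totals)

def report(flow_csv):
    # Heaviest senders first: these are the hosts to check for compromise.
    hits = matching_sources(flow_csv)
    return sorted(hits.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for src, t in report(SAMPLE_FLOWS):
        print(f"{src}\tflows={t['flows']}\tpackets={t['packets']}\tbytes={t['bytes']}")
```

Because the traffic is UDP, a matching source address is only trustworthy where the flow was recorded on the interface facing that host; the same match seen on a peering or transit link may carry a spoofed source.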