[nsp-sec] ACK 553 - Re: UDP love against AS5539
Torsten Voss
voss at dfn-cert.de
Fri Dec 23 05:23:52 EST 2011
Hi Gert,
thanks and ACK 553.
Cheers,
Torsten
On 23.12.2011 10:07, Gert Doering wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> On Fri, Dec 23, 2011 at 09:43:19AM +0100, Gert Doering wrote:
>> So, what I'd like you to do is to check your telemetry for flows
>> to
>> dst ip = 194.97.147.57
>> proto = udp
>> dst port = 27660
>>
>> ... if you see any of this, it's not legit. This is a web server, it has
>> nothing but tcp/80 and tcp/443.
>
> And here's the list of sources that have sent more than 1000 packets in
> the time between 09:10-09:30 this morning (GMT+1, so "about 45 minutes ago").
>
> Thanks to team cymru for the nice bulk-whois... :-)
>
> Looking at the list, there are large hosting networks present, like
> hetzner.de - so this isn't just abused DSL customers, but could very
> well be hacked web servers and such. Or it's plain spoofed addresses.
>
> So it would be great to hear if one of you can confirm whether these
> addresses are useful (= you can see the packets as well) or spoofed.
>
> gert
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone +49 40 808077-634
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
19th DFN Workshop "Sicherheit in vernetzten Systemen"
on 21/22 February 2012 at the Grand Hotel Elysee in Hamburg
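
The telemetry check requested in the quoted message (flows to 194.97.147.57, UDP, destination port 27660, sources above 1000 packets between 09:10 and 09:30), as an added example that is not part of the original thread. The CSV column layout, the `heavy_sources` helper and the sample records (source addresses from documentation ranges) are constructed assumptions; adapt the parsing to whatever your flow collector exports.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Match criteria taken from the quoted request.
DST_IP = "194.97.147.57"
PROTO = "udp"
DST_PORT = 27660
MIN_PACKETS = 1000  # report sources with "more than 1000 packets"

# Window from the message (09:10-09:30, GMT+1). Assumption: the flow export
# carries naive timestamps in that same local time zone.
WINDOW_START = datetime(2011, 12, 23, 9, 10)
WINDOW_END = datetime(2011, 12, 23, 9, 30)

# Constructed sample flow export (assumed columns, documentation-range sources).
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,proto,dst_port,packets
2011-12-23T09:11:02,192.0.2.10,194.97.147.57,udp,27660,800
2011-12-23T09:15:40,192.0.2.10,194.97.147.57,udp,27660,450
2011-12-23T09:12:13,198.51.100.7,194.97.147.57,udp,27660,999
2011-12-23T09:20:00,203.0.113.5,194.97.147.57,tcp,80,5000
2011-12-23T09:25:31,203.0.113.99,194.97.147.57,udp,27660,1500
2011-12-23T09:45:00,203.0.113.77,194.97.147.57,udp,27660,9000
2011-12-23T09:18:09,198.51.100.200,194.97.147.58,udp,27660,4000
"""

def heavy_sources(flow_csv, start=WINDOW_START, end=WINDOW_END,
                  min_packets=MIN_PACKETS):
    """Return [(src_ip, packets)] for sources above min_packets in the window."""
    wanted = (DST_IP, PROTO, DST_PORT)
    totals = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts = datetime.fromisoformat(row["start"])
        if not (start <= ts < end):
            continue  # flow started outside the reporting window
        key = (row["dst_ip"], row["proto"].lower(), int(row["dst_port"]))
        if key != wanted:
            continue  # other host, or the web server's own tcp/80 and tcp/443
        totals[row["src_ip"]] += int(row["packets"])  # sum all flows per source
    hits = [(ip, n) for ip, n in totals.items() if n > min_packets]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for ip, packets in heavy_sources(SAMPLE_FLOWS):
        print(f"{ip}\t{packets}")
```

Seeing a listed source in your own flow data shows the packets crossed your network with that source address; it does not by itself rule out spoofing further upstream.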