[nsp-sec] SNMP probes or backacatter? Re: comcast?
Chris Calvert
Chris.Calvert at telus.com
Tue Dec 27 15:45:11 EST 2011
Whew.
Thanks, Rob ;)
-----Original Message-----
From: Rob Thomas [robt at cymru.com]
Sent: Friday, December 23, 2011 07:38 AM Mountain Standard Time
To: Marc Kneppers; Chris Calvert; 'nsp-security at puck.nether.net'
Subject: Re: [nsp-sec] SNMP probes or backacatter? Re: comcast?
Hi, team.
Please ignore my list of top UDP 161 scanners. These hosts are scanning
for UDP 161, but my query didn't differentiate between legitimate
traffic and likely illegitimate traffic. Shame on me there! My query
skillz must be in holiday mode already.
Marc and Chris, no holy cows here, sorry about the shock. I'll re-run
the query and send out a more likely naughty list of scanners.
Thanks,
Rob.
Marc Kneppers wrote:
> Holy crow!
>
> TELUS has significant presence at the top of the list.
>
> Sorry about that guys. I will get this resolved.
>
> Note that that address space is part of our OSS space and so it looks like our pollers have been misconfigured. This would APPEAR to be innocuous and a routing or config screw-up.
>
> However, if someone wants to throw us some $ maybe we can turn this into a managed service. ;)
>
> (Rob and team cymru .. If you see evidence that makes this seem malicious please let me know. )
>
> MArc
> TELUS
> AS852
>
>
> -
> MArc (via mobile device)
>
> ----- Original Message -----
> From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
> To: Eric Ziegast <ziegast at isc.org>
> Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
> Sent: Thu Dec 22 13:41:23 2011
> Subject: Re: [nsp-sec] SNMP probes or backacatter? Re: comcast?
>
> ----------- nsp-security Confidential --------
>
> Hi, Eric.
>
> Thank you for the insight!
>
>> While the attack is out there now, it makes me want to look in darknet
>> data from SNMP. Stuff I see:
>
> We've seen a significant increase in 2011, after a decrease in 2010.
>
> Total UDP 161 scans
> 2009: 2858293
> 2010: 1323668
> 2011: 4144094
>
> Here is the breakdown for 2011:
>
> Total UDP 161 scans
> 2011-01: 304801
> 2011-02: 283916
> 2011-03: 300427
> 2011-04: 310658
> 2011-05: 348534
> 2011-06: 312121
> 2011-07: 367293
> 2011-08: 364214
> 2011-09: 407130
> 2011-10: 438825
> 2011-11: 404250
> 2011-12: 291024
>
> Some IP addresses of interest:
>
> Top Ten UDP 161 Scanners 2011
> ASN | IP Address | UDP 161 Scans | AS Name
> 852 | 207.229.63.126 | 223299 | ASN852 - Telus Advanced Communications
> 852 | 207.229.63.238 | 809884 | ASN852 - Telus Advanced Communications
> 852 | 207.229.63.39 | 203710 | ASN852 - Telus Advanced Communications
> 852 | 209.202.66.4 | 200570 | ASN852 - Telus Advanced Communications
> 3265 | 82.161.40.110 | 66317 | XS4ALL-NL XS4ALL Internet BV
> 7132 | 69.153.243.86 | 244295 | SBIS-AS - AT&T Internet Services
> 15802 | 94.202.186.152 | 123889 | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262 | 74.96.120.3 | 180030 | VZGNI-TRANSIT - Verizon Online LLC
> 33651 | 74.93.9.125 | 408789 | CMCS - Comcast Cable Communications, Inc.
> 33657 | 173.167.207.81 | 82142 | CMCS - Comcast Cable Communications, Inc.
>
> Top Ten UDP 161 Scanners 2011-12
> ASN | IP Address | UDP 161 Scans | AS Name
> 852 | 207.229.63.126 | 223299 | ASN852 - Telus Advanced Communications
> 852 | 207.229.63.238 | 809884 | ASN852 - Telus Advanced Communications
> 852 | 207.229.63.39 | 203710 | ASN852 - Telus Advanced Communications
> 852 | 209.202.66.4 | 200570 | ASN852 - Telus Advanced Communications
> 3265 | 82.161.40.110 | 66317 | XS4ALL-NL XS4ALL Internet BV
> 7132 | 69.153.243.86 | 244295 | SBIS-AS - AT&T Internet Services
> 15802 | 94.202.186.152 | 123889 | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
> 19262 | 74.96.120.3 | 180030 | VZGNI-TRANSIT - Verizon Online LLC
> 33651 | 74.93.9.125 | 408789 | CMCS - Comcast Cable Communications, Inc.
> 33657 | 173.167.207.81 | 82142 | CMCS - Comcast Cable Communications, Inc.
>
>> So is this probe traffic or backscatter from affected victims? It
>> seems to me to look like probes.
>
> Seems like probes to me as well.
>
>> We all might keep track of this type of traffic if they're probes and
>> investigate sources to see if there's some attribution to a particular
>> bot.
>
> Thus far we've not tracked the recent amplifiers back to a botnet. Some
> of them were compromised with the usual buffet of malware, but nothing
> in common. We're looking at commonality between UDP 161 scanners that
> visited them prior to the attacks. That might yield some interesting
> candidates.
>
> Thanks,
> Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
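The darknet aggregation the thread is built on, as an added example that is not Team Cymru's query or anyone's code from this list: it produces the per-month and per-source UDP/161 counts shown in the tables above from flow records, and adds a distinct-target check as one way to separate a misconfigured poller that re-polls a few addresses from a host sweeping the darknet. The flow line format, the prefix-to-ASN map, the sample records and the sweep threshold are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> (ASN, name) map standing in for a BGP/IP-to-ASN lookup.
PREFIX_ASN = {ip_network("203.0.113.0/24"): (64496, "EXAMPLE-A"),
              ip_network("198.51.100.0/24"): (64497, "EXAMPLE-B")}

def asn_for(ip):
    addr = ip_address(ip)
    return next((info for net, info in PREFIX_ASN.items() if addr in net), (0, "unknown"))

def summarize(records):
    """Count UDP/161 darknet hits per month and per source; records are
    'YYYY-MM-DDTHH:MM src dst proto dport' lines (constructed format)."""
    monthly, hits, targets = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in records:
        ts, src, dst, proto, dport = line.split()
        if proto != "udp" or dport != "161":
            continue
        monthly[ts[:7]] += 1          # '2011-12' style month key
        hits[src] += 1                # raw scan count, as in the thread's tables
        targets[src].add(dst)         # distinct darknet addresses touched
    return dict(monthly), {s: {"hits": hits[s], "targets": len(targets[s])} for s in hits}

def classify(stats, sweep_threshold=3):
    """Assumed heuristic: a source that keeps hitting the same one or two addresses
    looks like a misconfigured poller; one sweeping many addresses looks like a scanner."""
    return "scanner" if stats["targets"] >= sweep_threshold else "poller-like"

def top_sources(per_source, n=10):
    """Rows of (ASN, src, hits, distinct targets, label, AS name), most hits first."""
    ranked = sorted(per_source.items(), key=lambda kv: kv[1]["hits"], reverse=True)[:n]
    return [(asn_for(s)[0], s, st["hits"], st["targets"], classify(st), asn_for(s)[1])
            for s, st in ranked]

# Constructed sample flows: a poller re-polling one address, and a host sweeping several.
SAMPLE = [
    "2011-11-02T10:00 203.0.113.5 192.0.2.10 udp 161",
    "2011-11-02T10:05 203.0.113.5 192.0.2.10 udp 161",
    "2011-12-01T09:00 203.0.113.5 192.0.2.10 udp 161",
    "2011-12-01T09:01 198.51.100.7 192.0.2.1 udp 161",
    "2011-12-01T09:01 198.51.100.7 192.0.2.2 udp 161",
    "2011-12-01T09:01 198.51.100.7 192.0.2.3 udp 161",
    "2011-12-01T09:01 198.51.100.7 192.0.2.4 udp 161",
    "2011-12-01T09:02 198.51.100.7 192.0.2.4 tcp 22",
]

if __name__ == "__main__":
    monthly, per_source = summarize(SAMPLE)
    for row in top_sources(per_source):
        print("%d | %s | %d hits | %d targets | %s | %s" % row)
```

On real darknet data the threshold would be tuned to the sensor's size; the point is that a raw hit count alone ranks a busy but stationary poller alongside a sweeper.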