[nsp-sec] udp (not tcp) port 22 traffic ?
RuthAnne Bevier
ruthanne at caltech.edu
Fri Dec 30 13:09:46 EST 2011
I don't know, but we've been seeing this here too fwiw.
On Fri, Dec 30, 2011 at 12:12:17PM -0500, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
> I am seeing a sudden uptick in udp port 22 scanning from a number of hosts around the net. Anyone know what they are after? The only ref I could find was for old PCAnywhere installs, but it's hard to imagine there would be many of those.
>
> e.g. Dec 1st, I saw 96 records into part of my AS for UDP port 22
>
> On the 20th, 2,194 entries to the same subset, yesterday ~ 1600
>
> Lengths are generally under 200 bytes. Here is one snippet. Some of it is to darkspace in my network, but not all. There does seem to be some bit torrent traffic in some of the packets, but not the ones doing the scanning from what I can tell so far. Some hosts will scan a few /24s worth of IPs, others, just a dozen.
>
> 11:26:26.048909 IP 118.104.73.202.63185 > 67.43.143.210.22: UDP, length 194
> 0x0000: 4500 00de 002f 0000 6d11 b9b0 7668 49ca E..../..m...vhI.
> 0x0010: 432b 8fd2 f6d1 0016 00ca 71b5 8f3e fc72 C+........q..>.r
> 0x0020: 43f6 00bd d0bb 17f6 11a2 0aee 41c0 b01b C...........A...
> 0x0030: c3a1 78d8 eef9 6fc0 3a30 efc6 ffd7 fdb8 ..x...o.:0......
> 0x0040: ac59 24bd acb6 7d24 3c58 a084 be49 8ca0 .Y$...}$<X...I..
> 0x0050: 2650 96c6 e902 7927 6bf7 3cdf 68b3 ba86 &P....y'k.<.h...
> 0x0060: 0bf6 571f 5e77 c827 8185 e00e ed0f 0fc4 ..W.^w.'........
> 0x0070: fa83 8e74 53d7 b03f 9255 df79 c89e 7098 ...tS..?.U.y..p.
> 0x0080: 4b8e 64b9 49ed 8c23 5eb1 7cdb 25f4 8be7 K.d.I..#^.|.%...
> 0x0090: d766 0c04 b3c0 6297 30d9 a6c1 51f0 454d .f....b.0...Q.EM
> 0x00a0: 0d31 ee7d cc2a b770 a975 b87e da09 0ed4 .1.}.*.p.u.~....
> 0x00b0: 283b 9ccc 1be7 b91c 7c95 a7e7 d5ee 73ae (;......|.....s.
> 0x00c0: 7018 8709 9857 6d70 6e3b 0b94 e917 385c p....Wmpn;....8\
> 0x00d0: b305 e6d8 d6de 71d3 0471 717e 0ac2 ......q..qq~..
> 11:26:26.159270 IP 118.104.73.202.63185 > 67.43.143.211.22: UDP, length 194
> 0x0000: 4500 00de 0040 0000 6d11 b99e 7668 49ca E....@..m...vhI.
> 0x0010: 432b 8fd3 f6d1 0016 00ca f408 a379 c019 C+...........y..
> 0x0020: 25be 75c6 abdb 09bc 7299 975c 6d07 dc78 %.u.....r..\m..x
> 0x0030: dfb3 3928 cf2d a0a3 9f9a bfc8 983d 92d7 ..9(.-.......=..
> 0x0040: 3c52 2c89 cf9c e369 26c7 2d6e 358f e23e <R,....i&.-n5..>
> 0x0050: e769 4c1f 28de c4a8 990a 9657 d82d b370 .iL.(......W.-.p
> 0x0060: cfaf ba54 2a06 5fa6 9943 5124 b050 387a ...T*._..CQ$.P8z
> 0x0070: c782 6611 7799 47af 4c21 9a61 5234 43d4 ..f.w.G.L!.aR4C.
> 0x0080: 55f4 c736 af92 2d86 90b4 d1cc 163f dd66 U..6..-......?.f
> 0x0090: c814 c0b3 2c10 8696 ec76 c6c8 b3f5 7bac ....,....v....{.
> 0x00a0: 91cc 7b32 3c89 8921 55ae d6a9 f1ad 3494 ..{2<..!U.....4.
> 0x00b0: 9d59 504e fc03 aeda 2f9f 8fe6 cacc 028d .YPN..../.......
> 0x00c0: 91fd 5fee 8a4d 4342 04ba 003c fb5a a822 .._..MCB...<.Z."
> 0x00d0: 7c04 2905 0f86 83aa 7605 4459 9cba |.).....v.DY..
> 11:26:26.542689 IP 118.104.73.202.63185 > 67.43.143.214.22: UDP, length 194
> 0x0000: 4500 00de 005d 0000 6d11 b97e 7668 49ca E....]..m..~vhI.
> 0x0010: 432b 8fd6 f6d1 0016 00ca 1e87 2f0e 9694 C+........../...
> 0x0020: df5a 2e62 3be3 5b43 dcb1 bdbd 3f21 3458 .Z.b;.[C....?!4X
> 0x0030: bf5d ace7 9270 0dc5 c8d1 4116 1d2b 60bd .]...p....A..+`.
> 0x0040: 87a9 fa70 dce7 604b 0ecd 5b68 c6ab 51f0 ...p..`K..[h..Q.
> 0x0050: d194 8c13 bdaa b9ba eb18 8188 02bb 144a ...............J
> 0x0060: 55a5 23db 9938 933b ff2e fa34 3df9 c3b8 U.#..8.;...4=...
> 0x0070: d49c db19 1e4f 212d 3d81 c1d1 c0e8 7b67 .....O!-=.....{g
> 0x0080: bfc3 6672 09ca eb0f c066 5b98 94db 6191 ..fr.....f[...a.
> 0x0090: d61e a519 f892 cade 2300 ceb9 3715 c132 ........#...7..2
> 0x00a0: ae3e da4e 3410 41cc 5ebb 51a6 5061 462a .>.N4.A.^.Q.PaF*
> 0x00b0: a2ce 0d0c 119e a042 9e25 9832 9ce2 c07e .......B.%.2...~
> 0x00c0: bf0f 10d1 53d7 463a 9365 475a f23e dbc0 ....S.F:.eGZ.>..
> 0x00d0: 3131 bc65 dfaf 3ac8 e3ba 9ffc b2da 11.e..:.......
>
>
> A few of the big scanners from Dec 29th are
>
> AS | IP | AS Name
> 5089 | 77.102.89.107 | NTL Virgin Media Limited (8:26 GMT)
> 16276 | 176.31.97.12 | OVH OVH Systems (8:26 GMT)
> 16276 | 91.121.195.217 | OVH OVH Systems (10:53 GMT)
> 17676 | 126.131.124.76 | GIGAINFRA Softbank BB Corp. (8:21 GMT)
>
>
>
> ---Mike
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
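As an added illustration, not part of the thread, here is a small Python check that reads tcpdump summary lines like those quoted above, keeps only UDP datagrams to port 22, and reports sources that hit several distinct destinations, together with the /24s they touched and whether every payload stayed under 200 bytes. The sample input mixes three summary lines from the quoted post with constructed ones; the thresholds (min_targets, max_len) are assumptions, not anything the list post specifies.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Matches the tcpdump summary line format quoted in the thread, e.g.
# "11:26:26.048909 IP 118.104.73.202.63185 > 67.43.143.210.22: UDP, length 194"
# TCP lines show "Flags [S], ..." where UDP lines show "UDP", so proto captures either word.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+).*length (?P<len>\d+)"
)

def parse_line(line):
    """Parse one tcpdump summary line; return None for hex-dump or other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "len"):
        d[key] = int(d[key])
    return d

def udp22_scanners(lines, min_targets=3, max_len=200):
    """Group UDP/22 packets by source and report sources that touched
    at least min_targets distinct destinations (assumed threshold)."""
    per_src = defaultdict(lambda: {"dsts": set(), "nets": set(), "lens": []})
    for line in lines:
        p = parse_line(line)
        if not p or p["proto"] != "UDP" or p["dport"] != 22:
            continue  # skip TCP, other ports, and hex-dump continuation lines
        s = per_src[p["src"]]
        s["dsts"].add(p["dst"])
        s["nets"].add(str(ip_network(p["dst"] + "/24", strict=False)))
        s["lens"].append(p["len"])
    report = {}
    for src, s in per_src.items():
        if len(s["dsts"]) >= min_targets:
            report[src] = {
                "targets": len(s["dsts"]),
                "slash24s": sorted(s["nets"]),
                "max_len": max(s["lens"]),
                "small_payloads": all(n <= max_len for n in s["lens"]),
            }
    return report

# Constructed sample: three lines from the quoted post plus made-up ones
# (a hex-dump line, a TCP SYN, a lone UDP/22 datagram from another source).
SAMPLE = """\
11:26:26.048909 IP 118.104.73.202.63185 > 67.43.143.210.22: UDP, length 194
0x0000:  4500 00de 002f 0000 6d11 b9b0 7668 49ca  E..../..m...vhI.
11:26:26.159270 IP 118.104.73.202.63185 > 67.43.143.211.22: UDP, length 194
11:26:26.542689 IP 118.104.73.202.63185 > 67.43.143.214.22: UDP, length 194
11:26:27.001000 IP 118.104.73.202.63185 > 67.43.144.9.22: UDP, length 194
11:26:27.100000 IP 192.0.2.50.40000 > 67.43.143.210.22: Flags [S], seq 1, win 8192, length 0
11:26:27.200000 IP 198.51.100.7.51413 > 67.43.143.77.22: UDP, length 118
"""
```

Run it over a real `tcpdump -n udp port 22` capture by feeding the output lines to udp22_scanners; sources in the report are the ones worth comparing against the AS list in the post.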