[nsp-sec] udp (not tcp) port 22 traffic ?
Yiming Gong
yiming.gong at xo.com
Fri Dec 30 15:05:56 EST 2011
I took a closer look and noticed that of the 715 scanners I got, only 16 of
them have also scanned other ports in the last 10 days, so 699 hosts
only scanned UDP port 22.
Yiming
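The three tcpdump hex dumps quoted from Mike's post further down can be decoded offline to see what the probes actually carry. The following is an added example, not code from any of the posters: it parses the hex column of a tcpdump -x/-X dump into bytes, decodes the IPv4 and UDP headers, verifies both checksums, and applies a few cheap payload checks (the uTP version nibble from BEP 29, a bencode leading "d", byte entropy). PROBE_1 is the first packet's hex copied from the thread; every function and key name (hexdump_to_bytes, analyze, guess_initial_ttl, looks_like_utp, ...) is our own, and the initial-TTL guess is the usual 64/128/255 heuristic, not something the thread establishes.

```python
"""Decode the tcpdump hex dumps of the UDP/22 probes quoted in this thread.
Added example, not code from any poster: parse a tcpdump -x/-X dump into
bytes, decode IPv4/UDP, verify checksums, run cheap payload checks."""
import math
import re
import struct
from collections import Counter

# First probe from Mike Tancsa's post, hex column copied from the thread.
PROBE_1 = """\
0x0000:  4500 00de 002f 0000 6d11 b9b0 7668 49ca
0x0010:  432b 8fd2 f6d1 0016 00ca 71b5 8f3e fc72
0x0020:  43f6 00bd d0bb 17f6 11a2 0aee 41c0 b01b
0x0030:  c3a1 78d8 eef9 6fc0 3a30 efc6 ffd7 fdb8
0x0040:  ac59 24bd acb6 7d24 3c58 a084 be49 8ca0
0x0050:  2650 96c6 e902 7927 6bf7 3cdf 68b3 ba86
0x0060:  0bf6 571f 5e77 c827 8185 e00e ed0f 0fc4
0x0070:  fa83 8e74 53d7 b03f 9255 df79 c89e 7098
0x0080:  4b8e 64b9 49ed 8c23 5eb1 7cdb 25f4 8be7
0x0090:  d766 0c04 b3c0 6297 30d9 a6c1 51f0 454d
0x00a0:  0d31 ee7d cc2a b770 a975 b87e da09 0ed4
0x00b0:  283b 9ccc 1be7 b91c 7c95 a7e7 d5ee 73ae
0x00c0:  7018 8709 9857 6d70 6e3b 0b94 e917 385c
0x00d0:  b305 e6d8 d6de 71d3 0471 717e 0ac2
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")

def hexdump_to_bytes(dump):
    """Collect the hex words after each '0xNNNN:' offset; stop at the first
    non-hex token so the ASCII column of a -X dump is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s*(.*)$", line)
        if not m:
            continue
        for tok in m.group(1).split():
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def ones_complement_sum(data):
    """RFC 1071 sum; a buffer that contains a valid checksum sums to 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def guess_initial_ttl(ttl):
    """Heuristic (ours): smallest common initial TTL not below the observed
    value, and the hop count that implies."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None

def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution (max 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze(dump):
    pkt = hexdump_to_bytes(dump)
    (ver_ihl, _tos, total_len, ip_id, _flags_frag, ttl, proto, _hcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(pkt) < total_len:
        raise ValueError("not a complete IPv4/UDP packet")
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + ulen]
    payload = udp[8:]
    # The UDP checksum also covers a pseudo-header: src, dst, zero, proto, length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    initial_ttl, hops = guess_initial_ttl(ttl)
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        "ip_id": ip_id,
        "ttl": ttl,
        "initial_ttl_guess": initial_ttl,
        "hops_guess": hops,
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "udp_checksum_ok": ucsum == 0 or ones_complement_sum(pseudo + udp) == 0xFFFF,
        "payload_len": len(payload),
        # uTP (BEP 29): low nibble of byte 0 is version 1, high nibble type 0..4.
        "looks_like_utp": bool(payload) and (payload[0] & 0x0F) == 1 and (payload[0] >> 4) <= 4,
        # Bencoded DHT/tracker messages start with a dictionary, i.e. 'd'.
        "looks_like_bencode": payload[:1] == b"d",
        "entropy_bits": round(shannon_entropy(payload), 2),
    }

if __name__ == "__main__":
    for key, value in analyze(PROBE_1).items():
        print("%-20s %s" % (key, value))
```

Run against the first probe this yields src 118.104.73.202 port 63185, dst 67.43.143.210 port 22, a valid IP header checksum, TTL 109 (consistent with a 128 initial TTL and 19 hops), IP ID 0x2f (the next two packets in the dump carry 0x40 and 0x5d), and a 194-byte payload that passes neither the uTP nor the bencode check and has byte entropy above 6 bits, which is what you would expect of random or encrypted filler rather than of a recognisable BitTorrent message. The same function can be pointed at the other two dumps by pasting their hex rows.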
On 12/30/2011 01:31 PM, Yiming Gong wrote:
> ----------- nsp-security Confidential --------
>
> Here is the data from my darknet of UDP 22 scans for the past 10 days;
> in total there were 700-ish distinct IPs.
>
> +------------+-----------------+
> | date       | distinct source |
> +------------+-----------------+
> | 2011-12-21 |             269 |
> | 2011-12-22 |             465 |
> | 2011-12-23 |             445 |
> | 2011-12-24 |             449 |
> | 2011-12-25 |             369 |
> | 2011-12-26 |             457 |
> | 2011-12-27 |             512 |
> | 2011-12-28 |             406 |
> | 2011-12-29 |             491 |
> | 2011-12-30 |             348 |
> +------------+-----------------+
>
> and 3 out of 4 of your big scanners are also showing up in my database.
>
> Yiming
>
>
>
> On 12/30/2011 11:12 AM, Mike Tancsa wrote:
>> ----------- nsp-security Confidential --------
>>
>> I am seeing a sudden uptick in UDP port 22 scanning from a number of
>> hosts around the net. Anyone know what they are after? The only ref
>> I could find was for old PCAnywhere installs, but it's hard to imagine
>> there would be many of those.
>>
>> e.g. on Dec 1st, I saw 96 records into part of my AS for UDP port 22.
>>
>> On the 20th, 2,194 entries to the same subset; yesterday ~1600.
>>
>> Lengths are generally under 200 bytes. Here is one snippet. Some of
>> it is to darkspace in my network, but not all. There does seem to be
>> some BitTorrent traffic in some of the packets, but not the ones
>> doing the scanning from what I can tell so far. Some hosts will
>> scan a few /24s worth of IPs, others just a dozen.
>>
>> 11:26:26.048909 IP 118.104.73.202.63185 > 67.43.143.210.22: UDP, length 194
>>     0x0000:  4500 00de 002f 0000 6d11 b9b0 7668 49ca  E..../..m...vhI.
>>     0x0010:  432b 8fd2 f6d1 0016 00ca 71b5 8f3e fc72  C+........q..>.r
>>     0x0020:  43f6 00bd d0bb 17f6 11a2 0aee 41c0 b01b  C...........A...
>>     0x0030:  c3a1 78d8 eef9 6fc0 3a30 efc6 ffd7 fdb8  ..x...o.:0......
>>     0x0040:  ac59 24bd acb6 7d24 3c58 a084 be49 8ca0  .Y$...}$<X...I..
>>     0x0050:  2650 96c6 e902 7927 6bf7 3cdf 68b3 ba86  &P....y'k.<.h...
>>     0x0060:  0bf6 571f 5e77 c827 8185 e00e ed0f 0fc4  ..W.^w.'........
>>     0x0070:  fa83 8e74 53d7 b03f 9255 df79 c89e 7098  ...tS..?.U.y..p.
>>     0x0080:  4b8e 64b9 49ed 8c23 5eb1 7cdb 25f4 8be7  K.d.I..#^.|.%...
>>     0x0090:  d766 0c04 b3c0 6297 30d9 a6c1 51f0 454d  .f....b.0...Q.EM
>>     0x00a0:  0d31 ee7d cc2a b770 a975 b87e da09 0ed4  .1.}.*.p.u.~....
>>     0x00b0:  283b 9ccc 1be7 b91c 7c95 a7e7 d5ee 73ae  (;......|.....s.
>>     0x00c0:  7018 8709 9857 6d70 6e3b 0b94 e917 385c  p....Wmpn;....8\
>>     0x00d0:  b305 e6d8 d6de 71d3 0471 717e 0ac2       ......q..qq~..
>> 11:26:26.159270 IP 118.104.73.202.63185 > 67.43.143.211.22: UDP, length 194
>>     0x0000:  4500 00de 0040 0000 6d11 b99e 7668 49ca  E....@..m...vhI.
>>     0x0010:  432b 8fd3 f6d1 0016 00ca f408 a379 c019  C+...........y..
>>     0x0020:  25be 75c6 abdb 09bc 7299 975c 6d07 dc78  %.u.....r..\m..x
>>     0x0030:  dfb3 3928 cf2d a0a3 9f9a bfc8 983d 92d7  ..9(.-.......=..
>>     0x0040:  3c52 2c89 cf9c e369 26c7 2d6e 358f e23e  <R,....i&.-n5..>
>>     0x0050:  e769 4c1f 28de c4a8 990a 9657 d82d b370  .iL.(......W.-.p
>>     0x0060:  cfaf ba54 2a06 5fa6 9943 5124 b050 387a  ...T*._..CQ$.P8z
>>     0x0070:  c782 6611 7799 47af 4c21 9a61 5234 43d4  ..f.w.G.L!.aR4C.
>>     0x0080:  55f4 c736 af92 2d86 90b4 d1cc 163f dd66  U..6..-......?.f
>>     0x0090:  c814 c0b3 2c10 8696 ec76 c6c8 b3f5 7bac  ....,....v....{.
>>     0x00a0:  91cc 7b32 3c89 8921 55ae d6a9 f1ad 3494  ..{2<..!U.....4.
>>     0x00b0:  9d59 504e fc03 aeda 2f9f 8fe6 cacc 028d  .YPN..../.......
>>     0x00c0:  91fd 5fee 8a4d 4342 04ba 003c fb5a a822  .._..MCB...<.Z."
>>     0x00d0:  7c04 2905 0f86 83aa 7605 4459 9cba       |.).....v.DY..
>> 11:26:26.542689 IP 118.104.73.202.63185 > 67.43.143.214.22: UDP, length 194
>>     0x0000:  4500 00de 005d 0000 6d11 b97e 7668 49ca  E....]..m..~vhI.
>>     0x0010:  432b 8fd6 f6d1 0016 00ca 1e87 2f0e 9694  C+........../...
>>     0x0020:  df5a 2e62 3be3 5b43 dcb1 bdbd 3f21 3458  .Z.b;.[C....?!4X
>>     0x0030:  bf5d ace7 9270 0dc5 c8d1 4116 1d2b 60bd  .]...p....A..+`.
>>     0x0040:  87a9 fa70 dce7 604b 0ecd 5b68 c6ab 51f0  ...p..`K..[h..Q.
>>     0x0050:  d194 8c13 bdaa b9ba eb18 8188 02bb 144a  ...............J
>>     0x0060:  55a5 23db 9938 933b ff2e fa34 3df9 c3b8  U.#..8.;...4=...
>>     0x0070:  d49c db19 1e4f 212d 3d81 c1d1 c0e8 7b67  .....O!-=.....{g
>>     0x0080:  bfc3 6672 09ca eb0f c066 5b98 94db 6191  ..fr.....f[...a.
>>     0x0090:  d61e a519 f892 cade 2300 ceb9 3715 c132  ........#...7..2
>>     0x00a0:  ae3e da4e 3410 41cc 5ebb 51a6 5061 462a  .>.N4.A.^.Q.PaF*
>>     0x00b0:  a2ce 0d0c 119e a042 9e25 9832 9ce2 c07e  .......B.%.2...~
>>     0x00c0:  bf0f 10d1 53d7 463a 9365 475a f23e dbc0  ....S.F:.eGZ.>..
>>     0x00d0:  3131 bc65 dfaf 3ac8 e3ba 9ffc b2da       11.e..:.......
>>
>>
>> A few of the big scanners from Dec 29th are:
>>
>> AS    | IP             | AS Name
>> 5089  | 77.102.89.107  | NTL Virgin Media Limited (8:26 GMT)
>> 16276 | 176.31.97.12   | OVH OVH Systems (8:26 GMT)
>> 16276 | 91.121.195.217 | OVH OVH Systems (10:53 GMT)
>> 17676 | 126.131.124.76 | GIGAINFRA Softbank BB Corp. (8:21 GMT)
>>
>>
>>
>> ---Mike
>>
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________