[nsp-sec] Packetlove from AS702 / 212.157.2.130
Serge Droz
serge.droz at switch.ch
Thu Jun 30 15:49:53 EDT 2011
Hi Robert, all
Any progress on this IP? We still see around 4-7 bps coming from this
address. Since we're dealing with UDP, this could be spoofed
traffic. But we only see this coming in on one of our border routes, so
the spoofing, if any, has to take place further upstream.
Any help is appreciated.
Cheers
Serge
On 06/29/2011 05:49 PM, Robert wrote:
> ----------- nsp-security Confidential --------
>
> ACK
>
> Robert
> Verizon AS702
>
> On 06/29/2011 09:31 AM, Serge Droz wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hello List,
>>
>> we're getting some packet love since mid-afternoon from 212.157.2.130.
>> Any help is appreciated.
>>
>>> Top 10 flows ordered by flows:
>>> Date flow start Duration Proto Src IP Addr Dst IP Addr Dst Pt Packets Bytes bps Bpp Flows
>>> 2011-06-29 05:03:04.805 304.165 UDP 212.157.2.130 152.96.109.99 57327 1.8 M 278.7 M 7.3 M 152 195
>>
>> ...
>>
>>> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
>>> 2011-06-29 15:04:59.696 304.000 UDP 212.157.2.130:2371 -> 152.96.109.99:57327 6152 935104 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2163 -> 152.96.109.99:57327 6164 936928 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2078 -> 152.96.109.99:57327 6171 937992 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2329 -> 152.96.109.99:57327 5867 891784 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2303 -> 152.96.109.99:57327 5828 885856 1
>>> 2011-06-29 15:06:43.684 303.936 UDP 212.157.2.130:2132 -> 152.96.109.99:57327 6104 927808 1
>>> 2011-06-29 15:06:43.684 303.936 UDP 212.157.2.130:2229 -> 152.96.109.99:57327 6137 932824 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2276 -> 152.96.109.99:57327 6045 918840 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2239 -> 152.96.109.99:57327 5946 903792 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2241 -> 152.96.109.99:57327 5949 904248 1
>>> 2011-06-29 15:06:43.684 303.936 UDP 212.157.2.130:2093 -> 152.96.109.99:57327 6000 912000 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2184 -> 152.96.109.99:57327 6164 936928 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2272 -> 152.96.109.99:57327 6108 928416 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2325 -> 152.96.109.99:57327 5861 890872 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2344 -> 152.96.109.99:57327 6067 922184 1
>>> 2011-06-29 15:06:43.683 304.000 UDP 212.157.2.130:2127 -> 152.96.109.99:57327 6179 939208 1
>>> 2011-06-29 15:06:43.683 304.000 UDP 212.157.2.130:2282 -> 152.96.109.99:57327 6093 926136 1
>>> 2011-06-29 15:06:43.683 304.000 UDP 212.157.2.130:2319 -> 152.96.109.99:57327 6173 938296 1
>>> 2011-06-29 15:06:43.683 304.000 UDP 212.157.2.130:2203 -> 152.96.109.99:57327 6085 924920 1
>>
>> Any help is appreciated
>>
>> Thanks a lot
>> Serge
>>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
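Added example, not part of the original thread and not the output of any tool used in it: a Python script that parses flow records in the layout quoted above and aggregates them per (protocol, source, destination, destination port), making the pattern in the listing explicit: many source ports, one destination port, a constant packet size. The regular expression and the `summarize` function are assumptions of this example; the four sample records are copied from the quoted listing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Four records copied from the flow listing quoted in the thread.
SAMPLE = """\
>>> 2011-06-29 15:04:59.696 304.000 UDP 212.157.2.130:2371 -> 152.96.109.99:57327 6152 935104 1
>>> 2011-06-29 15:06:43.684 304.000 UDP 212.157.2.130:2163 -> 152.96.109.99:57327 6164 936928 1
>>> 2011-06-29 15:06:43.684 303.936 UDP 212.157.2.130:2132 -> 152.96.109.99:57327 6104 927808 1
>>> 2011-06-29 15:06:43.683 304.000 UDP 212.157.2.130:2127 -> 152.96.109.99:57327 6179 939208 1
"""

FLOW_RE = re.compile(
    r"(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

def summarize(text):
    """Aggregate flow records per (proto, src, dst, dst port)."""
    groups = defaultdict(lambda: {"flows": 0, "sports": set(), "packets": 0,
                                  "bytes": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = FLOW_RE.search(line)      # search() skips the "> " quote prefix
        if not m:
            continue                  # header rows, "..." and prose lines
        start = datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S.%f")
        end = start + timedelta(seconds=float(m["dur"]))
        g = groups[(m["proto"], m["src"], m["dst"], int(m["dport"]))]
        g["flows"] += int(m["flows"])
        g["sports"].add(int(m["sport"]))
        g["packets"] += int(m["pkts"])
        g["bytes"] += int(m["bytes"])
        g["first"] = start if g["first"] is None else min(g["first"], start)
        g["last"] = end if g["last"] is None else max(g["last"], end)
    out = {}
    for key, g in groups.items():
        # Observation window: earliest flow start to latest flow end.
        span = (g["last"] - g["first"]).total_seconds()
        out[key] = {
            "flows": g["flows"],
            "src_ports": len(g["sports"]),
            "packets": g["packets"], "bytes": g["bytes"],
            "bytes_per_packet": g["bytes"] // g["packets"] if g["packets"] else 0,
            "avg_bps": round(g["bytes"] * 8 / span) if span > 0 else 0,
        }
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `avg_bps` value covers only the records passed in, so for the four sample lines it is far below the aggregate rate reported in the thread.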