[nsp-sec] huge spikes in tcp 53. rackspace owns one of the ddos victims:(
King, Link
Link.King at neustar.com
Wed Mar 16 18:53:35 EDT 2011
>
>I see a HUGE uptick on tcp 53 on Feb 26th:
>http://isc.sans.edu/port.html?port=53
>
>date        records  targets  sources  tcpratio
>2011-02-26   171950    65816     6908        51
>
>Up till that point it was nearly all udp 53 being reported.
>
>
>So I did an 8-week and a 52-week graph from our netflow system (Arbor) on
>tcp 53.
>
>On the 8-week graph you will see a HUGE increase (from ~0 Mb/s to 800 Mb/s of
>tcp 53) on January 23rd or so and another on March 10th or so.
>
>So something out there is doing very bursty tcp 53 connections/scans.
># IP
>1263 61.161.141.4
> 841 76.74.170.250
> 797 76.74.170.249
> 797 76.74.170.243
> 791 76.74.170.245
> 706 76.74.170.244
> 705 76.74.170.248
> 703 76.74.170.246
>
I took a quick look at our recursive traffic and noticed this from the
Adobe IPs above (one example):
22:39:22.894763 IP 76.74.170.243.4669 > 204.74.103.146.53: S 211873738:211873738(0) win 2048
22:39:22.894829 IP 204.74.103.146.53 > 76.74.170.243.4669: S 3914357935:3914357935(0) ack 211873739 win 5840 <mss 1460>
22:39:22.962965 IP 76.74.170.243.4669 > 204.74.103.146.53: R 211873739:211873739(0) win 0
22:39:22.966669 IP 76.74.170.243.4737 > 204.74.103.146.53: S 4051229293:4051229293(0) win 2048
22:39:22.966736 IP 204.74.103.146.53 > 76.74.170.243.4737: S 3900807425:3900807425(0) ack 4051229294 win 5840 <mss 1460>
22:39:23.035276 IP 76.74.170.243.4737 > 204.74.103.146.53: R 4051229294:4051229294(0) win 0
22:39:23.035856 IP 76.74.170.243.4794 > 204.74.103.146.53: S 2449220345:2449220345(0) win 2048
22:39:23.035954 IP 204.74.103.146.53 > 76.74.170.243.4794: S 3908594633:3908594633(0) ack 2449220346 win 5840 <mss 1460>
22:39:23.104104 IP 76.74.170.243.4794 > 204.74.103.146.53: R 2449220346:2449220346(0) win 0
Small bursts like that. Seems to RST immediately and then initiate a new
connection. It does repeat, but thus far not in any sort of predictable
fashion (from 1 to 7 minutes). Simple port monitor/scan of some sort?
--
Link King
link.king at neustar.com
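The pattern in the trace above (client SYN, server SYN/ACK, client RST with no ACK and no payload, i.e. a half-open port check) is easy to pick out mechanically. The script below is an added example, not part of the original post or of any tool the poster used: it parses tcpdump lines in the same format, groups packets into flows, labels each flow as half-open, completed or other, and reports per source how many half-open probes hit port 53 and how far apart the probe bursts are. The sample trace embedded in it is constructed: it reuses the three probes shown above and adds a second burst, a legitimate client that completes the handshake and sends a query, and a lone unanswered SYN, so all three labels are exercised. The 1-second burst threshold and the 10.0.0.5 / 192.0.2.9 addresses are assumptions for the example.

```python
"""Flag half-open TCP/53 probes (SYN, SYN/ACK, client RST, no data) in a tcpdump trace.

Added example; not the poster's tooling. Expects classic tcpdump TCP lines (no -S/-v).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's trace: the three real probes, a second
# burst ~3 minutes later, one legitimate client (10.0.0.5, assumed) that finishes the
# handshake and sends a 30-byte query, and one unanswered SYN (192.0.2.9, assumed).
SAMPLE_TRACE = """\
22:39:22.894763 IP 76.74.170.243.4669 > 204.74.103.146.53: S 211873738:211873738(0) win 2048
22:39:22.894829 IP 204.74.103.146.53 > 76.74.170.243.4669: S 3914357935:3914357935(0) ack 211873739 win 5840 <mss 1460>
22:39:22.962965 IP 76.74.170.243.4669 > 204.74.103.146.53: R 211873739:211873739(0) win 0
22:39:22.966669 IP 76.74.170.243.4737 > 204.74.103.146.53: S 4051229293:4051229293(0) win 2048
22:39:22.966736 IP 204.74.103.146.53 > 76.74.170.243.4737: S 3900807425:3900807425(0) ack 4051229294 win 5840 <mss 1460>
22:39:23.035276 IP 76.74.170.243.4737 > 204.74.103.146.53: R 4051229294:4051229294(0) win 0
22:39:23.035856 IP 76.74.170.243.4794 > 204.74.103.146.53: S 2449220345:2449220345(0) win 2048
22:39:23.035954 IP 204.74.103.146.53 > 76.74.170.243.4794: S 3908594633:3908594633(0) ack 2449220346 win 5840 <mss 1460>
22:39:23.104104 IP 76.74.170.243.4794 > 204.74.103.146.53: R 2449220346:2449220346(0) win 0
22:40:01.000000 IP 10.0.0.5.50000 > 204.74.103.146.53: S 1000:1000(0) win 65535 <mss 1460>
22:40:01.000100 IP 204.74.103.146.53 > 10.0.0.5.50000: S 2000:2000(0) ack 1001 win 5840 <mss 1460>
22:40:01.000200 IP 10.0.0.5.50000 > 204.74.103.146.53: . ack 1 win 65535
22:40:01.000300 IP 10.0.0.5.50000 > 204.74.103.146.53: P 1:31(30) ack 1 win 65535
22:42:30.000000 IP 76.74.170.243.4900 > 204.74.103.146.53: S 5000:5000(0) win 2048
22:42:30.000100 IP 204.74.103.146.53 > 76.74.170.243.4900: S 6000:6000(0) ack 5001 win 5840 <mss 1460>
22:42:30.070000 IP 76.74.170.243.4900 > 204.74.103.146.53: R 5001:5001(0) win 0
22:43:00.000000 IP 192.0.2.9.3333 > 204.74.103.146.53: S 7000:7000(0) win 1024
"""

# timestamp, src.port > dst.port: flags [seq:seq(len)] [ack N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)"
    r"(?: \d+:\d+\((?P<plen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Return one packet as a dict, or None for lines that are not TCP in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "ack": d["ack"] is not None,
        "plen": int(d["plen"] or 0),
    }


def classify_flows(lines):
    """Group packets by client 4-tuple and label each flow.

    half_open : client SYN, server SYN/ACK, client RST; no client ACK and no payload
    completed : client ACK seen (handshake finished)
    other     : anything else, e.g. a SYN that never got an answer
    """
    flows = defaultdict(lambda: {"syn": None, "synack": False, "ack": False, "rst": False, "bytes": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"] and not p["ack"]:        # client SYN opens a flow
            flows[key]["syn"] = p["ts"]
        elif key in flows:                             # client -> server
            f = flows[key]
            if "R" in p["flags"]:
                f["rst"] = True
            elif p["ack"]:
                f["ack"] = True
            f["bytes"] += p["plen"]
        elif rkey in flows and "S" in p["flags"] and p["ack"]:   # server SYN/ACK
            flows[rkey]["synack"] = True
    for f in flows.values():
        if f["syn"] and f["synack"] and f["rst"] and not f["ack"] and f["bytes"] == 0:
            f["label"] = "half_open"
        elif f["syn"] and f["ack"]:
            f["label"] = "completed"
        else:
            f["label"] = "other"
    return flows


def summarize(lines, dport=53, burst_gap=1.0):
    """Per source IP: flow label counts against dport, number of probe bursts, and gaps between bursts (s)."""
    by_src = defaultdict(lambda: {"half_open": 0, "completed": 0, "other": 0, "times": []})
    for (src, _, _, dp), f in classify_flows(lines).items():
        if dp != dport:
            continue
        by_src[src][f["label"]] += 1
        if f["label"] == "half_open":
            by_src[src]["times"].append(f["syn"])
    out = {}
    for src, s in by_src.items():
        # probes closer than burst_gap seconds form one burst; report the inter-burst spacing
        starts, last = [], None
        for t in sorted(s["times"]):
            if last is None or (t - last).total_seconds() > burst_gap:
                starts.append(t)
            last = t
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(starts, starts[1:])]
        out[src] = {"half_open": s["half_open"], "completed": s["completed"],
                    "other": s["other"], "bursts": len(starts), "burst_gaps_s": gaps}
    return out


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_TRACE.splitlines()).items()):
        print(src, info)
```

Run it as-is to see the constructed sample scored, or pipe a real capture through `summarize(sys.stdin)`. A source with many half-open flows, zero completed ones and regular burst spacing is the signature of a port monitor; a burst count that keeps growing across minutes is what separates a probe from a one-off connectivity test.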