[nsp-sec] Odd packets from 255.127.0.0
Borja Marcos
BORJAMAR at SARENET.ES
Mon Oct 6 16:35:48 EDT 2014
On 06/10/2014, at 20:10, Mike Tancsa <mike at sentex.net> wrote:
> ----------- nsp-security Confidential --------
> I think for me, it's the src addr that's oddly specific and novel. But I guess that's just a symptom of the larger issue?
Yes, and how it has begun suddenly.
>
> Looking a little more, there seems to be a marked jump in tcp port 0 traffic coming into my AS. On one segment I had a look at shows quite an increase starting yesterday and continuing today.
>
> Date   port 0 TCP pkts
> 03     29,021
> 04     20,573
> 05     2,259,555
> 06     2,926,453
I have a store of darknet traffic (two /23 prefixes). Checking year 2014 for traffic with a source address belonging to 240.0.0.0/4 I get these packet counts:
2 2014-05-17
2 2014-05-20
31 2014-05-21
53 2014-05-23
2 2014-07-08
141 2014-07-18
81 2014-07-19
166 2014-07-20
8 2014-07-21
18 2014-07-31
36 2014-08-01
92 2014-08-02
55 2014-08-04
18 2014-08-05
43 2014-08-06
18 2014-08-07
8 2014-08-08
28 2014-08-09
24 2014-08-10
19777 2014-10-05
70534 2014-10-06
A friend has just told me that he had a server with a bot installed through a CGI-exploited bash, and it began spewing lots of packets following this description; it seems it started around the same time (Oct 5th 21:00 - 21:30 UTC).
Maybe some botched bot? I will try to get more data tomorrow.
Borja.
This is what I see (1/1000 sampling, traffic to our AS3262)
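The two checks discussed in this thread (packets whose source address falls in the reserved 240.0.0.0/4 block, which covers 255.127.0.0, and TCP packets to port 0) are easy to reproduce over flow or darknet records. The script below is an added example and is not part of the original thread or of anyone's tooling at Sarenet or Sentex; the flow records it parses are constructed sample data in a made-up "date src proto dst_port packets" format, and the function names are my own. Since 240.0.0.0/4 is reserved, no legitimate Internet traffic should carry such a source, which is why a per-day count of it on a darknet is a clean signal.

```python
"""Added example (not from the nsp-sec thread): count darknet/flow packets
from the reserved 240.0.0.0/4 block and TCP packets to port 0, per day."""
import ipaddress
from collections import Counter

# 240.0.0.0/4 is reserved (the old "Class E" range); 255.127.0.0 is inside it.
RESERVED_SRC = ipaddress.ip_network("240.0.0.0/4")

# Constructed sample records, not real data. Format (assumed, my own):
# "date src_ip proto dst_port packets"
SAMPLE_FLOWS = """\
2014-10-04 198.51.100.7 tcp 443 3
2014-10-05 255.127.0.0 tcp 0 120
2014-10-05 203.0.113.9 tcp 0 4
2014-10-05 240.1.2.3 udp 53 7
2014-10-06 255.127.0.0 tcp 0 800
2014-10-06 192.0.2.55 tcp 22 2
2014-10-06 250.0.0.1 tcp 0 15
"""


def parse_flow(line):
    """Parse one record into a dict; raises ValueError on a malformed line."""
    date, src, proto, dport, pkts = line.split()
    return {
        "date": date,
        "src": ipaddress.ip_address(src),
        "proto": proto.lower(),
        "dport": int(dport),
        "pkts": int(pkts),
    }


def iter_flows(text):
    """Yield parsed records, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            yield parse_flow(line)


def count_reserved_src_by_day(text):
    """Packets per day whose source address lies in 240.0.0.0/4
    (the 'uniq -c'-style listing in the mail, as a dict)."""
    counts = Counter()
    for f in iter_flows(text):
        if f["src"] in RESERVED_SRC:
            counts[f["date"]] += f["pkts"]
    return dict(counts)


def count_tcp_port0_by_day(text):
    """Packets per day that are TCP with destination port 0."""
    counts = Counter()
    for f in iter_flows(text):
        if f["proto"] == "tcp" and f["dport"] == 0:
            counts[f["date"]] += f["pkts"]
    return dict(counts)


def top_reserved_sources(text, n=3):
    """Most active source addresses inside 240.0.0.0/4, as (addr, packets)."""
    counts = Counter()
    for f in iter_flows(text):
        if f["src"] in RESERVED_SRC:
            counts[str(f["src"])] += f["pkts"]
    return counts.most_common(n)


if __name__ == "__main__":
    for day, pkts in sorted(count_reserved_src_by_day(SAMPLE_FLOWS).items()):
        print(f"{pkts:>8} {day}  (src in 240.0.0.0/4)")
    for day, pkts in sorted(count_tcp_port0_by_day(SAMPLE_FLOWS).items()):
        print(f"{pkts:>8} {day}  (tcp dport 0)")
    print("top reserved sources:", top_reserved_sources(SAMPLE_FLOWS))
```

Run against real sampled flow data the counts need scaling by the sampling rate (1/1000 in Mike's and Borja's figures); the point of the two separate counters is that a jump in one that is not mirrored in the other tells you whether you are looking at one source-spoofing bot or at a broader port-0 wave.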