[nsp-sec] Odd packets from 255.127.0.0

Schiel, John John.Schiel at twtelecom.com
Mon Oct 6 16:39:51 EDT 2014



> -----Original Message-----
> From: nsp-security [mailto:nsp-security-bounces at puck.nether.net] On Behalf
> Of Borja Marcos
> Sent: Monday, October 06, 2014 2:36 PM
> To: Mike Tancsa
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Odd packets from 255.127.0.0
>
> ----------- nsp-security Confidential --------
>
>
> On 06/10/2014, at 20:10, Mike Tancsa <mike at sentex.net> wrote:
>
> > ----------- nsp-security Confidential --------
> > I think for me, it's the src addr that's oddly specific and novel. But I guess that's just a symptom of
> the larger issue?
>
> Yes, and how it has begun suddenly.
> >
> > Looking a little more, there seems to be a marked jump in tcp port 0 traffic
> coming into my AS.  On one segment I had a look at shows quite an increase
> starting yesterday and continuing today.
> >
> > Date   port 0 TCP pkts
> > 03         29,021
> > 04         20,573
> > 05      2,259,555
> > 06      2,926,453
>
>
> I have a store of darknet traffic (two /23 prefixes). Checking year 2014 for
> traffic with a source address belonging to 240.0.0.0/4 I get these packet
> counts:
>
>    2 2014-05-17
>    2 2014-05-20
>   31 2014-05-21
>   53 2014-05-23
>    2 2014-07-08
>  141 2014-07-18
>   81 2014-07-19
>  166 2014-07-20
>    8 2014-07-21
>   18 2014-07-31
>   36 2014-08-01
>   92 2014-08-02
>   55 2014-08-04
>   18 2014-08-05
>   43 2014-08-06
>   18 2014-08-07
>    8 2014-08-08
>   28 2014-08-09
>   24 2014-08-10
> 19777 2014-10-05
> 70534 2014-10-06
>
> A friend has just told me that he had a server with a bot installed through a
> CGI-exploited bash and it began spewing lots of packets following this
> description, and it seems it started around the same time (Oct 5th 21:00 -
> 21:30 UTC)
>

I'm seeing traffic from this timeframe also.

--John

> Maybe some botched bot? I will try to get more data tomorrow.
>
>
>
>
>
> Borja.
>
>
> This is what I see (1/1000 sampling, traffic to our AS3262)
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-
> measures.
> _______________________________________________
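The two checks the thread is running by hand (Borja's per-day count of darknet packets with a source in 240.0.0.0/4, and Mike's per-day count of TCP port 0 packets) can be scripted over flow records. The block below is an added example written for this archive page, not code from either poster. It assumes a simple whitespace-separated flow format (ISO timestamp, src, dst, proto, sport, dport, packet count) and uses constructed sample records; the `sample_divisor` argument scales counts taken from sampled collectors such as the 1/1000 sampling Borja mentions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records for illustration (not data from the thread).
# Fields: timestamp src dst proto sport dport packets
SAMPLE_FLOWS = """\
2014-07-18T12:00:00Z 250.1.2.3     198.51.100.8  tcp 1234  22   1
2014-10-05T21:05:12Z 255.127.0.0   198.51.100.7  tcp 0     0    12
2014-10-05T21:07:40Z 203.0.113.9   198.51.100.7  tcp 44321 443  3
2014-10-06T03:14:01Z 255.127.0.0   198.51.100.22 tcp 0     80   40
2014-10-06T09:00:00Z 240.10.1.1    198.51.100.30 udp 5353  5353 2
2014-10-06T10:22:19Z 192.0.2.55    198.51.100.7  tcp 52000 0    5
"""

# Reserved "Class E" space; a legitimate Internet host never sources packets from it.
RESERVED_240_4 = ipaddress.ip_network("240.0.0.0/4")

SRC_RESERVED = "src_in_240/4"
TCP_PORT_0 = "tcp_port_0"


@dataclass
class Flow:
    date: str      # YYYY-MM-DD, taken from the timestamp
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int


def parse_flow(line):
    """Parse one record in the assumed flow format into a Flow."""
    ts, src, dst, proto, sport, dport, packets = line.split()
    return Flow(ts[:10], src, dst, proto.lower(), int(sport), int(dport), int(packets))


def flags(flow):
    """Return the list of anomaly labels that apply to a flow."""
    out = []
    if ipaddress.ip_address(flow.src) in RESERVED_240_4:
        out.append(SRC_RESERVED)
    # TCP with port 0 on either side, as in the port-0 jump Mike reported.
    if flow.proto == "tcp" and 0 in (flow.sport, flow.dport):
        out.append(TCP_PORT_0)
    return out


def daily_counts(text, sample_divisor=1):
    """Tally flagged packets per day, scaling by the collector's sampling rate.

    Returns {date: {label: packet_count}} with both labels always present.
    """
    counts = defaultdict(lambda: {SRC_RESERVED: 0, TCP_PORT_0: 0})
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for label in flags(flow):
            counts[flow.date][label] += flow.packets * sample_divisor
    return dict(counts)


def format_report(counts):
    """Render the tally in the same date / packet-count layout the thread uses."""
    lines = [f"{'date':<12}{SRC_RESERVED:>14}{TCP_PORT_0:>12}"]
    for date in sorted(counts):
        row = counts[date]
        lines.append(f"{date:<12}{row[SRC_RESERVED]:>14,}{row[TCP_PORT_0]:>12,}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_counts(SAMPLE_FLOWS)))
```

A sudden step in either column, like the jump from tens of packets per day to tens of thousands on 2014-10-05 in Borja's darknet data, is the signal worth alerting on; a 240.0.0.0/4 source should also be dropped at the edge as a bogon regardless of volume.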





