[nsp-sec] Odd packets from 255.127.0.0

Damian Menscher damian at google.com
Mon Oct 6 18:18:19 EDT 2014


On Mon, Oct 6, 2014 at 1:35 PM, Borja Marcos <BORJAMAR at sarenet.es> wrote:

> A friend has just told me that he had a server with a bot installed
> through a CGI exploited bash and it began spewing lots of packets following
> this description and it seems it started around the same time (Oct 5th
> 21:00 - 21:30 UTC)
>
> Maybe some botched bot? I will try to get more data tomorrow.
>

We first saw this at 2014-10-05 21:02 UTC, and it was widespread by 21:12
(so, about 10-15 mins to propagate globally).

Regardless of the cause, this provides an interesting view into which ISPs
still aren't doing egress filtering in accordance with BCP38.  My top 10
abusers seen today:

174 - COGENT
20860 - IOMART-RAPIDSWITCH
4788 - TMNET
174 - COGENT [over another link]
23944 - SKYBB
45194 - SIPL
ANY2 peering exchange
9416 - MULTIMEDIA
9318 - HANARO
EQUINIX peering exchange

If we have people here from any of those places, they should take a serious
look at their configs.  (This isn't to say others are clean -- there's a
long tail of providers here and this is just the top 10 by packet count.)

Damian
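
One way to produce a per-ingress ranking like the list above, as an added example that is not part of the original message and not the tooling used for it: flag flow records whose source address lies in space that can never be a legitimate Internet source (255.127.0.0 sits inside 240.0.0.0/4) and sum packets per ingress peer or link. The flow tuple layout, the function names, the ASN labels and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Subset of special-purpose IPv4 ranges that should never show up as a source
# on an Internet-facing link. 255.127.0.0 (this thread) is in 240.0.0.0/4.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon_source(addr):
    """True if addr falls inside one of the never-valid source ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_SOURCES)

def rank_ingress_by_bogon_packets(flows, top=10):
    """flows: iterable of (src_ip, ingress_label, packets) tuples (assumed
    layout). Returns [(ingress_label, packets)] for bogon-sourced traffic
    only, highest packet count first."""
    totals = Counter()
    for src, ingress, packets in flows:
        if is_bogon_source(src):
            totals[ingress] += packets
    return totals.most_common(top)

# Constructed sample records. ASNs are from the documentation range, and
# 198.51.100.7 / 203.0.113.9 stand in for ordinary routable sources.
# The same peer appears over two links, so each link is ranked separately.
SAMPLE_FLOWS = [
    ("255.127.0.0", "AS64500 link-a", 1250),
    ("255.127.0.0", "AS64501", 300),
    ("198.51.100.7", "AS64500 link-a", 5000),
    ("255.127.0.0", "AS64500 link-b", 450),
    ("255.127.0.0", "AS64501", 900),
    ("203.0.113.9", "AS64502", 40),
    ("10.1.2.3", "IX-1", 75),
]

if __name__ == "__main__":
    for ingress, pkts in rank_ingress_by_bogon_packets(SAMPLE_FLOWS):
        print(f"{pkts:>8}  {ingress}")
```
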


