[nsp-sec] Looking for a PoC at AS10439 - CariNet, Inc.
Mike Tancsa
mike at sentex.net
Wed Jul 8 15:16:04 EDT 2015
On 7/8/2015 12:43 PM, Dario Ciccarone wrote:
> ----------- nsp-security Confidential --------
>
> Based on analysis of the crash information, the traffic seems to be
> coming from address 71.6.142.125 - allocated to CariNet, Inc.
>
>
> http://whois.arin.net/rest/nets;q=71.6.142.125?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
>
> We completely understand this could be spoofed - however, we would
> like to reach out to CariNet, see if they have any knowledge of this
> activity.
I don't have a PoC, but some data points from my AS (11647).
We saw sweeps coming from that IP starting 02:40 GMT-4 (Eastern). It
came in to us (AS11647) via our TATA transit (AS6453 in Toronto), which is one AS
hop farther than via our Cogent transit link (AS174). But we see their
network as:
174 10439
6453 174 10439
so I am not sure why we would see it come in via TATA instead of Cogent.
Of course there are scenarios where this is quite deliberate, but it's odd.
Also, against the case for multiple sources spoofing the one IP, I don't
see it coming from multiple paths. Granted, we are a small network, but
I thought I would see some instances from different locations.
A snippet of the scan pattern looks as follows, starting from the first
packet from them.
StartTime SrcAddr DstAddr
07-08 02:40:05 71.6.142.125 64.7.136.186
07-08 02:40:10 71.6.142.125 64.7.136.160
07-08 02:42:14 71.6.142.125 64.7.143.126
07-08 02:42:13 71.6.142.125 64.7.147.30
07-08 02:42:25 71.6.142.125 98.159.241.87
07-08 02:42:25 71.6.142.125 98.159.241.87
07-08 02:42:16 71.6.142.125 64.7.147.126
07-08 02:42:18 71.6.142.125 64.7.147.174
07-08 02:42:20 71.6.142.125 64.7.147.164
07-08 02:42:30 71.6.142.125 64.7.143.122
07-08 02:42:25 71.6.142.125 64.7.147.120
07-08 02:42:36 71.6.142.125 64.7.143.73
07-08 02:42:26 71.6.142.125 64.7.147.70
07-08 02:42:30 71.6.142.125 64.7.147.150
07-08 02:42:31 71.6.142.125 64.7.147.87
07-08 02:42:41 71.6.142.125 98.159.241.83
07-08 02:42:41 71.6.142.125 98.159.241.83
07-08 02:42:33 71.6.142.125 64.7.147.122
07-08 02:42:34 71.6.142.125 64.7.147.96
07-08 02:42:34 71.6.142.125 64.7.147.180
07-08 02:42:35 71.6.142.125 64.7.147.102
07-08 02:42:44 71.6.142.125 64.7.143.111
07-08 02:42:44 71.6.142.125 64.7.143.111
07-08 02:42:36 71.6.142.125 64.7.147.83
07-08 02:42:38 71.6.142.125 64.7.147.73
07-08 02:42:39 71.6.142.125 64.7.147.186
07-08 02:42:39 71.6.142.125 64.7.147.52
07-08 02:42:39 71.6.142.125 64.7.147.99
07-08 02:42:40 71.6.142.125 64.7.147.63
07-08 02:42:42 71.6.142.125 64.7.147.163
07-08 02:42:42 71.6.142.125 64.7.147.173
07-08 02:42:42 71.6.142.125 64.7.147.39
07-08 02:42:46 71.6.142.125 64.7.147.111
07-08 02:42:46 71.6.142.125 64.7.147.158
07-08 02:42:48 71.6.142.125 64.7.147.192
07-08 02:42:49 71.6.142.125 64.7.147.34
07-08 02:42:50 71.6.142.125 64.7.147.147
07-08 02:43:02 71.6.142.125 64.7.146.248
07-08 02:43:02 71.6.142.125 64.7.143.155
07-08 02:42:53 71.6.142.125 64.7.147.129
07-08 02:42:56 71.6.142.125 64.7.147.170
07-08 02:42:57 71.6.142.125 64.7.147.23
07-08 02:42:58 71.6.142.125 64.7.143.143
07-08 02:42:58 71.6.142.125 64.7.147.143
07-08 02:43:08 71.6.142.125 64.7.143.108
07-08 02:43:08 71.6.142.125 64.7.143.108
07-08 02:43:00 71.6.142.125 64.7.147.178
07-08 02:43:00 71.6.142.125 64.7.147.195
07-08 02:43:01 71.6.142.125 64.7.147.184
07-08 02:43:10 71.6.142.125 64.7.143.109
07-08 02:43:10 71.6.142.125 64.7.143.109
07-08 02:43:11 71.6.142.125 64.7.143.119
07-08 02:43:05 71.6.142.125 64.7.147.32
07-08 02:43:05 71.6.142.125 64.7.147.155
07-08 02:43:07 71.6.142.125 64.7.147.176
07-08 02:43:07 71.6.142.125 64.7.146.236
07-08 02:43:09 71.6.142.125 64.7.147.18
07-08 02:43:19 71.6.142.125 64.7.146.237
07-08 02:43:19 71.6.142.125 64.7.143.115
07-08 02:43:10 71.6.142.125 64.7.147.108
07-08 02:43:11 71.6.142.125 64.7.147.44
07-08 02:43:11 71.6.142.125 64.7.147.38
07-08 02:43:21 71.6.142.125 64.7.143.116
07-08 02:43:21 71.6.142.125 64.7.143.145
07-08 02:43:13 71.6.142.125 64.7.147.109
07-08 02:43:13 71.6.142.125 64.7.147.119
07-08 02:43:24 71.6.142.125 64.7.143.106
07-08 02:43:24 71.6.142.125 64.7.143.106
07-08 02:43:26 71.6.142.125 67.43.143.32
07-08 02:43:18 71.6.142.125 64.7.147.22
07-08 02:43:21 71.6.142.125 64.7.147.115
07-08 02:43:22 71.6.142.125 64.7.147.95
07-08 02:43:23 71.6.142.125 64.7.147.145
07-08 02:43:23 71.6.142.125 64.7.147.116
07-08 02:43:26 71.6.142.125 64.7.147.106
07-08 02:43:27 71.6.142.125 64.7.147.68
07-08 02:43:36 71.6.142.125 64.7.147.25
07-08 02:43:49 71.6.142.125 98.159.245.244
07-08 02:43:50 71.6.142.125 98.159.245.169
07-08 02:43:45 71.6.142.125 64.7.147.123
07-08 02:43:54 71.6.142.125 98.159.245.185
07-08 02:43:56 71.6.142.125 98.159.245.233
07-08 02:43:59 71.6.142.125 98.159.245.144
07-08 02:43:59 71.6.142.125 98.159.245.167
07-08 02:43:53 71.6.142.125 64.7.147.31
07-08 02:44:04 71.6.142.125 98.159.245.253
07-08 02:44:13 71.6.142.125 98.159.245.223
07-08 02:44:13 71.6.142.125 98.159.245.155
07-08 02:44:15 71.6.142.125 98.159.245.149
07-08 02:44:17 71.6.142.125 98.159.245.239
07-08 02:44:18 71.6.142.125 98.159.245.231
07-08 02:44:19 71.6.142.125 98.159.245.157
07-08 02:44:19 71.6.142.125 98.159.245.234
07-08 02:44:20 71.6.142.125 98.159.245.206
07-08 02:44:22 71.6.142.125 98.159.245.214
07-08 02:44:23 71.6.142.125 98.159.245.237
07-08 02:44:24 71.6.142.125 98.159.245.196
07-08 02:44:26 71.6.142.125 98.159.245.228
07-08 02:44:27 71.6.142.125 98.159.245.249
07-08 02:44:27 71.6.142.125 98.159.245.247
07-08 02:44:27 71.6.142.125 98.159.245.178
07-08 02:44:29 71.6.142.125 98.159.245.173
07-08 02:44:29 71.6.142.125 98.159.245.212
07-08 02:44:30 71.6.142.125 98.159.245.236
07-08 02:44:31 71.6.142.125 98.159.245.209
07-08 02:44:31 71.6.142.125 98.159.245.220
07-08 02:44:34 71.6.142.125 98.159.245.252
07-08 02:44:36 71.6.142.125 98.159.245.240
07-08 02:44:38 71.6.142.125 98.159.245.166
07-08 02:44:39 71.6.142.125 98.159.245.148
07-08 02:44:40 71.6.142.125 67.43.140.207
07-08 02:44:42 71.6.142.125 98.159.245.132
07-08 02:44:44 71.6.142.125 98.159.245.116
07-08 02:44:48 71.6.142.125 67.43.140.226
07-08 02:44:48 71.6.142.125 98.159.245.241
07-08 02:44:49 71.6.142.125 98.159.245.248
07-08 02:44:51 71.6.142.125 67.43.140.254
07-08 02:44:52 71.6.142.125 67.43.140.92
07-08 02:44:52 71.6.142.125 98.159.245.187
07-08 02:44:54 71.6.142.125 67.43.140.238
07-08 02:44:55 71.6.142.125 67.43.140.214
07-08 02:44:55 71.6.142.125 67.43.140.150
07-08 02:44:56 71.6.142.125 67.43.140.166
07-08 02:44:57 71.6.142.125 67.43.140.125
07-08 02:44:58 71.6.142.125 98.159.245.221
07-08 02:44:59 71.6.142.125 67.43.140.218
07-08 02:44:59 71.6.142.125 98.159.245.143
07-08 02:44:59 71.6.142.125 67.43.140.191
07-08 02:44:59 71.6.142.125 67.43.140.245
07-08 02:45:00 71.6.142.125 98.159.245.175
07-08 02:45:00 71.6.142.125 98.159.245.219
07-08 02:45:00 71.6.142.125 67.43.140.69
I don't see an obvious pattern. It doesn't seem to start on our network
boundaries either.... Taking the first 1000 entries and sorting them,
they are not totally sequential. It could just be they maxed their
outbound limits, so packets are being dropped, or multiple scanners
behind a single NAT source?
Looking at the ephemeral ports, I see
% ra -nr /tmp/attacker.arg -ssport - udp | sort | uniq -c
1 Sport
2 39368
9213 57572
Almost all with a source port of 57572 and just two with 39368?!?
StartTime    Flgs Proto SrcAddr              Dir  DstAddr              TotPkts TotBytes State
07-08 02:58* eU   udp   71.6.142.125.57572   <->  64.7.140.62.500        2      142    CON
07-08 02:58* e    icmp  71.6.142.125.0x0303  ->   64.7.140.62.0xe4e0     1      110    URP
07-08 03:12* e    udp   71.6.142.125.39368   <->  64.7.140.62.500        3      710    CON
07-08 03:13* e    udp   71.6.142.125.39368   <-   64.7.140.62.500        1      166    RSP
So they hit 64.7.140.62 at 02:58, get a response, and then at 03:12 it
seems another process, based on the different source port, hits
64.7.140.62 again.
I would guess, based on that, it's not spoofed.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
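The three checks Mike walks through (source-port spread, how sequential the sweep is, and whether a target that answered was later re-probed from a new source port) as a small Python script over argus-style flow records. This is an added example, not code from the post or from Sentex; the record layout it parses is an assumption (the Flgs column of the post's ra output is dropped), and the sample records are constructed to resemble the post's listing, not the real capture.

```python
"""Spoofing heuristics over argus-style flow records.

Added example; not the post's code.  SAMPLE below is constructed to look
like the post's 'ra' listing and is not the real capture.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    start: datetime
    proto: str
    src: str
    sport: int
    direction: str   # argus Dir column: '->' one way, '<->' both ways, '<-' reply only
    dst: str
    dport: int
    pkts: int
    state: str       # argus State column, e.g. INT, CON, RSP, URP


def _port(text):
    # argus prints ICMP type/code in the port column as hex (0x0303)
    return int(text, 16) if text.startswith("0x") else int(text)


def parse_ra_line(line, year=2015):
    """Parse one record in the assumed layout
    'MM-DD HH:MM:SS proto src.sport dir dst.dport pkts bytes state'."""
    date, clock, proto, src, direction, dst, pkts, _bytes, state = line.split()
    start = datetime.strptime(f"{year}-{date} {clock}", "%Y-%m-%d %H:%M:%S")
    saddr, sp = src.rsplit(".", 1)
    daddr, dp = dst.rsplit(".", 1)
    return Flow(start, proto, saddr, _port(sp), direction, daddr, _port(dp),
                int(pkts), state)


def sport_histogram(flows, src):
    """Source-port distribution, what 'ra -s sport | sort | uniq -c' gives.
    One fixed ephemeral port is typical of a packet-crafting scanner; a
    spread of ports points at kernel sockets, or several hosts."""
    return Counter(f.sport for f in flows if f.src == src)


def sequential_fraction(flows, src):
    """Fraction of consecutive probes (time order) whose destination is the
    numerically next address.  Near 1.0 is a linear sweep; lower values mean
    randomised targets, dropped probes, or several scanners behind one NAT."""
    targets = [int(ipaddress.ip_address(f.dst))
               for f in sorted(flows, key=lambda f: f.start) if f.src == src]
    if len(targets) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(targets, targets[1:]) if b == a + 1)
    return steps / (len(targets) - 1)


def replies_followed_by_retry(flows, src):
    """Destinations that answered (bidirectional flow) and were later
    re-probed from a different source port.  A host spoofing `src` never
    sees the reply, so each hit is evidence the address is real.
    Returns (dst, first_sport, retry_sport, gap) tuples."""
    by_dst = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.start):
        if f.src == src:
            by_dst[f.dst].append(f)
    hits = []
    for dst, seq in by_dst.items():
        for i, f in enumerate(seq):
            if f.direction == "<->":
                later = [g for g in seq[i + 1:] if g.sport != f.sport]
                if later:
                    hits.append((dst, f.sport, later[0].sport,
                                 later[0].start - f.start))
                    break
    return hits


# Constructed sample, modelled on the post's listing (not the real capture).
SAMPLE = """\
07-08 02:40:05 udp 71.6.142.125.57572 -> 64.7.136.186.500 1 78 INT
07-08 02:40:10 udp 71.6.142.125.57572 -> 64.7.136.160.500 1 78 INT
07-08 02:42:13 udp 71.6.142.125.57572 -> 64.7.147.30.500 1 78 INT
07-08 02:42:14 udp 71.6.142.125.57572 -> 64.7.147.31.500 1 78 INT
07-08 02:42:16 udp 71.6.142.125.57572 -> 64.7.147.126.500 1 78 INT
07-08 02:58:04 udp 71.6.142.125.57572 <-> 64.7.140.62.500 2 142 CON
07-08 03:12:40 udp 71.6.142.125.39368 <-> 64.7.140.62.500 3 710 CON
07-08 03:13:01 udp 71.6.142.125.39368 <- 64.7.140.62.500 1 166 RSP
"""


def analyse(text, src):
    """Run all three checks over a block of records for one source address."""
    flows = [parse_ra_line(l) for l in text.splitlines() if l.strip()]
    return {
        "sports": sport_histogram(flows, src),
        "sequential": sequential_fraction(flows, src),
        "retries": replies_followed_by_retry(flows, src),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, "71.6.142.125").items():
        print(key, value)
```

The reply-then-retry check is the strongest of the three, because a spoofing host cannot see the answer, but it is corroboration rather than proof: a scanner can re-probe on a timer without having seen anything, and a single fixed source port by itself only says the packets were hand-crafted, not where they came from.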