[nsp-sec] Looking for a PoC at AS10439 - CariNet, Inc.

Dario Ciccarone dciccaro at cisco.com
Wed Jul 8 15:27:41 EDT 2015


Thanks, Mike, for taking the time to send this along - it is sincerely
appreciated.

To close the loop - we were able to find a PoC at CariNet, Inc. We spoke
with Zachary Wikholm, their head of security - they were aware of the
issue, and had already taken steps to block the source of the traffic.
Based on evidence, this was not a malicious attempt to exploit the
vulnerability on the ASA - but just one of the many scanning projects
going on these days, looking for IKE speakers.

FWIW, the engagement and level of support we got from CariNet, Inc. has
been outstanding. Also thanks to the nsp-sec community (including those
that unicasted) for their help and support on this matter.

We will be updating the public advisory with this information, so
customers are aware of it.

Thanks,
Dario

On 7/8/15 3:16 PM, Mike Tancsa wrote:
> On 7/8/2015 12:43 PM, Dario Ciccarone wrote:
>> ----------- nsp-security Confidential --------
>>
>>     Based on analysis of the crash information, the traffic seems to be
>> coming from address 71.6.142.125 - allocated to CariNet, Inc.
>>
>>    
>> http://whois.arin.net/rest/nets;q=71.6.142.125?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
>>
>>     We completely understand this could be spoofed - however, we would
>> like to reach out to CariNet, see if they have any knowledge of this
>> activity.
> I don't have a PoC, but some data points from my AS (11647)
>
>
> We saw sweeps coming from that IP starting 02:40 GMT-4 (Eastern). It
> came to us (AS11647) in via our TATA (6453 in Toronto), which is one AS
> Hop farther than via our Cogent transit link (AS174). But we see their
> network
>
> 174 10439
> 6453 174 10439
>
> so I am not sure why we would see it come in via TATA instead of Cogent.
> Of course there are scenarios where this is quite deliberate, but it's odd.
>
> Also, against the case for multiple sources spoofing the one IP, I don't
> see it coming from multiple paths. Granted, we are a small network, but
> I thought I would see some instances from different locations.
>
> A snippet of the scan pattern looks as follows, starting from the first
> packet from them.
>
>             StartTime            SrcAddr            DstAddr
>  07-08 02:40:05       71.6.142.125       64.7.136.186
>  07-08 02:40:10       71.6.142.125       64.7.136.160
>  07-08 02:42:14       71.6.142.125       64.7.143.126
>  07-08 02:42:13       71.6.142.125        64.7.147.30
>  07-08 02:42:25       71.6.142.125      98.159.241.87
>  07-08 02:42:25       71.6.142.125      98.159.241.87
>  07-08 02:42:16       71.6.142.125       64.7.147.126
>  07-08 02:42:18       71.6.142.125       64.7.147.174
>  07-08 02:42:20       71.6.142.125       64.7.147.164
>  07-08 02:42:30       71.6.142.125       64.7.143.122
>  07-08 02:42:25       71.6.142.125       64.7.147.120
>  07-08 02:42:36       71.6.142.125        64.7.143.73
>  07-08 02:42:26       71.6.142.125        64.7.147.70
>  07-08 02:42:30       71.6.142.125       64.7.147.150
>  07-08 02:42:31       71.6.142.125        64.7.147.87
>  07-08 02:42:41       71.6.142.125      98.159.241.83
>  07-08 02:42:41       71.6.142.125      98.159.241.83
>  07-08 02:42:33       71.6.142.125       64.7.147.122
>  07-08 02:42:34       71.6.142.125        64.7.147.96
>  07-08 02:42:34       71.6.142.125       64.7.147.180
>  07-08 02:42:35       71.6.142.125       64.7.147.102
>  07-08 02:42:44       71.6.142.125       64.7.143.111
>  07-08 02:42:44       71.6.142.125       64.7.143.111
>  07-08 02:42:36       71.6.142.125        64.7.147.83
>  07-08 02:42:38       71.6.142.125        64.7.147.73
>  07-08 02:42:39       71.6.142.125       64.7.147.186
>  07-08 02:42:39       71.6.142.125        64.7.147.52
>  07-08 02:42:39       71.6.142.125        64.7.147.99
>  07-08 02:42:40       71.6.142.125        64.7.147.63
>  07-08 02:42:42       71.6.142.125       64.7.147.163
>  07-08 02:42:42       71.6.142.125       64.7.147.173
>  07-08 02:42:42       71.6.142.125        64.7.147.39
>  07-08 02:42:46       71.6.142.125       64.7.147.111
>  07-08 02:42:46       71.6.142.125       64.7.147.158
>  07-08 02:42:48       71.6.142.125       64.7.147.192
>  07-08 02:42:49       71.6.142.125        64.7.147.34
>  07-08 02:42:50       71.6.142.125       64.7.147.147
>  07-08 02:43:02       71.6.142.125       64.7.146.248
>  07-08 02:43:02       71.6.142.125       64.7.143.155
>  07-08 02:42:53       71.6.142.125       64.7.147.129
>  07-08 02:42:56       71.6.142.125       64.7.147.170
>  07-08 02:42:57       71.6.142.125        64.7.147.23
>  07-08 02:42:58       71.6.142.125       64.7.143.143
>  07-08 02:42:58       71.6.142.125       64.7.147.143
>  07-08 02:43:08       71.6.142.125       64.7.143.108
>  07-08 02:43:08       71.6.142.125       64.7.143.108
>  07-08 02:43:00       71.6.142.125       64.7.147.178
>  07-08 02:43:00       71.6.142.125       64.7.147.195
>  07-08 02:43:01       71.6.142.125       64.7.147.184
>  07-08 02:43:10       71.6.142.125       64.7.143.109
>  07-08 02:43:10       71.6.142.125       64.7.143.109
>  07-08 02:43:11       71.6.142.125       64.7.143.119
>  07-08 02:43:05       71.6.142.125        64.7.147.32
>  07-08 02:43:05       71.6.142.125       64.7.147.155
>  07-08 02:43:07       71.6.142.125       64.7.147.176
>  07-08 02:43:07       71.6.142.125       64.7.146.236
>  07-08 02:43:09       71.6.142.125        64.7.147.18
>  07-08 02:43:19       71.6.142.125       64.7.146.237
>  07-08 02:43:19       71.6.142.125       64.7.143.115
>  07-08 02:43:10       71.6.142.125       64.7.147.108
>  07-08 02:43:11       71.6.142.125        64.7.147.44
>  07-08 02:43:11       71.6.142.125        64.7.147.38
>  07-08 02:43:21       71.6.142.125       64.7.143.116
>  07-08 02:43:21       71.6.142.125       64.7.143.145
>  07-08 02:43:13       71.6.142.125       64.7.147.109
>  07-08 02:43:13       71.6.142.125       64.7.147.119
>  07-08 02:43:24       71.6.142.125       64.7.143.106
>  07-08 02:43:24       71.6.142.125       64.7.143.106
>  07-08 02:43:26       71.6.142.125       67.43.143.32
>  07-08 02:43:18       71.6.142.125        64.7.147.22
>  07-08 02:43:21       71.6.142.125       64.7.147.115
>  07-08 02:43:22       71.6.142.125        64.7.147.95
>  07-08 02:43:23       71.6.142.125       64.7.147.145
>  07-08 02:43:23       71.6.142.125       64.7.147.116
>  07-08 02:43:26       71.6.142.125       64.7.147.106
>  07-08 02:43:27       71.6.142.125        64.7.147.68
>  07-08 02:43:36       71.6.142.125        64.7.147.25
>  07-08 02:43:49       71.6.142.125     98.159.245.244
>  07-08 02:43:50       71.6.142.125     98.159.245.169
>  07-08 02:43:45       71.6.142.125       64.7.147.123
>  07-08 02:43:54       71.6.142.125     98.159.245.185
>  07-08 02:43:56       71.6.142.125     98.159.245.233
>  07-08 02:43:59       71.6.142.125     98.159.245.144
>  07-08 02:43:59       71.6.142.125     98.159.245.167
>  07-08 02:43:53       71.6.142.125        64.7.147.31
>  07-08 02:44:04       71.6.142.125     98.159.245.253
>  07-08 02:44:13       71.6.142.125     98.159.245.223
>  07-08 02:44:13       71.6.142.125     98.159.245.155
>  07-08 02:44:15       71.6.142.125     98.159.245.149
>  07-08 02:44:17       71.6.142.125     98.159.245.239
>  07-08 02:44:18       71.6.142.125     98.159.245.231
>  07-08 02:44:19       71.6.142.125     98.159.245.157
>  07-08 02:44:19       71.6.142.125     98.159.245.234
>  07-08 02:44:20       71.6.142.125     98.159.245.206
>  07-08 02:44:22       71.6.142.125     98.159.245.214
>  07-08 02:44:23       71.6.142.125     98.159.245.237
>  07-08 02:44:24       71.6.142.125     98.159.245.196
>  07-08 02:44:26       71.6.142.125     98.159.245.228
>  07-08 02:44:27       71.6.142.125     98.159.245.249
>  07-08 02:44:27       71.6.142.125     98.159.245.247
>  07-08 02:44:27       71.6.142.125     98.159.245.178
>  07-08 02:44:29       71.6.142.125     98.159.245.173
>  07-08 02:44:29       71.6.142.125     98.159.245.212
>  07-08 02:44:30       71.6.142.125     98.159.245.236
>  07-08 02:44:31       71.6.142.125     98.159.245.209
>  07-08 02:44:31       71.6.142.125     98.159.245.220
>  07-08 02:44:34       71.6.142.125     98.159.245.252
>  07-08 02:44:36       71.6.142.125     98.159.245.240
>  07-08 02:44:38       71.6.142.125     98.159.245.166
>  07-08 02:44:39       71.6.142.125     98.159.245.148
>  07-08 02:44:40       71.6.142.125      67.43.140.207
>  07-08 02:44:42       71.6.142.125     98.159.245.132
>  07-08 02:44:44       71.6.142.125     98.159.245.116
>  07-08 02:44:48       71.6.142.125      67.43.140.226
>  07-08 02:44:48       71.6.142.125     98.159.245.241
>  07-08 02:44:49       71.6.142.125     98.159.245.248
>  07-08 02:44:51       71.6.142.125      67.43.140.254
>  07-08 02:44:52       71.6.142.125       67.43.140.92
>  07-08 02:44:52       71.6.142.125     98.159.245.187
>  07-08 02:44:54       71.6.142.125      67.43.140.238
>  07-08 02:44:55       71.6.142.125      67.43.140.214
>  07-08 02:44:55       71.6.142.125      67.43.140.150
>  07-08 02:44:56       71.6.142.125      67.43.140.166
>  07-08 02:44:57       71.6.142.125      67.43.140.125
>  07-08 02:44:58       71.6.142.125     98.159.245.221
>  07-08 02:44:59       71.6.142.125      67.43.140.218
>  07-08 02:44:59       71.6.142.125     98.159.245.143
>  07-08 02:44:59       71.6.142.125      67.43.140.191
>  07-08 02:44:59       71.6.142.125      67.43.140.245
>  07-08 02:45:00       71.6.142.125     98.159.245.175
>  07-08 02:45:00       71.6.142.125     98.159.245.219
>  07-08 02:45:00       71.6.142.125       67.43.140.69
>
>
> I don't see an obvious pattern.  It doesn't seem to start on our network
> boundaries either.... Taking the first 1000 entries and sorting them,
> they are not totally sequential.  It could just be they maxed their
> outbound limits, so packets are being dropped, or multiple scanners
> behind a single NAT source?
>
> Looking at the ephemeral ports, I see
>
> % ra -nr /tmp/attacker.arg -ssport - udp  | sort | uniq -c
>    1  Sport
>    2 39368
> 9213 57572
>
>
> Almost all with a source port of 57572 and just two with 39368 ?!?
>
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
> 07-08 02:58*  eU          udp       71.6.142.125.57572    <->       64.7.140.62.500           2        142   CON
> 07-08 02:58*  e          icmp       71.6.142.125.0x0303    ->    64.7.140.62.0xe4e0        1        110   URP
> 07-08 03:12*  e           udp       71.6.142.125.39368    <->       64.7.140.62.500           3        710   CON
> 07-08 03:13*  e           udp       71.6.142.125.39368    <-        64.7.140.62.500           1        166   RSP
>
>
> So they hit 64.7.140.62 at 02:58, get a response, and then at 03:12, it
> seems another process based on the different source port, hits
> 64.7.140.62 again.
>
> I would guess based on that, its not spoofed.
>
> 	---Mike
>
>
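An added example, not code from the thread, from Cisco, or from the argus project: a small Python analyser that applies the two spoofing checks Mike walks through above (the source-port histogram from `ra ... -s sport | sort | uniq -c`, and the "target replied, then the same source came back from a different ephemeral port" observation) to flow records laid out like the `ra` output quoted in the thread. The flow lines, the `assess()` / `follow_up_targets()` helpers and the verdict strings are constructed for illustration; the packet and byte counts are not from the real capture.

```python
"""Spoof-plausibility checks over argus-style flow records.

Reasoning reproduced from the thread: a host whose address is being
spoofed by someone else never sees the replies its targets send back.
If a target answered (bidirectional flow) and the same source address
later re-contacts that target from a *different* ephemeral port, the
sender was really receiving those answers, which argues against
spoofing. A single dominant source port across thousands of probes
additionally points at one long-lived scanner socket.
"""
from collections import Counter, defaultdict
import re

# Constructed sample in the column order of
# `ra -s stime flgs proto saddr sport dir daddr dport pkts bytes state`.
# Illustrative only; not the thread's real capture.
SAMPLE_FLOWS = """\
07-08 02:40:05  eU   udp  71.6.142.125.57572  ->   64.7.136.186.500     1   71  INT
07-08 02:40:10  e    udp  71.6.142.125.57572  ->   64.7.136.160.500     1   71  INT
07-08 02:58:03  eU   udp  71.6.142.125.57572  <->  64.7.140.62.500      2  142  CON
07-08 02:58:03  e    icmp 71.6.142.125.0x0303 ->   64.7.140.62.0xe4e0   1  110  URP
07-08 03:12:41  e    udp  71.6.142.125.39368  <->  64.7.140.62.500      3  710  CON
07-08 03:13:02  e    udp  71.6.142.125.39368  <-   64.7.140.62.500      1  166  RSP
"""

# addr.port is split on the last dot, so 71.6.142.125.57572 -> (71.6.142.125, 57572)
FLOW_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d)\s+(?P<flgs>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\S+)\s+(?P<dir><->|->|<-)\s+(?P<dst>\S+)\.(?P<dport>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)$"
)


def parse_flows(text):
    """Parse ra-style lines; silently skip anything that is not a flow row."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pkts"] = int(rec["pkts"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def source_port_histogram(flows, src, proto="udp"):
    """Same thing as `ra -s sport - udp | sort | uniq -c`, for one source address."""
    return Counter(f["sport"] for f in flows if f["src"] == src and f["proto"] == proto)


def answered_targets(flows, src):
    """Targets that sent UDP back toward src (argus dir '<->' or '<-')."""
    by_target = defaultdict(list)
    for f in flows:
        if f["src"] == src and f["proto"] == "udp" and f["dir"] in ("<->", "<-"):
            by_target[f["dst"]].append(f)
    return by_target


def follow_up_targets(flows, src):
    """Answered targets that were re-contacted from a different source port,
    in the order the ports appeared. A spoofer cannot see the first answer,
    so a second, port-changed visit is evidence the source is genuine."""
    result = {}
    for dst, recs in answered_targets(flows, src).items():
        ports_in_order = []
        for r in sorted(recs, key=lambda r: (r["date"], r["time"])):
            if r["sport"] not in ports_in_order:
                ports_in_order.append(r["sport"])
        if len(ports_in_order) > 1:
            result[dst] = ports_in_order
    return result


def assess(flows, src):
    """Summarise both checks. Verdict strings are this example's own labels."""
    hist = source_port_histogram(flows, src)
    dominant_port, dominant_count = hist.most_common(1)[0]
    followups = follow_up_targets(flows, src)
    return {
        "dominant_sport": dominant_port,
        "dominant_share": dominant_count / sum(hist.values()),
        "follow_up_targets": followups,
        "verdict": "likely real source" if followups else "inconclusive",
    }


if __name__ == "__main__":
    print(assess(parse_flows(SAMPLE_FLOWS), "71.6.142.125"))
```

The check is deliberately one-sided: a follow-up from a new port argues against spoofing, but its absence proves nothing, since a scanner that never retries looks the same whether or not its source address is real. Feed it `ra -n -s stime flgs proto saddr sport dir daddr dport pkts bytes state` output for the suspect address and read only the positive result.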

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4376 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20150708/30cab71f/attachment.p7s>

