[nsp-sec] 9001: New UDP amplification port?
Borja Marcos
borjamar at sarenet.es
Thu Jul 1 03:23:17 EDT 2021
Hi,
I’ve been observing some odd packet love in short bursts (less than 10 Gbps).
The packets are UDP with source port 9001, destination port 12345, and they are large packets plus fragments.
Looking at the source IP addresses, I see that most of them come from AS2516, and looking at the source addresses
on AlienVault, they seem to be Ruckus routers. Other ASs have only a bunch of IP addresses joining the party.
-------------
12 Open Ports: 21, 22, 80, 91, 123, 161, 443, 7000, 7800, 8090, 8200, 9999
Certificate Issuer: C=US, O=Ruckus Wireless Inc., CN=Certificate Authority
Certificate Subject: CN=scg.ruckuswireless.com
-------------
Does it sound familiar?
Thanks!
Borja.
Sarenet, AS3262
Date first seen Duration Proto Src AS Flows(%) Packets(%) Bytes(%) pps bps bpp
2021-06-29 09:07:03.040 110728.960 any 2516 3112(59.7) 33.2 M(63.1) 49.9 G(63.2) 300 3.6 M 1500
2021-06-29 09:07:03.040 110729.472 any 131160 136( 2.6) 1.4 M( 2.7) 2.1 G( 2.7) 12 154972 1500
2021-06-29 09:07:03.040 110728.960 any 4766 85( 1.6) 901000( 1.7) 1.4 G( 1.7) 8 97643 1500
2021-06-29 09:07:03.296 110729.216 any 16276 68( 1.3) 767000( 1.5) 1.2 G( 1.5) 6 83121 1500
2021-06-29 09:07:03.296 110728.960 any 42689 54( 1.0) 557000( 1.1) 835.5 M( 1.1) 5 60363 1500
2021-06-29 09:07:03.040 110729.472 any 20473 54( 1.0) 531000( 1.0) 796.5 M( 1.0) 4 57545 1500
2021-06-29 09:07:03.552 110728.448 any 132280 64( 1.2) 521000( 1.0) 781.5 M( 1.0) 4 56462 1500
2021-06-29 09:07:03.040 110729.472 any 3549 48( 0.9) 513000( 1.0) 769.5 M( 1.0) 4 55594 1500
2021-06-29 09:07:03.808 110728.704 any 4134 51( 1.0) 499000( 0.9) 748.5 M( 0.9) 4 54078 1500
2021-06-29 09:07:03.040 40797.184 any 9381 54( 1.0) 484000( 0.9) 726.0 M( 0.9) 11 142362 1500
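
One way to pull the pattern described in the message out of exported flow records, as an added example that is not part of the original post: it matches UDP 9001 -> 12345 and folds in the non-initial fragments, which carry no UDP header and are assumed here to be exported with both ports set to 0. The CSV column layout, the addresses and the counters are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (documentation addresses, made-up counters).
# Hypothetical column layout: src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
SAMPLE_FLOWS = """\
198.51.100.10,203.0.113.5,udp,9001,12345,400,600000
198.51.100.10,203.0.113.5,udp,0,0,800,1200000
198.51.100.11,203.0.113.5,udp,9001,12345,200,300000
198.51.100.11,203.0.113.5,udp,0,0,390,585000
192.0.2.77,203.0.113.5,udp,53,40000,3,360
192.0.2.80,203.0.113.9,udp,0,0,50,75000
192.0.2.90,203.0.113.5,udp,9001,12345,2,180
"""


def suspected_reflectors(text, sport=9001, dport=12345, min_bpp=1000):
    """Return {(src, dst): {"packets", "bytes", "bpp"}} for pairs matching the burst."""
    first = defaultdict(lambda: [0, 0])  # flows that carry the UDP port pair
    frags = defaultdict(lambda: [0, 0])  # port 0/0 UDP flows: non-initial fragments
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7 or row[2] != "udp":
            continue
        src, dst, _, sp, dp, pkts, byts = row
        ports = (int(sp), int(dp))
        if ports == (sport, dport):
            bucket = first[(src, dst)]
        elif ports == (0, 0):
            bucket = frags[(src, dst)]
        else:
            continue
        bucket[0] += int(pkts)
        bucket[1] += int(byts)

    result = {}
    for pair, (pkts, byts) in first.items():
        # Count fragments only for pairs that also sent the port-bearing first
        # fragment, so unrelated port-0 traffic is not attributed to the burst.
        frag_pkts, frag_bytes = frags.get(pair, (0, 0))
        pkts, byts = pkts + frag_pkts, byts + frag_bytes
        if pkts and byts // pkts >= min_bpp:  # near-MTU average, like the bpp column
            result[pair] = {"packets": pkts, "bytes": byts, "bpp": byts // pkts}
    return result


if __name__ == "__main__":
    for (src, dst), stats in suspected_reflectors(SAMPLE_FLOWS).items():
        print(src, "->", dst, stats)
```

Filtering on the port pair alone undercounts the burst, because most of the bytes of a fragmented datagram travel in the port-less fragments.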