[nsp-sec] 9001: New UDP amplification port?
Chris Morrow
morrowc at ops-netman.net
Fri Jul 2 00:19:16 EDT 2021
On Thu, 01 Jul 2021 09:45:22 +0000,
Borja Marcos <borjamar at sarenet.es> wrote:
>
> ----------- nsp-security Confidential --------
>
>
>
> > On 1 Jul 2021, at 11:35, Dobbins, Roland <Roland.Dobbins at netscout.com> wrote:
> >
> >
> >
> >> On Jul 1, 2021, at 4:17 PM, Borja Marcos <borjamar at sarenet.es> wrote:
> >>
> >> Something seems to be going on with port 9001. There is a sudden interest in it, I have two /23 darknets and I see
> >> an odd scan with udp/9100 as destination.
> >
> > I’ll ask my colleagues to look into our UDP honeypot, as well, and will grovel through our DDoS attack data to see if we caught any of it.
>
> I am checking my darknets.
>
> In 2021, except for two scans sending either 1-byte packets with just a “0x00” or some 4-byte packets with “00010203”, all I see are SIP
> packets.
>
> 2021-03-05: 205.185.114.55 sent 4 byte packets (“0x00010203”) and then it switched to the 1-byte “0x00” ones.
>
I hate to be 'that guy', but..:
205.185.114.55 - frantech - AS53667
primary transit is a Russo-Ukrainian joint (network management inc -
AS205090) all of the netblocks announced by 53667 appear to be suspect
(to me), all contact info points at 'frantech' with various 'not
Cheyenne Wyoming' like addressing/etc...
Their AS174 link appears to be via FDC servers in Las Vegas? (that /32 routes to 174/fdc for me)
dollars to donuts these are Russian/Ukrainian scammers :(
> 2021-06-14: 80.82.76.6 sent 1 byte packets (“0x00”).
>
>
> Might be a coincidence though?
>
> I’ll try to see how I can capture some “attack” packets in case they come back.
>
>
>
>
> Borja.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________