[Outages-discussion] What Dyn IPs to look for in netflow?

Charles Sprickman spork at bway.net
Tue Oct 25 09:47:00 EDT 2016


> On Oct 24, 2016, at 4:39 PM, Damian Menscher <damian at google.com> wrote:
> 
> You can identify your infected users by looking for outbound scanning on port 23/tcp.  (The Dyn attack was from an IoT botnet which spreads via telnet default passwords.)

Interesting.  I don’t really see any traffic of note.  Here’s a sample of top destinations over a day or so:

** nfdump -M /usr/local/var/nfsen/profiles-data/live/upstream1  -T  -R 2016/10/21/nfcapd.201610210225:2016/10/22/nfcapd.201610220500 -n 100 -s record/packets -A proto,srcip,srcport,dstip,dstport
nfdump filter:
src net 216.220.96.0/19 and proto tcp and dst port 23
Aggregated flows 70
Top 100 flows ordered by packets:

     Dst IP Addr Dst Pt   Packets    Bytes      bps    Bpp Flows
 220.135.102.108     23         7      308       25     44     3
  106.105.172.95     23         6      264       22     44     3
  121.162.69.207     23         4      176        1     44     2
 119.193.125.119     23         3      120       20     40     3
    61.79.33.105     23         3      216      107     72     2
 119.195.169.157     23         3      120        4     40     2
    81.12.187.46     23         2       88      165     44     1
  183.99.165.164     23         2       80     2222     40     1
    81.12.187.46     23         2       88      231     44     1
    14.33.30.155     23         2       88      234     44     1
  183.10.214.223     23         1       44        0     44     1

It’s curious why random IPs are sending a handful of packets, mostly to Korea…

Charles

> 
> Damian
> 
> On Sat, Oct 22, 2016 at 6:48 PM, Charles Sprickman <spork at bway.net> wrote:
> I wanted to poke through our netflow data from Friday to see if any customers were involved.  Do we have any idea which Dyn IPs were being hit in the east coast attack?
> 
> I’ve been poking around with sorting by packet count to UDP 53, but I’m not even sure this was an application level or volumetric attack.   Nothing is standing out (yet)…
> 
> Thanks,
> 
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net
> spork at bway.net - 212.982.9800
> 
> 
> 
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
> 
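As an added example (not code from this thread or from the nfdump project), here is a small Python detector for the pattern Damian describes: a customer host inside the 216.220.96.0/19 range sending many short tcp/23 flows to many distinct destinations. It assumes a simplified comma-separated flow export (proto,srcip,srcport,dstip,dstport,packets,bytes), which is a hypothetical layout rather than nfdump's own output, and every flow record below is constructed. The 40 to 44 bytes per packet in the table above is the size of a bare IPv4 TCP SYN (44 with an MSS option), so flows carrying only a packet or two at that size are connection attempts rather than sessions, which is what the heuristic keys on.

```python
"""Flag customer hosts whose tcp/23 flows look like telnet scanning.

Added example for the Outages-discussion thread; not from the thread
or from nfdump. The export format and all flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse one flow per line in the assumed layout
    proto,srcip,srcport,dstip,dstport,packets,bytes (hypothetical, not nfdump's)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, octs = (f.strip() for f in line.split(","))
        flows.append(Flow(proto.lower(), src, int(sport), dst, int(dport),
                          int(pkts), int(octs)))
    return flows


def find_telnet_scanners(flows, min_dsts=20, max_bpp=60, max_pkts_per_flow=3):
    """Return {src: stats} for sources that hit many distinct telnet targets
    with header-sized packets and only a few packets per flow.
    Thresholds are assumptions chosen for the constructed sample."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 23:
            per_src[f.src].append(f)

    flagged = {}
    for src, fl in per_src.items():
        dsts = {f.dst for f in fl}
        bpp = median(f.octets / f.packets for f in fl)      # bytes per packet
        ppf = sum(f.packets for f in fl) / len(fl)          # packets per flow
        if len(dsts) >= min_dsts and bpp <= max_bpp and ppf <= max_pkts_per_flow:
            flagged[src] = {
                "distinct_dsts": len(dsts),
                "flows": len(fl),
                "median_bpp": bpp,
                "mean_pkts_per_flow": ppf,
            }
    return flagged


# Constructed sample. 216.220.100.7 probes 30 documentation-range hosts with
# one or two 44-byte packets each; 216.220.101.9 holds a real telnet session;
# 216.220.102.2 makes a single failed attempt; a DNS flow is present as noise.
SAMPLE_EXPORT = "\n".join(
    ["# proto,srcip,srcport,dstip,dstport,packets,bytes (constructed)"]
    + [f"tcp,216.220.100.7,{40000 + i},203.0.113.{i},23,{1 + i % 2},{44 * (1 + i % 2)}"
       for i in range(1, 31)]
    + [
        "tcp,216.220.101.9,51234,198.51.100.5,23,512,38912",
        "tcp,216.220.101.9,51240,198.51.100.5,23,3,132",
        "tcp,216.220.102.2,40010,192.0.2.10,23,2,88",
        "udp,216.220.100.7,53001,192.0.2.53,53,1,70",
    ]
)

if __name__ == "__main__":
    for src, stats in find_telnet_scanners(parse_flows(SAMPLE_EXPORT)).items():
        print(src, stats)
```

Sorting the top flows by packet count, as the command in the message does, buries a scanner whose flows each carry one or two packets, and aggregating by destination spreads one noisy source across many small rows. Grouping by source and counting distinct destinations instead brings the scanning host to the top; nfdump's `-s srcip/flows` statistic does a similar job natively.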


