[Outages-discussion] What Dyn IPs to look for in netflow?
Joseph Jackson
jjackson at aninetworks.net
Tue Oct 25 09:48:33 EDT 2016
Korea has a large number of attack sources/download sites that the botnet uses.
-----Original Message-----
From: Outages-discussion [mailto:outages-discussion-bounces at outages.org] On Behalf Of Charles Sprickman
Sent: Tuesday, October 25, 2016 8:47 AM
To: Damian Menscher
Cc: outages-discussion at outages.org
Subject: Re: [Outages-discussion] What Dyn IPs to look for in netflow?
> On Oct 24, 2016, at 4:39 PM, Damian Menscher <damian at google.com> wrote:
>
> You can identify your infected users by looking for outbound scanning
> on port 23/tcp. (The Dyn attack was from an IoT botnet which spreads
> via telnet default passwords.)
Interesting. I don’t really see any traffic of note. Here’s a sample of top destinations over a day or so:
** nfdump -M /usr/local/var/nfsen/profiles-data/live/upstream1 -T -R 2016/10/21/nfcapd.201610210225:2016/10/22/nfcapd.201610220500 -n 100 -s record/packets -A proto,srcip,srcport,dstip,dstport
nfdump filter:
src net 216.220.96.0/19 and proto tcp and dst port 23
Aggregated flows 70
Top 100 flows ordered by packets:
     Dst IP Addr  Dst Pt  Packets  Bytes   bps  Bpp  Flows
 220.135.102.108      23        7    308    25   44      3
  106.105.172.95      23        6    264    22   44      3
  121.162.69.207      23        4    176     1   44      2
 119.193.125.119      23        3    120    20   40      3
    61.79.33.105      23        3    216   107   72      2
 119.195.169.157      23        3    120     4   40      2
    81.12.187.46      23        2     88   165   44      1
  183.99.165.164      23        2     80  2222   40      1
    81.12.187.46      23        2     88   231   44      1
    14.33.30.155      23        2     88   234   44      1
  183.10.214.223      23        1     44     0   44      1
It’s curious why random IPs are sending a handful of packets, mostly to Korea…
Charles
>
> Damian
>
> On Sat, Oct 22, 2016 at 6:48 PM, Charles Sprickman <spork at bway.net> wrote:
> I wanted to poke through our netflow data from Friday to see if any customers were involved. Do we have any idea which Dyn IPs were being hit in the east coast attack?
>
> I’ve been poking around with sorting by packet count to UDP 53, but I’m not even sure this was an application level or volumetric attack. Nothing is standing out (yet)…
>
> Thanks,
>
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet
> www.bway.net
> spork at bway.net
> 212.982.9800
_______________________________________________
Outages-discussion mailing list
Outages-discussion at outages.org
https://puck.nether.net/mailman/listinfo/outages-discussion
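Damian's suggestion of looking for outbound scanning on 23/tcp, worked through as an added example (this is not code from the thread or from nfdump). Charles's query aggregates on the destination, which shows each target getting a couple of SYN-sized packets; to find the scanner you instead want fan-out per source inside your own prefix, i.e. one customer address touching many distinct hosts on 23/tcp with flows of only 40-44 bytes per packet (a bare SYN, which is what the Bpp column in his table shows). The script assumes the flow records have been reduced to a simple whitespace-separated form (src, dst, proto, dstport, packets, bytes), for instance by picking those fields out of an nfdump CSV export; the sample records, the customer addresses and the thresholds are constructed, and 216.220.96.0/19 is reused from Charles's filter.

```python
"""Flag likely telnet scanners (Mirai-style fan-out) in a netflow export.

Added example, not from the mailing-list thread. Input format is an
assumption: one flow per line, "src dst proto dstport packets bytes".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


# Constructed sample (documentation ranges for the far end, not real traffic):
#  - 216.220.100.17 sprays single SYNs at eight hosts on tcp/23 -> scanner
#  - 216.220.101.5 holds one real telnet session (many, larger packets)
#  - 216.220.102.9 touches only three hosts, below the fan-out threshold
#  - 192.0.2.44 is an inbound scan from outside the prefix, ignored
SAMPLE = """\
216.220.100.17 198.51.100.10 tcp 23 1 44
216.220.100.17 198.51.100.11 tcp 23 1 44
216.220.100.17 198.51.100.12 tcp 23 2 88
216.220.100.17 198.51.100.13 tcp 23 1 44
216.220.100.17 198.51.100.14 tcp 23 1 44
216.220.100.17 198.51.100.15 tcp 23 2 88
216.220.100.17 198.51.100.16 tcp 23 1 44
216.220.100.17 198.51.100.17 tcp 23 1 44
216.220.100.17 198.51.100.50 tcp 443 40 12000
216.220.101.5 203.0.113.7 tcp 23 312 18720
216.220.102.9 203.0.113.20 tcp 23 1 44
216.220.102.9 203.0.113.21 tcp 23 1 44
216.220.102.9 203.0.113.22 tcp 23 1 44
192.0.2.44 216.220.100.17 tcp 23 1 44
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed six-field flow lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, byts = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(pkts), int(byts)))
    return flows


def find_telnet_scanners(flows: List[Flow], our_prefix: str,
                         min_targets: int = 5, max_bpp: float = 48.0) -> Dict[str, int]:
    """Return {source: distinct tcp/23 targets} for sources inside our_prefix
    whose outbound telnet flows reach at least min_targets distinct hosts
    and average no more than max_bpp bytes per packet (SYN-only traffic).
    A real telnet session has far more packets per peer and a higher Bpp,
    so it is not reported even though it also uses port 23."""
    net = ip_network(our_prefix)
    targets = defaultdict(set)
    pkts = defaultdict(int)
    byts = defaultdict(int)
    for f in flows:
        if f.proto != "tcp" or f.dport != 23:
            continue
        if ip_address(f.src) not in net:
            continue  # inbound scans are somebody else's infected host
        targets[f.src].add(f.dst)
        pkts[f.src] += f.packets
        byts[f.src] += f.bytes
    hits = {}
    for src, dsts in targets.items():
        bpp = byts[src] / pkts[src]
        if len(dsts) >= min_targets and bpp <= max_bpp:
            hits[src] = len(dsts)
    return hits


if __name__ == "__main__":
    for src, n in sorted(find_telnet_scanners(parse_flows(SAMPLE),
                                              "216.220.96.0/19").items()):
        print(f"{src}: {n} distinct tcp/23 targets, SYN-sized packets")
```

The thresholds are the part to tune: a Bpp ceiling of 48 keeps SYN-only flows (40 bytes plus typical options) and drops established sessions, and the fan-out floor of five distinct hosts is low enough for a day of data from a slow scanner while ignoring a customer who simply telnets to a couple of devices.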