Rogue traffic commonly perceived as "noise" (was: Scan traffic from 121.8.0.0/16)

Justin Shore justin at justinshore.com
Fri Mar 7 19:39:34 UTC 2008


Yeah, much of it is noise.  However there is a lot of coordination to 
much of what I'm seeing.  Many of the scans stop at hosts with 
accessible SSH daemons and pound on them for minutes to hours.  Others 
are more subtle.  I'll see one host scan our ranges and pick out the IPs 
running SSH.  Then, a short time later, those specific hosts are 
directly targeted from a different compromised host implying that there 
is communication on the back-end about IPs w/ SSH daemons.  I tested the 
theory by disabling SSH on a few of the hosts picked up in earlier mass 
scans.  The targeted attacks are still aimed at those hosts learned in 
the earlier scan even though their SSH daemons were effectively offline. 
Some scans are so slow they're barely noticeable (as was reported on the 
SANS ISC site recently).

Even though much of this is simply noise and typical life on the 
Internet, I have to wonder how much of this noise is actual 
reconnaissance against SPs and their customers.  A certain large SE 
Asian country's military is widely reported to be performing recon and 
attacks against IP resources around the globe.  How much of what people 
believe is noise is actually malicious traffic or a prelude to some 
future event?

Frankly the scans on my network have been significantly reduced by being 
a little more proactive with my monitoring.  I've found that networks 
generating SSH scans are also being used for telnet, MS-SQL and SMTP 
scans.  Unfortunately the processes I'm utilizing are very labor 
intensive and I can't keep doing this forever.  I would love to find a 
tool that could help me automate some of this process and hopefully 
react faster than I can.

While typing this 69.13.181.99 just scanned one of our /19s.  The flood 
of packets was so fast I wouldn't have been able to null route it even 
if I'd been actively watching the flows.  The only way I could have 
slowed it down would have been to rate-limit SYNs.  That leads to a good 
question for NANOG at large which I'll post separately.

Justin


Martin Hannigan wrote:
 > Scans are really a dime a dozen and noise that buries good data on
 > real problems.  Be careful!
 >
 >
 >
 > On 3/6/08, Justin Shore <justin at justinshore.com> wrote:
 >> Rich Sena wrote:
 >>> Anyone seeing anything similar - trying to determine if this is spoofed
 >>> etc...
 >> I haven't picked up any SSH or telnet scans from that network.  That's
 >> what I'm looking for at the moment.  The amount of scans we're getting
 >> are quite impressive at times.  I wish there was an easy way to automate
 >> the care and feeding of my RTBH with this data (and some sanity checks).
 >>
 >> Justin
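As an added example that is not part of the thread and not a tool any of the posters used: a small Python correlator over constructed flow records that implements the pattern described above (one source sweeps a range on tcp/22, then a different source later goes only after the hosts that answered, even if sshd has since been disabled on them), and runs the resulting sources through sanity checks before they would be handed to an RTBH trigger. The flow records, addresses, prefixes and thresholds are all constructed or assumed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records, not captured traffic. Each tuple is
# (seconds since an arbitrary epoch, source, destination, dst port, replied),
# where 'replied' is True when the destination answered the SYN (daemon up).
SAMPLE_FLOWS = [
    # 203.0.113.5 sweeps tcp/22 across part of our /24 in three seconds
    (100, "203.0.113.5", "192.0.2.10", 22, True),
    (100, "203.0.113.5", "192.0.2.11", 22, False),
    (101, "203.0.113.5", "192.0.2.12", 22, True),
    (101, "203.0.113.5", "192.0.2.13", 22, False),
    (102, "203.0.113.5", "192.0.2.14", 22, False),
    (102, "203.0.113.5", "192.0.2.15", 22, True),
    # an hour later a different source goes only after the hosts that answered;
    # 192.0.2.12 has since had sshd disabled, so it no longer replies
    (3700, "203.0.113.99", "192.0.2.10", 22, True),
    (3701, "203.0.113.99", "192.0.2.12", 22, False),
    (3702, "203.0.113.99", "192.0.2.15", 22, True),
    (3703, "203.0.113.99", "192.0.2.10", 22, True),
    # routine admin login from our (assumed) management network
    (3800, "198.51.100.2", "192.0.2.10", 22, True),
]

OUR_PREFIXES = [ip_network("192.0.2.0/24")]      # assumed: never null-route ourselves
NEVER_BLOCK = [ip_network("198.51.100.0/24")]   # assumed: management/partner space


def find_scanners(flows, port=22, min_targets=5, window=60):
    """Map each source that touched >= min_targets distinct destinations on
    `port` within `window` seconds to (hosts that replied, last time seen)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, replied in flows:
        if dport == port:
            by_src[src].append((ts, dst, replied))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # sliding window over this source's own events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({d for _, d, _ in events[lo:hi + 1]}) >= min_targets:
                learned = {d for _, d, r in events if r}
                scanners[src] = (learned, events[-1][0])
                break
    return scanners


def find_followups(flows, scanners, port=22, min_overlap=2):
    """Sources first seen after a scan finished whose tcp/`port` targets are
    drawn entirely from hosts that scan learned were answering. Reply state
    is ignored here on purpose: a host that has since gone quiet still counts."""
    targets = defaultdict(set)
    first_seen = {}
    for ts, src, dst, dport, _ in flows:
        if dport == port:
            targets[src].add(dst)
            first_seen[src] = min(ts, first_seen.get(src, ts))
    followups = {}
    for scanner, (learned, scan_end) in scanners.items():
        for src, dsts in targets.items():
            if src in scanners or first_seen[src] <= scan_end:
                continue
            if len(dsts) >= min_overlap and dsts <= learned:
                followups[src] = scanner
    return followups


def safe_to_block(ip):
    """Sanity checks before a source is handed to the RTBH trigger."""
    addr = ip_address(ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in OUR_PREFIXES + NEVER_BLOCK)


def rtbh_candidates(flows):
    """Scanners plus their follow-up sources, filtered through safe_to_block."""
    scanners = find_scanners(flows)
    followups = find_followups(flows, scanners)
    return sorted(ip for ip in set(scanners) | set(followups) if safe_to_block(ip))


if __name__ == "__main__":
    for ip in rtbh_candidates(SAMPLE_FLOWS):
        print(ip)
```

On the sample data the sweep source is flagged by the window check and the second source is flagged because its targets are exactly a subset of the hosts the sweep found answering, while the management host is excluded twice over (too few targets, and inside a never-block prefix). The same `safe_to_block` gate is the place to add whatever further checks a given network needs before anything is announced to a blackhole community.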


