Rogue traffic commonly perceived as "noise" (was: Scan traffic from 121.8.0.0/16)
Justin Shore
justin at justinshore.com
Fri Mar 7 19:39:34 UTC 2008
Yeah, much of it is noise. However there is a lot of coordination to
much of what I'm seeing. Many of the scans stop at hosts with
accessible SSH daemons and pound on them for minutes to hours. Others
are more subtle. I'll see one host scan our ranges and pick out the IPs
running SSH. Then, a short time later, those specific hosts are
directly targeted from a different compromised host implying that there
is communication on the back-end about IPs w/ SSH daemons. I tested the
theory by disabling SSH on a few of the hosts picked up in earlier mass
scans. The targeted attacks are still aimed at those hosts learned in
the earlier scan even though their SSH daemons were effectively offline.
Some scans are so slow they're barely noticeable (as was reported on the
SANS ISC site recently).
Even though much of this is simply noise and typical life on the
Internet, I have to wonder how much of this noise is actual
reconnaissance against SPs and their customers. A certain large SE
Asian country's military is widely reported to be performing recon and
attacks against IP resources around the globe. How much of what people
believe is noise is actually malicious traffic or a prelude to some
future event?
Frankly the scans on my network have been significantly reduced by being
a little more proactive with my monitoring. I've found that networks
generating SSH scans are also being used for telnet, MS-SQL and SMTP
scans. Unfortunately the processes I'm utilizing are very labor
intensive and I can't keep doing this forever. I would love to find a
tool that could help me automate some of this process and hopefully
react faster than I can.
While typing this 69.13.181.99 just scanned one of our /19s. The flood
of packets was so fast I wouldn't have been able to null route it even
if I'd been actively watching the flows. The only way I could have
slowed it down would have been to rate-limit SYNs. That leads to a good
question for NANOG at large which I'll post separately.
Justin
Martin Hannigan wrote:
> Scans are really a dime a dozen and noise that buries good data on
> real problems. Be careful!
>
>
>
> On 3/6/08, Justin Shore <justin at justinshore.com> wrote:
>> Rich Sena wrote:
>>> Anyone seeing anything similar - trying to determine if this is spoofed
>>> etc...
>> I haven't picked up any SSH or telnet scans from that network. That's
>> what I'm looking for at the moment. The amount of scans we're getting
>> are quite impressive at times. I wish there was an easy way to automate
>> the care and feeding of my RTBH with this data (and some sanity checks).
>>
>> Justin
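As an added illustration (not code from this thread or from any tool mentioned in it), the correlation described above can be run over flow records: detect a horizontal tcp/22 sweep, record which hosts answered it, then flag later connections from other sources aimed at exactly those hosts, with a prefix allowlist as the sanity check before anything is handed to a blackhole trigger. The flow tuples, addresses and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (unix_ts, src, dst, dport, handshake_completed).
# 198.51.100.7 sweeps tcp/22 across a range; only .2 and .5 answer.  Later a
# different host goes straight to those two addresses and nowhere else.
FLOWS = [
    (100, "198.51.100.7", "10.20.0.1", 22, False),
    (101, "198.51.100.7", "10.20.0.2", 22, True),
    (102, "198.51.100.7", "10.20.0.3", 22, False),
    (103, "198.51.100.7", "10.20.0.4", 22, False),
    (104, "198.51.100.7", "10.20.0.5", 22, True),
    (900, "203.0.113.9", "10.20.0.2", 22, True),
    (905, "203.0.113.9", "10.20.0.5", 22, True),
    (950, "192.0.2.44", "10.20.0.9", 22, True),  # unrelated single hit
]

def find_sweeps(flows, port=22, min_hosts=4):
    """Sources that probed at least min_hosts distinct addresses on port.
    Returns {scanner: set of addresses that answered the probe}.  A very
    slow scan needs a long retention window; this counts over all flows."""
    probed, answered = defaultdict(set), defaultdict(set)
    for _, src, dst, dport, ok in flows:
        if dport == port:
            probed[src].add(dst)
            if ok:
                answered[src].add(dst)
    return {s: answered[s] for s, d in probed.items() if len(d) >= min_hosts}

def targeted_followups(flows, sweeps):
    """Later connections from non-sweeping sources to hosts a sweep found.
    Whether the follow-up handshake completes is ignored on purpose: the
    host may have had SSH turned off since it was discovered."""
    learned = {}  # host -> time a sweeping source first got an answer
    for ts, src, dst, _, ok in sorted(flows):
        if src in sweeps and ok and dst not in learned:
            learned[dst] = ts
    hits = defaultdict(set)
    for ts, src, dst, _, _ in flows:
        if src not in sweeps and dst in learned and ts > learned[dst]:
            hits[src].add(dst)
    return dict(hits)

def rtbh_candidates(sources, protected=("10.20.0.0/16",)):
    """Sanity check before feeding a blackhole trigger: never null-route an
    address inside our own (or a customer's) prefixes, however it was flagged."""
    nets = [ip_network(p) for p in protected]
    return sorted(s for s in sources
                  if not any(ip_address(s) in n for n in nets))
```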