
List:       outages-discussion
Subject:    Re: [Outages-discussion] What Dyn IPs to look for in netflow?
From:       Joseph Jackson <jjackson () aninetworks ! net>
Date:       2016-10-25 13:48:33
Message-ID: aaad2bb8336a4815a2d9cd8247059e41 () mbx080-w4-co-1 ! exch080 ! serverpod ! net

Korea has a large number of attack sources/download sites that the botnet uses. 



-----Original Message-----
From: Outages-discussion [mailto:outages-discussion-bounces@outages.org] On Behalf Of Charles Sprickman
Sent: Tuesday, October 25, 2016 8:47 AM
To: Damian Menscher
Cc: outages-discussion@outages.org
Subject: Re: [Outages-discussion] What Dyn IPs to look for in netflow?


> On Oct 24, 2016, at 4:39 PM, Damian Menscher <damian@google.com> wrote:
> 
> You can identify your infected users by looking for outbound scanning 
> on port 23/tcp.  (The Dyn attack was from an IoT botnet which spreads 
> via telnet default passwords.)

Interesting.  I don't really see any traffic of note.  Here's a sample of top destinations over a day or so:

** nfdump -M /usr/local/var/nfsen/profiles-data/live/upstream1 -T -R 2016/10/21/nfcapd.201610210225:2016/10/22/nfcapd.201610220500 -n 100 -s record/packets -A proto,srcip,srcport,dstip,dstport
nfdump filter:
src net 216.220.96.0/19 and proto tcp and dst port 23
Aggregated flows 70
Top 100 flows ordered by packets:

     Dst IP Addr Dst Pt   Packets    Bytes      bps    Bpp Flows
 220.135.102.108     23         7      308       25     44     3
  106.105.172.95     23         6      264       22     44     3
  121.162.69.207     23         4      176        1     44     2
 119.193.125.119     23         3      120       20     40     3
    61.79.33.105     23         3      216      107     72     2
 119.195.169.157     23         3      120        4     40     2
    81.12.187.46     23         2       88      165     44     1
  183.99.165.164     23         2       80     2222     40     1
    81.12.187.46     23         2       88      231     44     1
    14.33.30.155     23         2       88      234     44     1
  183.10.214.223     23         1       44        0     44     1

It's curious why random IPs are sending a handful of packets, mostly to Korea…

Charles

> 
> Damian
> 
> On Sat, Oct 22, 2016 at 6:48 PM, Charles Sprickman <spork@bway.net> wrote:
> I wanted to poke through our netflow data from Friday to see if any customers were involved.  Do we have any idea which Dyn IPs were being hit in the east coast attack?
> I've been poking around with sorting by packet count to UDP 53, but I'm not even sure this was an application level or volumetric attack.   Nothing is standing out (yet)…
> Thanks,
> 
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net spork@bway.net - 
> 212.982.9800
> 
> 
> 
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion@outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
> 

_______________________________________________
Outages-discussion mailing list
Outages-discussion@outages.org
https://puck.nether.net/mailman/listinfo/outages-discussion
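Damian's suggestion above is to find infected customers by their outbound tcp/23 scanning rather than by the attack traffic itself. The following is an added example, not code from this thread: it runs that check over a few constructed flow records shaped like the aggregated nfdump rows Charles posted (source, destination, protocol, destination port, packet count), keeps only the customer prefix used in his filter, and flags a source that fans out to many distinct hosts on tcp/23 with tiny flows, while leaving a single long-lived management session alone. The IP addresses and packet counts in SAMPLE_FLOWS are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src ip, dst ip, proto, dst port, packets).
# Addresses are illustrative; 216.220.96.0/19 is only reused because it is
# the customer range in the nfdump filter quoted in the thread.
SAMPLE_FLOWS = [
    ("216.220.100.7", "220.135.102.108", "tcp", 23, 7),
    ("216.220.100.7", "106.105.172.95", "tcp", 23, 6),
    ("216.220.100.7", "121.162.69.207", "tcp", 23, 4),
    ("216.220.100.7", "119.193.125.119", "tcp", 23, 3),
    ("216.220.100.7", "61.79.33.105", "tcp", 23, 3),
    # one admin box with a single long telnet session: not a scanner
    ("216.220.101.9", "216.220.101.10", "tcp", 23, 4200),
    # outside the customer prefix: ignored by the check
    ("10.0.0.5", "198.51.100.7", "tcp", 23, 2),
    # same customer host, an ordinary HTTPS flow: wrong port, ignored
    ("216.220.100.7", "198.51.100.20", "tcp", 443, 90),
]


def telnet_scan_candidates(flows, src_net, min_targets=3, max_pkts_per_flow=16):
    """Return {src: sorted list of distinct tcp/23 targets} for every source
    inside src_net that touched at least min_targets distinct hosts on
    tcp/23 using only small flows (connection attempts, not sessions)."""
    net = ipaddress.ip_network(src_net)
    targets = defaultdict(set)
    for src, dst, proto, dport, pkts in flows:
        if proto != "tcp" or dport != 23:
            continue
        if ipaddress.ip_address(src) not in net:
            continue
        # A bot probing default telnet credentials produces many short
        # flows of a few packets each; a real interactive session carries
        # far more, so large flows are excluded from the scan count.
        if pkts > max_pkts_per_flow:
            continue
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in telnet_scan_candidates(SAMPLE_FLOWS, "216.220.96.0/19").items():
        print(f"{src} probed {len(dsts)} distinct hosts on tcp/23: {', '.join(dsts)}")
```

Thresholds like min_targets belong tuned to the flow window: five targets in a day is what Charles's table shows, and a real scanner over a full capture would look far noisier than that.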

