List: outages-discussion
Subject: Re: [Outages-discussion] What Dyn IPs to look for in netflow?
From: Joseph Jackson <jjackson () aninetworks ! net>
Date: 2016-10-25 13:48:33
Message-ID: aaad2bb8336a4815a2d9cd8247059e41 () mbx080-w4-co-1 ! exch080 ! serverpod ! net
Korea has a large number of attack sources/download sites that the botnet uses.
-----Original Message-----
From: Outages-discussion [mailto:outages-discussion-bounces@outages.org] On Behalf Of Charles Sprickman
Sent: Tuesday, October 25, 2016 8:47 AM
To: Damian Menscher
Cc: outages-discussion@outages.org
Subject: Re: [Outages-discussion] What Dyn IPs to look for in netflow?
> On Oct 24, 2016, at 4:39 PM, Damian Menscher <damian@google.com> wrote:
>
> You can identify your infected users by looking for outbound scanning
> on port 23/tcp. (The Dyn attack was from an IoT botnet which spreads
> via telnet default passwords.)
Interesting. I don't really see any traffic of note. Here's a sample of top destinations over a day or so:
** nfdump -M /usr/local/var/nfsen/profiles-data/live/upstream1 -T -R 2016/10/21/nfcapd.201610210225:2016/10/22/nfcapd.201610220500 -n 100 -s record/packets -A proto,srcip,srcport,dstip,dstport
nfdump filter:
src net 216.220.96.0/19 and proto tcp and dst port 23
Aggregated flows 70
Top 100 flows ordered by packets:
Dst IP Addr       Dst Pt  Packets  Bytes   bps  Bpp  Flows
220.135.102.108       23        7    308    25   44      3
106.105.172.95        23        6    264    22   44      3
121.162.69.207        23        4    176     1   44      2
119.193.125.119       23        3    120    20   40      3
61.79.33.105          23        3    216   107   72      2
119.195.169.157       23        3    120     4   40      2
81.12.187.46          23        2     88   165   44      1
183.99.165.164        23        2     80  2222   40      1
81.12.187.46          23        2     88   231   44      1
14.33.30.155          23        2     88   234   44      1
183.10.214.223        23        1     44     0   44      1
It's curious why random IPs are sending a handful of packets, mostly to Korea…
Charles
>
> Damian
>
> On Sat, Oct 22, 2016 at 6:48 PM, Charles Sprickman <spork@bway.net> wrote:
> I wanted to poke through our netflow data from Friday to see if any customers were involved. Do we have any idea which Dyn IPs were being hit in the east coast attack?
> I've been poking around with sorting by packet count to UDP 53, but I'm not even sure this was an application level or volumetric attack. Nothing is standing out (yet)…
> Thanks,
>
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net spork@bway.net -
> 212.982.9800
>
>
>
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion@outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
>
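Damian's suggestion is to look for outbound scanning on 23/tcp, but Charles's nfdump query aggregates by destination, which hides the per-source fan-out that distinguishes a scanner from a legitimate telnet user. The script below is an added example, not code from the thread or from nfdump; it aggregates per source instead, over nfdump-style CSV records. The customer prefix is the one from Charles's filter; the thresholds (20 distinct destinations, at most 5 packets per flow, 90% of flows tiny), the inclusion of 2323/tcp as a second Mirai probe port, the reduced column set (real `nfdump -o csv` output has many more columns but uses the same `sa`, `da`, `dp`, `pr`, `ipkt` names) and the sample records are all assumptions made for illustration.

```python
"""Added example (not from the thread): flag customer IPs whose 23/tcp
traffic looks like Mirai-style scanning rather than real telnet sessions.
Thresholds, sample records and the short column set are assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

# Customer prefix from Charles's nfdump filter in the thread.
CUSTOMER_NET = "216.220.96.0/19"
# 23/tcp is what the thread names; 2323/tcp is the other port Mirai probes
# (not mentioned in the thread, included here as an assumption).
TELNET_PORTS = {23, 2323}
MIN_DISTINCT_DSTS = 20     # assumed: a real host rarely opens telnet to 20+ peers
MAX_PKTS_PER_FLOW = 5      # assumed: a scan probe is a SYN or two, not a session
MIN_TINY_FRACTION = 0.9    # assumed: nearly every flow from a scanner is tiny


def parse_flows(csv_text):
    """Yield the fields we need from nfdump-style CSV (header row required)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield {
            "sa": row["sa"],
            "da": row["da"],
            "dp": int(row["dp"]),
            "pr": row["pr"].upper(),
            "ipkt": int(row["ipkt"]),
        }


def find_telnet_scanners(flows, net=CUSTOMER_NET, ports=TELNET_PORTS,
                         min_dsts=MIN_DISTINCT_DSTS, max_pkts=MAX_PKTS_PER_FLOW,
                         min_tiny=MIN_TINY_FRACTION):
    """Return sources inside `net` that fan tiny telnet flows out to many hosts."""
    net = ipaddress.ip_network(net)
    per_src = defaultdict(lambda: {"dsts": set(), "flows": 0, "tiny": 0})
    for f in flows:
        if f["pr"] not in ("TCP", "6") or f["dp"] not in ports:
            continue
        try:
            src = ipaddress.ip_address(f["sa"])
        except ValueError:
            continue                      # malformed address: skip the record
        if src not in net:
            continue                      # only our own customers are of interest
        stats = per_src[f["sa"]]
        stats["dsts"].add(f["da"])
        stats["flows"] += 1
        if f["ipkt"] <= max_pkts:
            stats["tiny"] += 1

    hits = []
    for sa, stats in per_src.items():
        tiny_fraction = stats["tiny"] / stats["flows"]
        if len(stats["dsts"]) >= min_dsts and tiny_fraction >= min_tiny:
            hits.append({
                "src": sa,
                "distinct_dsts": len(stats["dsts"]),
                "flows": stats["flows"],
                "tiny_fraction": round(tiny_fraction, 2),
            })
    hits.sort(key=lambda h: (-h["distinct_dsts"], h["src"]))
    return hits


def build_sample_csv():
    """Constructed records (not real traffic): one scanner, one real telnet
    user, one low-volume host, and one external scanner that must be ignored."""
    lines = ["ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt"]
    ts = "2016-10-21 02:25:00.000"
    # 216.220.100.7 sends a single SYN to 25 different hosts: scanner.
    for i in range(1, 26):
        lines.append(f"{ts},{ts},0.000,216.220.100.7,220.135.102.{i},4{i:04d},23,TCP,1,44")
    # 216.220.101.9 has two long interactive sessions: a legitimate telnet user.
    lines.append(f"{ts},{ts},120.000,216.220.101.9,61.79.33.105,51000,23,TCP,300,18000")
    lines.append(f"{ts},{ts},95.000,216.220.101.9,61.79.33.106,51001,23,TCP,280,16500")
    # 216.220.102.4 pokes three hosts: below the threshold, not reported.
    for i in range(1, 4):
        lines.append(f"{ts},{ts},0.000,216.220.102.4,119.193.125.{i},50{i:03d},23,TCP,2,88")
    # 203.0.113.5 is outside the customer prefix: ignored even though it scans.
    for i in range(1, 31):
        lines.append(f"{ts},{ts},0.000,203.0.113.5,216.220.97.{i},40{i:03d},23,TCP,1,44")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for hit in find_telnet_scanners(parse_flows(build_sample_csv())):
        print(hit)
```

Against real data, the CSV would come from `nfdump -o csv` with the same time window and `src net 216.220.96.0/19 and proto tcp and dst port 23` filter as in the thread; the point of the per-source view is that a handful of packets to each of many destinations is exactly the scanner signature, while the destination-sorted list above shows the same traffic as an unremarkable trickle.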