Security Basics mailing list archives
RE: Traffic To dark address space
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Thu, 24 May 2007 09:39:43 +1000
Yeah, to me the fact that it tries the same port over and over but from a 'different' IP is what made me pick it in the first place. Looking at my notes just now, it seems like the beginning of May for me here as a start point. I wonder if the ISC has any mention of this. Your theory has a good basis, David. Yesterday dropped off dramatically. I'll keep an eye on it.

I wonder if the slow spread might be useful to it in an accidental way, i.e. it doesn't get so much attention in the way that other things do. I don't like making the biological analogies usually for malware, but ebola outbreaks for instance die out because the virus is too intense and it doesn't get time to spread. This may be the converse, malware-wise.

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, May 24, 2007 9:05 AM
To: 'Murda Mcloud'; 'Ken Swain'; security-basics () securityfocus com
Subject: RE: Traffic To dark address space

I've been observing something since at least January that might relate to this, and I've got some speculation about the junk malware that's probably behind it.

Traffic consists of groups of (usually) three SYN packets to an address, frequently noticed because it's unpopulated, and a bizarre destination port number. What I notice is that I often see such inbounds from 1-3 additional sources within 24 hours for the same destination address *and port number*.

My theory, then, is that there's some bit of "junk malware" out there that is randomly generating targets for itself. ONE of the issues the author hasn't grasped is how PRNG (Pseudo-random Number Generator) algorithms work, so every time it generates destination address X, the code consistently generates destination port number Y, so every instance of infection that attempts to infect X does so via port Y.

Of course the odds that Y will be a listening vulnerable port should be very very small, so this thing is spreading only VERY slowly.

David Gillett

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Tuesday, May 22, 2007 10:20 PM
To: 'Ken Swain'; security-basics () securityfocus com
Subject: RE: Traffic To dark address space

I have seen an increase in drops on our perimeter too, at least 50% up from last month. The number of blocked addresses is higher than I have ever seen it. Ports are weird, but whatever is doing it keeps knocking at the same door over and over again. Different ports though: 45458, 45459, 45074, 22081, 2814, etc. I don't know if it is related or not.

How do you define dark space? The way I've pictured it is IP ranges/addresses that either come and go at very short notice and/or when they have not been legitimately assigned.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ken Swain
Sent: Wednesday, May 23, 2007 6:49 AM
To: security-basics () securityfocus com
Subject: Traffic To dark address space

Group,

I am seeing tons of drops on my firewall and IPS, correlated through my SIM, to and from dark address space. Not all machines on my network are doing this, but enough are that it is becoming a massive amount to deal with. I have done a virus scan and patch check on the boxes and they all came up clean. All this traffic started within the past month and has steadily increased. The ports are 137, 9100, 113, 67, 27604 and 27605. It appears to hit a block of dark address space and then move on to another, only to come back later.

Any ideas?

--Ken
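The signature David describes above (several unrelated sources hitting the same dark address on the same odd port within about a day) is easy to pull out of firewall drop logs once they are grouped by destination address and port rather than by source. The script below is an added example written for this archive page, not code posted by any of the participants. The log line layout, the sample drop lines (constructed, using documentation address ranges, not real traffic), the 24-hour window and the PRNG seed in the simulation are all assumptions; the `junk_malware_targets` function only models David's theory of a per-instance PRNG that couples address to port, it is not a sample of any real malware.

```python
"""Correlate firewall SYN drops to dark space by destination address and port."""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall drop lines (not data from the thread); the
# layout is an assumption, not any particular firewall's log format.
SAMPLE_LOG = """\
2007-05-21 03:12:07 DROP TCP 203.0.113.5:4021 -> 198.51.100.77:45458 SYN
2007-05-21 03:12:10 DROP TCP 203.0.113.5:4021 -> 198.51.100.77:45458 SYN
2007-05-21 03:12:16 DROP TCP 203.0.113.5:4021 -> 198.51.100.77:45458 SYN
2007-05-21 11:40:02 DROP TCP 192.0.2.44:1087 -> 198.51.100.77:45458 SYN
2007-05-21 19:05:33 DROP TCP 198.51.100.201:3344 -> 198.51.100.77:45458 SYN
2007-05-21 08:00:00 DROP TCP 203.0.113.9:5555 -> 198.51.100.80:22081 SYN
2007-05-23 09:00:00 DROP TCP 192.0.2.17:2222 -> 198.51.100.80:22081 SYN
2007-05-22 14:14:14 DROP UDP 203.0.113.30:137 -> 198.51.100.90:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_drops(log_text):
    """Yield (timestamp, proto, src, dst, dport) for each parsable drop line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["proto"], m["src"], m["dst"], int(m["dport"])


def _max_distinct_sources(events, window):
    """Largest set of distinct sources seen inside any span of length window."""
    events = sorted(events)
    best = set()
    for i, (t0, _) in enumerate(events):
        seen = {src for t, src in events[i:] if t - t0 <= window}
        if len(seen) > len(best):
            best = seen
    return best


def find_correlated_targets(log_text, window_hours=24, min_sources=2):
    """Return {'dst:dport': [sources]} for targets that at least min_sources
    distinct hosts probed on the *same* port within one window. A single
    scanner sweeping a port range, or one host retrying its three SYNs,
    does not match; several independent sources on one odd port does."""
    window = timedelta(hours=window_hours)
    by_target = defaultdict(list)
    for ts, proto, src, dst, dport in parse_drops(log_text):
        if proto == "TCP":
            by_target[(dst, dport)].append((ts, src))
    hits = {}
    for (dst, dport), events in by_target.items():
        srcs = _max_distinct_sources(events, window)
        if len(srcs) >= min_sources:
            hits["%s:%d" % (dst, dport)] = sorted(srcs)
    return hits


def junk_malware_targets(n, seed=0xC0FFEE):
    """Model of David's theory (the seed is a placeholder): if every infected
    instance seeds its PRNG identically, the (address, port) pairs come out in
    the same order on every host, so address X is always probed on port Y."""
    rng = random.Random(seed)
    targets = []
    for _ in range(n):
        addr = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        targets.append((addr, rng.randrange(1024, 65536)))
    return targets


if __name__ == "__main__":
    for target, srcs in find_correlated_targets(SAMPLE_LOG).items():
        print(target, "probed by", ", ".join(srcs))
```

Run against the constructed sample, only 198.51.100.77:45458 is reported: three distinct sources hit it inside one day, while the two probes of 198.51.100.80:22081 are 49 hours apart and the lone UDP 137 drop has one source. Widening the window to 72 hours picks up the second target as well, which is the knob to turn when the spread is as slow as David suggests. Point `parse_drops` at real drop logs by adjusting `LINE_RE` to the firewall's own format.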
Current thread:
- Traffic To dark address space Ken Swain (May 22)
- RE: Traffic To dark address space Murda Mcloud (May 23)
- Re: Traffic To dark address space Ken Swain (May 23)
- Re: Traffic To dark address space Ken Swain (May 23)
- RE: Traffic To dark address space David Gillett (May 24)
- RE: Traffic To dark address space Murda Mcloud (May 24)
- RE: Traffic To dark address space Murda Mcloud (May 23)