SANS ISC: Looking for packets from three particular subnets SANS ISC InfoSec Forums

Looking for packets from three particular subnets
A reader wrote in reporting seeing a large amount of odd activity from three subnets across a large number of disparate networks he managed. Addresses from these subnets have been generating between 100,000 and 500,000 inbound connections a day apiece, primarily targeting port 80; however, he had also seen a very small amount of inbound port 25 and port 443 as well. Sadly he wasn't able to capture any packets.
 
The subnets in question are:
 
5.254.116.32-5.254.116.63 ("AppLayer_Anti-DDoS_Hosting" located in Russia)
94.23.97.196-94.23.97.199 ("GAMESPROTECT AntiDDoS Network" located in Germany)
5.254.105.16-5.254.105.31 ("WooServers" located in Germany)
 
If you have any packet captures of this traffic or know why these subnets are making apparently unsolicited, random connections, please write in and let us know!
 

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
Chris, this may seem off topic at first, but what happens when you reverse these IPs? I am thinking this may be a case of dynamically-assigned reverse DNS entries being used by botnets. Here's an example of results from robtex's blacklist from one of the IPs you've listed when reversed. Just a thought.
https://www.robtex.com/ip/63.116.254.5.html#blacklists
Anonymous
I've seen traffic to my /16 from a total of 4 hosts spread across all three of the listed subnets over the past few weeks. The initial packets are sourced from tcp/25 with destinations of tcp/80. Within a few hours, we see very large numbers of SYN packets from the source IP address. I don't have any real ideas about the purpose, but sourcing the original packets from tcp/25 seems pretty odd.
Ken

40 Posts
This could be a backdoor from any number of trojans, including Zeus. This might be helpful: http://www.adminsub.net/tcp-udp-port-finder/control
Ken
2 Posts
Reminds me of packets seen from 190.115.23.35 (BZ/Belize/ddos-guard.net) for several hours:
Jan 24 09:39:57 SRC=190.115.23.35 DST=5.9.x.y LEN=61 TOS=0x00 PREC=0x00 TTL=121 ID=27 DF PROTO=UDP SPT=53 DPT=37313 LEN=41
Jan 24 09:39:57 SRC=190.115.23.35 DST=5.9.x.y LEN=61 TOS=0x00 PREC=0x00 TTL=121 ID=0 DF PROTO=UDP SPT=53 DPT=37313 LEN=41
Jan 24 09:39:57 SRC=190.115.23.35 DST=5.9.x.y LEN=61 TOS=0x00 PREC=0x00 TTL=121 ID=27 DF PROTO=UDP SPT=53 DPT=37313 LEN=41
Jan 24 09:39:57 SRC=190.115.23.35 DST=5.9.x.y LEN=61 TOS=0x00 PREC=0x00 TTL=121 ID=0 DF PROTO=UDP SPT=53 DPT=37313 LEN=41
Jan 24 09:39:57 SRC=190.115.23.35 DST=5.9.x.y LEN=61 TOS=0x00 PREC=0x00 TTL=121 ID=27 DF PROTO=UDP SPT=53 DPT=37313 LEN=41

Possibly it is backscatter from an attack against that IP, spoofing my server's IP as the source. Possibly something more nefarious though, unfortunately I only have the packet headers.
Steven C.

171 Posts
Observing the same behavior from 178.32.13.108 in the last hour.
Ken

40 Posts
Same here, getting it from 178.32.13.108. It started about 3.5 hours ago.

I sent an email to abuse@ovh.net, no response yet.

At the moment, our firewall is holding back the brunt of it and we have the pipe to spare, fortunately.
I'm on Cogent's backbone and will be reporting it to them if I don't hear anything back soon.

From my sonicwall logs:

Feb 1 17:59:58 1102grand id=firewall sn=0017C565342E time="2014-02-01 17:59:36" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5579626 src=178.32.13.108:12550:X1: dst=x.x.x.199:80:X3:shared-hosting-2.xyz.net note="Handshake Timeout"
Feb 1 18:00:09 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:00:11" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5580170 src=178.32.13.108:42974:X1: dst=x.x.x.207:80:X3: note="Handshake Timeout"
Feb 1 18:00:46 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:00:48" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5582062 src=178.32.13.108:43313:X1: dst=x.x.x.199:80:X3:shared-hosting-2.xyz.net note="Handshake Timeout"
Feb 1 18:01:24 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:01:26" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5584036 src=178.32.13.108:2562:X1: dst=x.x.x.199:80:X3:shared-hosting-2.xyz.net note="Handshake Timeout"
Feb 1 18:02:04 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:02:00" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5586152 src=178.32.13.108:20143:X1: dst=x.x.x.207:80:X3: note="Handshake Timeout"
Feb 1 18:02:34 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:02:35" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5587659 src=178.32.13.108:57797:X1: dst=x.x.x.207:80:X3: note="Handshake Timeout"
Feb 1 18:03:10 1102grand id=firewall sn=0017C565342E time="2014-02-01 18:03:11" fw=38.104.86.118 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5589364 src=178.32.13.108:58326:X1: dst=x.x.x.200:80:X3:shared-hosting-1.xyz.net note="Handshake Timeout"
JMG

1 Posts
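One way to pull the pattern described in this thread out of firewall logs like the SonicWall entries above, as an added example (not the poster's or ISC's code): group "Handshake Timeout" drops by source address and flag sources that never complete the handshake against several of our hosts while cycling through source ports. The sample lines are constructed to match the field layout posted above, with documentation addresses and hostnames for the destinations.

```python
import re
from collections import defaultdict

# Constructed sample entries in the SonicWall field layout posted above (not the poster's
# own log). 178.32.13.108 is the address discussed in the thread; destinations use the
# 192.0.2.0/24 and 203.0.113.0/24 documentation ranges.
SAMPLE_LOG = """\
Feb 1 17:59:58 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=178.32.13.108:12550:X1: dst=192.0.2.199:80:X3:shared-hosting-2.example note="Handshake Timeout"
Feb 1 18:00:09 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=178.32.13.108:42974:X1: dst=192.0.2.207:80:X3: note="Handshake Timeout"
Feb 1 18:00:46 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=178.32.13.108:43313:X1: dst=192.0.2.199:80:X3:shared-hosting-2.example note="Handshake Timeout"
Feb 1 18:01:24 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=178.32.13.108:2562:X1: dst=192.0.2.200:80:X3:shared-hosting-1.example note="Handshake Timeout"
Feb 1 18:02:04 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=178.32.13.108:20143:X1: dst=192.0.2.207:80:X3: note="Handshake Timeout"
Feb 1 18:02:34 fw1 id=firewall m=760 msg="TCP handshake violation detected; TCP connection dropped" src=203.0.113.9:51000:X1: dst=192.0.2.199:80:X3:shared-hosting-2.example note="Handshake Timeout"
"""

# key=value pairs; quoted values may contain spaces and semicolons.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the src/dst/note fields of one line, or None if it carries no src and dst."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if 'src' not in fields or 'dst' not in fields:
        return None
    src_ip, src_port = fields['src'].split(':')[:2]     # ip:port:iface:
    dst_ip, dst_port = fields['dst'].split(':')[:2]     # ip:port:iface:hostname
    return {'src_ip': src_ip, 'src_port': int(src_port),
            'dst_ip': dst_ip, 'dst_port': int(dst_port), 'note': fields.get('note', '')}


def find_reflection_sources(log_text, min_events=3, min_dsts=2):
    """Sources whose SYNs never complete against several of our hosts, cycling through
    source ports: the shape a spoofed-source SYN reflection leaves in a reflector's log
    (the 'source' is the real victim, which never sends the final ACK)."""
    stats = defaultdict(lambda: {'events': 0, 'dsts': set(), 'ports': set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev['note'] != 'Handshake Timeout':
            continue
        s = stats[ev['src_ip']]
        s['events'] += 1
        s['dsts'].add(ev['dst_ip'])
        s['ports'].add(ev['src_port'])
    return {ip: {'events': s['events'], 'dsts': len(s['dsts']), 'src_ports': len(s['ports'])}
            for ip, s in stats.items()
            if s['events'] >= min_events and len(s['dsts']) >= min_dsts}


if __name__ == '__main__':
    for ip, s in find_reflection_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['events']} handshake timeouts, {s['dsts']} hosts, {s['src_ports']} source ports")
```

Feed it real firewall output instead of SAMPLE_LOG and raise min_events to suit your traffic; a flagged source is a likely reflection victim, not necessarily an attacker, which matters for how you respond.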
Seeing loads of port 80 traffic from 178.32.13.108 (FR) to port 80.
SasK

12 Posts
We've been seeing enormous amounts of backscatter from several European ISPs for the last two weeks.

IPs we've seen from OVH are:
94.23.97.196
37.187.195.49
5.254.116.46
5.254.105.21

178.32.13.108

This last has generated 80+M on port 80 in 5 hours since midnight UTC Feb 2.
JAG

2 Posts
I don't have packet captures from 178.32.13.108 (GAMESPROTECT Inc AntiDDos Network), but I do have netstat records. All I see is half-open SYN_RECV, so I assume there's not much info in those packets and the IP address is spoofed (it wouldn't be a good advert for an anti-DDos network). Don't normally need SYN cookies, but will leave on if the eedjits continue to misbehave.
JAG
3 Posts
Oh, in case my above reply wasn't clear, so far as I can see the subnets mentioned above are the /targets/ and this is a massive DDoS attack, presumably launched from a botnet, and using large numbers of web servers for a SYN reflection attack.

To avoid suffering collateral damage, if you're using netfilter, SYN cookies should help, and reducing the value of net.netfilter.nf_conntrack_tcp_timeout_syn_recv. To actually avoid participating in the attack, probably lowering net.ipv4.tcp_synack_retries to 2 would reduce the "amplification factor". I haven't tested it, but possibly using iptables -m connlimit --connlimit-upto 50 would effectively mean your server is no longer useful to the attackers.
JAG
3 Posts
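To put numbers on the "amplification factor" argument in the post above, an added example (not JAG's or ISC's code) that models what a spoofed SYN costs a Linux reflector under the default tcp_synack_retries and under the value suggested above. The retransmission backoff and defaults it assumes are stated in the comments, and the 6 SYN/s input is a constructed rate.

```python
# Model of what a spoofed SYN costs the reflector, i.e. the server whose SYN-ACKs are
# bounced toward the victim. Modelling assumption (added example, not from the thread):
# Linux retransmits an unanswered SYN-ACK with exponential backoff starting at 1 s
# (1, 2, 4, ...) up to net.ipv4.tcp_synack_retries times (default 5), then discards
# the half-open entry. Conntrack holds its own entry for the flow under
# net.netfilter.nf_conntrack_tcp_timeout_syn_recv (default 60 s).
TCP_TIMEOUT_INIT = 1          # seconds before the first SYN-ACK retransmit
DEFAULT_SYNACK_RETRIES = 5


def synack_schedule(synack_retries=DEFAULT_SYNACK_RETRIES):
    """Offsets (s) after the spoofed SYN at which each SYN-ACK leaves the reflector."""
    return [sum(TCP_TIMEOUT_INIT << i for i in range(n)) for n in range(synack_retries + 1)]


def half_open_lifetime(synack_retries=DEFAULT_SYNACK_RETRIES):
    """Seconds the entry sits in SYN_RECV before the kernel gives up on it."""
    return sum(TCP_TIMEOUT_INIT << i for i in range(synack_retries + 1))


def reflected_packets(spoofed_syns, synack_retries=DEFAULT_SYNACK_RETRIES):
    """Packets the reflector sends toward the victim: the amplification factor is retries + 1."""
    return spoofed_syns * (synack_retries + 1)


def steady_state_half_open(syn_rate_per_s, synack_retries=DEFAULT_SYNACK_RETRIES):
    """Little's law: arrival rate x lifetime = half-open entries held at any moment, which
    is the state that SYN cookies and a shorter syn_recv conntrack timeout keep bounded."""
    return syn_rate_per_s * half_open_lifetime(synack_retries)


def compare_settings(syn_rate_per_s, settings=(DEFAULT_SYNACK_RETRIES, 2)):
    """Side by side: the kernel default against the lower value suggested in the thread."""
    return {r: {'synacks_per_syn': r + 1,
                'lifetime_s': half_open_lifetime(r),
                'half_open_entries': steady_state_half_open(syn_rate_per_s, r)}
            for r in settings}


if __name__ == '__main__':
    # constructed rate: 6 spoofed SYNs per second arriving at this reflector
    for retries, row in compare_settings(6).items():
        print(f"tcp_synack_retries={retries}: {row}")
```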
We became aware of that in the 2nd week of this year.

For us it's pretty easy to detect in our netflows.

The guess here is, as already stated above, that these are attacks against webservers where the attackers sent out SYN packets with the spoofed IP of the victim.

Sigh: Ingress filtering at the edge is implemented no more. Would be nice if one could nail ISPs doing so.
Jens

42 Posts
@JMG: I think you will never get a response from abuse@ovh.net. I recently sent them dozens of abuse reports and never got a response, nor did they take action in any way.

Ovh (as Voxility, the owner of the other address ranges) work not only together with criminals. Ovh is one of the biggest hosters for spammers and other criminals in Europe, and they not only take their money, but actively support them.

E.g. Ovh provides spammers with changing IP addresses, so that they can send you hundreds of spams, all the same content, but each from a different IP address, each with a different domain name as sender. So the spammer easily can avoid blackholes and likely...

This is illegal (felony, not just civil law) in German law, and so I asked my employer to take legal action against Ovh. But we are a producing company, not a lawsuiting one, and since I could assure my employer to be able to block ovh spam efficiently, he decided not to take further action. What a pity!
Jens
7 Posts
I do have some captures if they are still needed.
Anonymous
Jens on forgeries: "Sigh: Ingress filtering at the edge is implemented no more. Would be nice if one could nail ISPs doing so."

I wonder: could one identify "unhygienic" networks, generating a lot of spoofed SYNs/UDP, on an internet exchange LAN with a little not-so-deep packet inspection? You can see which AS is involved from the MAC, and see if the IP prefix is in the global routing tables.

I'd appreciate any explanation from someone who knows more of the history. BCP 38 & 46 are dated 2000, and seemed to keep forgeries to a manageable level for years, but now the problem re-emerges with fast DSL from Windows XP machines in the far East.

I've also submitted some packets with forged source 94.23.97.197. Simple SYNs as far as I could see.
Anonymous
I sent an abuse report to wooservers regarding 5.254.105.21. They responded: that particular server was under high DDOS attack at the time I sent the note.

I agree that we're the intermediaries for DrDoS. A couple of the source IPs were ddos-guard networks.
Anonymous
Yeah, we've been seeing TCP SYN floods from these IP addresses as well. Nothing large in volume.
The NH-ISAC also reported the following:

DDoS Activity from IP 37.187.195.49 and 5.254.105.21
On 21 January, an institution received alerts that they were experiencing a DDoS attack. The alerts indicated there were SYN Floods from IP 37.187.195.49 and 5.254.105.21. And volume was reportedly at six (6) million bps (bits per second).

Further review of system logs indicated that the attack appears to have been slow and persistent for approximately fifty-six (56) days until peaking to fifteen (15) million bps at approximately 15:30 on 21 January 2014.

Suspicious scanning activity
An institution reported seeing TCP scanning activity from the following IP range between 20-23 Jan 2014 (based on a 30-day search):

178.248.23.58
178.248.23.65
178.248.23.174
178.248.23.115
178.248.23.74
178.248.23.7

According to the below blog, there were a couple of IP addresses in this range which were used to compromise other servers. In addition, there were no indications of these servers being used in DDoS attacks until last night.

hxxp://www.webhostingtalk.com/showthread.php?p=8997049
Anonymous
I had a period of really broken connectivity earlier this week, and after finally getting it more or less fixed up yesterday (fingers crossed) I started seeing an average of 6/second port 80 connections, supposedly from the two IP addresses 176.122.240.253 and 176.122.240.254. About 3/4 of the connections come from .253 and the rest from .254. My Apache logs are showing NOTHING, so I don't have any idea what the connections might be about. I suspect SYN flood or backscatter attack, but can't say for sure. This looks similar to what has been reported above.

The whois info on those addresses is pretty useless. ISC's info is slightly better, they at least attribute the rodina.tv domain to the two IPs, and show them currently hammering other systems on port 80, so I don't feel so unique. Anybody know anything about this mysterious INTEC TRADE INC. that is supposedly responsible? I've currently got their whole subnet (176.122.240.0/22, per ISC's info) blackholed in my firewall rules; but the port-80 spamming continues, eating into my pathetically small Internet bandwidth...
whurlitzer

13 Posts
I was able to capture some packets from 5.254.105.19 and 94.23.97.50. I also have some log messages from previous dates. I noticed activity from these networks starting around 1/14/2014. Please let me know how you want the packet capture uploaded, providing you are still looking for this information.
whurlitzer
1 Posts
