
SANS ISC: Traffic increase for port UDP/8247 - Internet Security | DShield SANS ISC InfoSec Forums


Traffic increase for port UDP/8247

We got reports of a significant traffic increase associated with port UDP/8247 starting yesterday. The peak can be seen in our DShield graphs too. It seems to be related to CNN's streaming service broadcasting the Obama events mentioned in yesterday's ISC diary. Based on multiple reports, CNN seems to be using Octoshape's P2P plug-in with Flash.

The traffic looks like P2P, based on the number of endpoints; one or both of the ports at each end are UDP/8247, and the packet size seems to be constant (streaming traffic). In the samples we received, the UDP payload is 1043 bytes.

The purpose of this diary is to let you know this activity is going on. Having said that, please do not simply ignore this kind of traffic because of this diary. It would be easy for an attacker to hide his actions on this port if we simply ignore it.

--
Raul Siles
www.raulsiles.com
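One way to keep watching this port instead of ignoring it, as an added example that is not part of the original diary: it checks UDP/8247 packets against the profile described above (constant 1043-byte payload, many endpoints) and lists internal hosts that depart from it. The record layout, the `10.0.0.0/8` internal range, the `min_peers` threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PORT = 8247           # port named in the diary
PROFILE_LEN = 1043    # UDP payload size in the diary's samples
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: monitored network
# Constructed records: (src, sport, dst, dport, proto, udp_payload_len)
SAMPLE = [
    ("10.0.0.5", 8247, "198.51.100.10", 8247, "udp", 1043),
    ("198.51.100.11", 8247, "10.0.0.5", 8247, "udp", 1043),
    ("10.0.0.5", 8247, "198.51.100.12", 40211, "udp", 1043),
    ("10.0.0.9", 8247, "203.0.113.7", 8247, "udp", 212),
    ("10.0.0.9", 8247, "203.0.113.7", 8247, "udp", 1460),
    ("203.0.113.7", 8247, "10.0.0.9", 8247, "udp", 87),
    ("10.0.0.5", 8247, "198.51.100.10", 8247, "tcp", 1043),  # not UDP, skipped
]

def summarize(records):
    """Group UDP/8247 packets by internal host: peers seen, payloads off profile."""
    hosts = defaultdict(lambda: {"peers": set(), "deviant": []})
    for src, sport, dst, dport, proto, plen in records:
        if proto != "udp" or PORT not in (sport, dport):
            continue
        if ipaddress.ip_address(src) in INTERNAL:
            host, peer = src, dst
        elif ipaddress.ip_address(dst) in INTERNAL:
            host, peer = dst, src
        else:
            continue
        hosts[host]["peers"].add(peer)
        if plen != PROFILE_LEN:
            hosts[host]["deviant"].append((peer, plen))
    return dict(hosts)

def needs_review(records, min_peers=3):
    """Return {host: [reasons]} for hosts whose port-8247 traffic departs from the profile."""
    flagged = {}
    for host, e in summarize(records).items():
        reasons = []
        if e["deviant"]:
            reasons.append(f"{len(e['deviant'])} packets with payload != {PROFILE_LEN}")
        if len(e["peers"]) < min_peers:
            reasons.append(f"only {len(e['peers'])} peer(s)")
        if reasons:
            flagged[host] = reasons
    return flagged

if __name__ == "__main__":
    print(needs_review(SAMPLE))
```

A flagged host is a prompt to look at the packets, not a verdict: the 1043-byte figure comes only from the samples mentioned in the diary, so legitimate traffic of other sizes on this port cannot be ruled out.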
