Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: What has Iran been up to lately? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What has Iran been up to lately?

Going over some data earlier today, I noted that a few days ago, we had a notable spike of port scans from Iran in our DShield database. Iran is "spiking" at times, in part because we figure only a relative number of actors are scanning from Iran. So lets see what was going on. First, a plot of the activity from Iran for February:

port scans from Iran over February 2013

Click on the image for the full size. This data is fairly "rough" as it is just counting number of dropped packets. This could be one host sending the same packet over and over to the same target. (ok... about 2-3 Million times on the peak days)

Lets look at the ports affected next. Below you will see the data for February 16th:

 

+------+--------+
| port | count  |
+------+--------+
|   21 | 466735 | 
|   53 | 465751 | 
|   23 | 458511 | 
|   22 | 457712 | 
|   80 | 455077 | 
|  179 | 453416 | 
| 3389 |   5750 | 
|  445 |   4926 | 
| 4614 |   4721 | 
| 5900 |    356 | 

This is getting a bit more interesting. the top 6 ports have almost the same number of "hits", and they are well known server ports. 179 (BGP) is in particular interesting as it is not scanned a lot and more of an "infrastructure" port. But one could expect routers to respond on 23, 22 and 80 as well. 21 and 53? Not exactly router ports.

One host that sticks out for port 179 scans that day (port 179 is easier to investigatate as there are less scans for this port then the others), is 213.217.37.102 .

Scans originating from this particular host confirm the original picture:

 

+------------+---------+---------+
| targetport | reports | targets |
+------------+---------+---------+
|         21 |  386903 |     368 | 
|         22 |  379809 |     363 | 
|         23 |  380493 |     365 | 
|         53 |  387051 |     365 | 
|         80 |  374014 |     360 | 
|        179 |  378105 |     366 | 
+------------+---------+---------+
Interesting that the number of reported targets is rather small. Each target IP receives about 1,000 packets. But not all submitters report distinct target IPs and rather include a "dummy target IP" instead.
 
Sadly, we don't have any reports about the nature of the activity. Our ssh honeypot database is empty for this IP (and the /16 that goes with it). So if you have an ssh honeypot... check it ;-) and let us know what you find.
 
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3537 Posts
ISC Handler
Interesting that port 179 (BGP) is on the list (though at #6), but perhaps the Iranians want to disrupt and/or corrupt BGP tables in routers or other devices, creating a mess on the internet?

Hmmmm
dogbert2

21 Posts
That reminds me of HFT methods. Does anybody correlate port attacks with HFT 'attacks'? http://www.nanex.net/aqck/aqckIndex.html
Anonymous
Attack Traffic Overiew
- http://www.akamai.com/html/technology/dataviz1.html
Feb 24, 2013 - 07:43AM est
89.38% above normal...
.
Jack

160 Posts
Makes me wonder if someone is trying to cause problems for Juniper routers....

http://junosgeek.blogspot.com/2013/02/junos-out-of-cycle-security-bulletin.html
Kyle

2 Posts

Sign Up for Free or Log In to start participating in the conversation!