North American Network Operators Group


Rogue traffic commonly perceived as "noise" (was: Scan traffic from 121.8.0.0/16)

  • From: Justin Shore
  • Date: Fri Mar 07 14:44:03 2008


Yeah, much of it is noise. However there is a lot of coordination to much of what I'm seeing. Many of the scans stop at hosts with accessible SSH daemons and pound on them for minutes to hours. Others are more subtle. I'll see one host scan our ranges and pick out the IPs running SSH. Then, a short time later, those specific hosts are directly targeted from a different compromised host, implying that there is communication on the back-end about IPs w/ SSH daemons. I tested the theory by disabling SSH on a few of the hosts picked up in earlier mass scans. The targeted attacks are still aimed at those hosts learned in the earlier scan even though their SSH daemons were effectively offline. Some scans are so slow they're barely noticeable (as was reported on the SANS ISC site recently).


Even though much of this is simply noise and typical life on the Internet, I have to wonder how much of this noise is actual reconnaissance against SPs and their customers. A certain large SE Asian country's military is widely reported to be performing recon and attacks against IP resources around the globe. How much of what people believe is noise is actually malicious traffic or a prelude to some future event?

Frankly the scans on my network have been significantly reduced by being a little more proactive with my monitoring. I've found that networks generating SSH scans are also being used for telnet, MS-SQL and SMTP scans. Unfortunately the processes I'm utilizing are very labor intensive and I can't keep doing this forever. I would love to find a tool that could help me automate some of this process and hopefully react faster than I can.

While typing this 69.13.181.99 just scanned one of our /19s. The flood of packets was so fast I wouldn't have been able to null route it even if I'd been actively watching the flows. The only way I could have slowed it down would have been to rate-limit SYNs. That leads to a good question for NANOG at large which I'll post separately.

Justin


Martin Hannigan wrote:
> Scans are really a dime a dozen and noise that buries good data on
> real problems. Be careful!
>
> On 3/6/08, Justin Shore <[email protected]> wrote:
>> Rich Sena wrote:
>>> Anyone seeing anything similar - trying to determine if this is spoofed
>>> etc...
>> I haven't picked up any SSH or telnet scans from that network. That's
>> what I'm looking for at the moment. The amount of scans we're getting
>> are quite impressive at times. I wish there was an easy way to automate
>> the care and feeding of my RTBH with this data (and some sanity checks).
>>
>> Justin
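The scan-then-target pattern Justin describes (one source sweeps a range on tcp/22, a different source later hits only the hosts that sweep found) can be pulled out of flow data mechanically. The following is an added example, not code from the thread or any NANOG tool; the flow records, thresholds, the 6-hour follow-up window and the RFC 5737 addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, src, dst, dport). Not real
# data; all addresses are from the RFC 5737 documentation ranges.
FLOWS = [("2008-03-07 10:00:%02d" % i, "198.51.100.7", "192.0.2.%d" % i, 22)
         for i in range(1, 13)]                          # fast sweep of tcp/22
FLOWS += [
    ("2008-03-07 12:30:00", "203.0.113.9", "192.0.2.3", 22),    # later, targeted
    ("2008-03-07 12:31:00", "203.0.113.9", "192.0.2.7", 22),    # from another src
    ("2008-03-07 12:40:00", "203.0.113.50", "192.0.2.200", 22), # not a swept host
    ("2008-03-17 12:40:00", "203.0.113.77", "192.0.2.5", 22),   # outside window
]

SWEEP_MIN_HOSTS = 8                  # assumed: distinct dsts before src is a sweeper
FOLLOWUP_WINDOW = timedelta(hours=6) # assumed: how long after a sweep to correlate
PORT = 22

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_sweeps(flows, min_hosts=SWEEP_MIN_HOSTS, port=PORT):
    """Return {src: (first_seen, {dst, ...})} for sources that swept `port`."""
    seen, first = defaultdict(set), {}
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        seen[src].add(dst)
        first[src] = min(first.get(src, _ts(ts)), _ts(ts))
    return {s: (first[s], d) for s, d in seen.items() if len(d) >= min_hosts}

def find_followups(flows, sweeps, window=FOLLOWUP_WINDOW, port=PORT):
    """Flows from a *different* source to hosts an earlier sweep discovered,
    within `window` of that sweep's start. Returns sorted (src, dst, scanner)."""
    hits = []
    for ts, src, dst, dport in flows:
        if dport != port or src in sweeps:
            continue
        t = _ts(ts)
        for scanner, (start, hosts) in sweeps.items():
            if dst in hosts and start < t <= start + window:
                hits.append((src, dst, scanner))
    return sorted(hits)

if __name__ == "__main__":
    sweeps = find_sweeps(FLOWS)
    for src, dst, scanner in find_followups(FLOWS, sweeps):
        print("%s -> %s (host first found by sweep from %s)" % (src, dst, scanner))
```

Sources that show up in the follow-up list are the candidates for the RTBH feed; the sweep-size threshold and window are the sanity checks that keep a single stray connection from triggering a null route.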