Archive for March, 2010

An abuser and more on UDP/40810 traffic

March 19, 2010

In yesterday’s post, we mentioned the IP address that generated the most traffic. Today, the “External IP addresses – Top 50 by bandwidth use” report section indicated that the same IP was responsible for 25% of the total web traffic for March 18. For the same day, it initiated 252,128 connections. This means load both on the webserver and on the firewall. While our hardware is more than capable of handling this type of traffic, this IP address is clearly abusing our resources. Further investigation (the “Severity level 5 (Notification) details” report section) revealed, through the %PIX-5-304001 log entries, that this IP is trying to download every page from our website. We have other, proprietary mechanisms to prevent a brute-force site download; however, we decided to block all access for this IP address. So, on our firewall, we added an ACL entry similar to this:

access-list some_acl_name_here deny tcp host 208.68.224.23 any

The “Warnings and notifications” section displayed a couple of “Bad TCP hdr length…” error messages, all for the external interface. Further investigation indicated that some messages like this are to be expected (some hosts send an incorrect TCP header) and, as long as they are infrequent, there is no need to worry.

The “Denied connections” section again listed quite a few denials for UDP/40810, and again nothing relevant was found on Google. Most of the connections seem to come from US-based IP addresses. Just to see if we could get more information, we took the host that generated the most connections of this type (144 of them), 68.54.133.93 (c-68-54-133-93.hsd1.nj.comcast.net), and ran an IP Forensics analysis against it. The IP Forensics report indicated that, starting at 03:54:34 EST, this IP attempted to connect to one of our web servers (the same host) on both UDP/40810 and TCP/40810. The probes continued until 11:35:30, with roughly 20 connection attempts per hour. Those were the only connections to or from this IP. Just to confirm the pattern, we took the IP address with the second most connections (96.42.231.54, no reverse DNS but belonging to Charter Communications, www.charter.com, a telecom company in the US). The IP Forensics report indicated a very similar pattern: the probes, 85 of them, started at 03:53:16 EST and ended at 07:10:03, and no other type of traffic was recorded. Our guess is that this is some sort of program (maybe a virus) installed on some PC (the user may be totally unaware) that scans a certain range of IP addresses. If anyone else sees this kind of traffic, we would appreciate a comment to confirm it.
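The two checks described above (ranking web clients by how many pages they pull, which is what exposed the site crawler, and summarizing everything a single source did against the firewall, which is what the IP Forensics report does) can be reproduced from the PIX syslog itself. The script below is an added example written for this post, not FireGen’s code or the report’s own logic. It parses constructed sample lines modelled on the %PIX-5-304001 (URL accessed), %PIX-2-106006 (denied inbound UDP) and %PIX-2-106001 (denied inbound TCP) message formats; the timestamps, ports, 203.0.113.x/198.51.100.x/192.0.2.x addresses and the ACL name are assumptions, and the ACL line it emits follows the form shown in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of PIX syslog lines (not taken from the post). Message bodies
# are modelled on %PIX-5-304001, %PIX-2-106006 and %PIX-2-106001; 203.0.113.10 stands
# in for the web server, 198.51.100.7 and 192.0.2.44 are documentation addresses.
SAMPLE_LOG = """\
Mar 18 2010 03:00:00: %PIX-2-106006: Deny inbound UDP from 68.54.133.93/51234 to 203.0.113.10/40810 on interface outside
Mar 18 2010 03:00:01: %PIX-2-106001: Inbound TCP connection denied from 68.54.133.93/51235 to 203.0.113.10/40810 flags SYN on interface outside
Mar 18 2010 03:10:00: %PIX-5-304001: 208.68.224.23 Accessed URL 203.0.113.10:/
Mar 18 2010 03:10:01: %PIX-5-304001: 208.68.224.23 Accessed URL 203.0.113.10:/page1.html
Mar 18 2010 03:10:02: %PIX-5-304001: 208.68.224.23 Accessed URL 203.0.113.10:/page2.html
Mar 18 2010 03:10:03: %PIX-5-304001: 208.68.224.23 Accessed URL 203.0.113.10:/page3.html
Mar 18 2010 03:10:04: %PIX-5-304001: 208.68.224.23 Accessed URL 203.0.113.10:/page1.html
Mar 18 2010 03:12:00: %PIX-5-304001: 198.51.100.7 Accessed URL 203.0.113.10:/
Mar 18 2010 04:00:00: %PIX-2-106006: Deny inbound UDP from 68.54.133.93/51236 to 203.0.113.10/40810 on interface outside
Mar 18 2010 04:30:00: %PIX-2-106006: Deny inbound UDP from 68.54.133.93/51237 to 203.0.113.10/40810 on interface outside
Mar 18 2010 05:00:00: %PIX-2-106006: Deny inbound UDP from 68.54.133.93/51238 to 203.0.113.10/40810 on interface outside
Mar 18 2010 05:00:00: %PIX-2-106006: Deny inbound UDP from 192.0.2.44/40000 to 203.0.113.10/40810 on interface outside
"""

HEADER = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)$")
URL_ACCESS = re.compile(r"^([\d.]+) Accessed URL ([\d.]+):(\S+)$")
DENY_UDP = re.compile(r"^Deny inbound UDP from ([\d.]+)/\d+ to ([\d.]+)/(\d+)")
DENY_TCP = re.compile(r"^Inbound TCP connection denied from ([\d.]+)/\d+ to ([\d.]+)/(\d+)")


def parse_line(line):
    """Return a dict describing one event, or None for lines this example does not model."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    msgid, body = m.group(2), m.group(3)
    if msgid == "304001" and (u := URL_ACCESS.match(body)):
        return {"ts": ts, "kind": "url", "src": u.group(1), "dst": u.group(2), "url": u.group(3)}
    if msgid == "106006" and (d := DENY_UDP.match(body)):
        return {"ts": ts, "kind": "deny", "src": d.group(1), "dst": d.group(2), "service": f"UDP/{d.group(3)}"}
    if msgid == "106001" and (d := DENY_TCP.match(body)):
        return {"ts": ts, "kind": "deny", "src": d.group(1), "dst": d.group(2), "service": f"TCP/{d.group(3)}"}
    return None


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def top_talkers(events, limit=5):
    """Rank sources by URL hits; many distinct URLs from one source is the crawler signature."""
    hits, urls = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["kind"] == "url":
            hits[ev["src"]] += 1
            urls[ev["src"]].add(ev["url"])
    ranked = sorted(hits, key=lambda ip: hits[ip], reverse=True)
    return [(ip, hits[ip], len(urls[ip])) for ip in ranked[:limit]]


def deny_acl(ip, acl_name="some_acl_name_here"):
    """ACL line in the form the post uses to block an abusive host (acl_name is a placeholder)."""
    return f"access-list {acl_name} deny tcp host {ip} any"


def ip_forensics(events, ip):
    """Summarize everything seen from one source: time window, count, denied services, rate per hour."""
    mine = sorted((ev for ev in events if ev["src"] == ip), key=lambda ev: ev["ts"])
    if not mine:
        return None
    first, last = mine[0]["ts"], mine[-1]["ts"]
    span_h = (last - first).total_seconds() / 3600
    return {
        "first": first, "last": last, "count": len(mine),
        "services": sorted({ev["service"] for ev in mine if ev["kind"] == "deny"}),
        "other_traffic": any(ev["kind"] != "deny" for ev in mine),
        "per_hour": len(mine) / span_h if span_h > 0 else float(len(mine)),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, hits, distinct in top_talkers(events):
        print(f"{ip}: {hits} hits over {distinct} distinct URLs")
    print(deny_acl(top_talkers(events)[0][0]))
    print(ip_forensics(events, "68.54.133.93"))
```

The “other_traffic” flag is the detail that mattered in the post: a source whose only events are denials on one odd port, spread evenly over hours, looks like an automated scanner rather than a client that ever used the web server. Run it against a real PIX syslog export by replacing SAMPLE_LOG with the file contents.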

Sample IP Forensics report: http://www.eventid.net/firegen/ipforensics_report.asp


Strange denials for UDP/48010 and UDP/48014

March 18, 2010

We continue to see quite a few TCP/135 (MS RPC) probes from China-based computers. Each IP address is recorded with just one probe on that port, so most probably these are PCs infected with various viruses, with no determined hackers behind them. This is to be expected; however, it is good to see that there are fewer and fewer US-based probes.

The bulk of the traffic is, of course, HTTP, with approx. 7 GB. The top IP address generating web traffic is 208.68.224.23. While there is no reverse host name configured for this IP, the organization is listed as Atrion Networking (http://www.atrion.net/). This IP alone downloaded close to 600 MB of data, and for a webserver with no big files to download this is a very large amount. Atrion seems to be a telecom company, so it is possible that this is a proxy server actively downloading content from visited sites.

The typical Google, Yahoo, MS and Yandex.ru bots come next and, again, this is to be expected. For a public webserver this is good: it means that your website is getting indexed in all these search engines, increasing the visitors to the site. Even if they put a certain load on the server, one should not block them!

The traffic vs. denials graph allows a quick check for anomalies (e.g. unusual spikes in denials may indicate a concentrated attack against the server). So, a green “mountain” with a matching low-profile denials curve is just what you want to see.

There are quite a few denied connections for UDP/48010 and UDP/48014 (and some TCP/48014 connection attempts). Searching Google and the SANS Internet Storm Center did not reveal any useful information, which is a bit strange. Could this be something specific to our server? For example, a whois query from our application may cause a reply on UDP/48010 from the targeted IP; all the UDP traffic is rejected by our firewall, and the denials would end up recorded in the logs. We will have to replicate a query to one of those IPs and monitor the traffic going back and forth, outside the firewall, between our server and that IP address. One can use Ethereal (a free network protocol analyzer) to perform this task. The past reports do not contain this type of denial, so it could simply be a new vulnerability that we have to keep an eye on. Fortunately, our server has all the recommended patches and hotfixes.
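Before going outside the firewall with a packet capture, the “are these denials replies to our own outbound traffic?” hypothesis can be tested from the firewall logs alone: a denied inbound UDP packet that arrives from a peer our server contacted moments earlier is a candidate reply (to a different local port, since a reply on the exact port the firewall already tracks would have been permitted), while a denial from a peer we never talked to is an unsolicited probe. The script below is an added example written for this post, not the log analyzer’s own feature. It uses constructed sample lines modelled on the %PIX-6-302015 (built outbound UDP connection) and %PIX-2-106006 (denied inbound UDP) message formats; the 60-second correlation window, the 203.0.113.10 server address and the 192.0.2.x/198.51.100.x peers are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the post). 203.0.113.10 is the server's mapped
# address; the peers are documentation addresses. The third denial comes from a peer
# we did contact, but five minutes earlier, so the window setting decides its verdict.
SAMPLE_LOG = """\
Mar 18 2010 09:00:00: %PIX-6-302015: Built outbound UDP connection 1001 for outside:192.0.2.50/48010 (192.0.2.50/48010) to inside:10.0.0.5/55001 (203.0.113.10/55001)
Mar 18 2010 09:00:02: %PIX-2-106006: Deny inbound UDP from 192.0.2.50/48010 to 203.0.113.10/48014 on interface outside
Mar 18 2010 09:30:00: %PIX-2-106006: Deny inbound UDP from 198.51.100.9/3456 to 203.0.113.10/48010 on interface outside
Mar 18 2010 10:00:00: %PIX-6-302015: Built outbound UDP connection 1002 for outside:192.0.2.60/48010 (192.0.2.60/48010) to inside:10.0.0.5/55002 (203.0.113.10/55002)
Mar 18 2010 10:05:00: %PIX-2-106006: Deny inbound UDP from 192.0.2.60/48010 to 203.0.113.10/48010 on interface outside
"""

HEADER = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)$")
BUILT_OUT = re.compile(
    r"^Built outbound UDP connection \d+ for outside:([\d.]+)/(\d+) \([^)]*\) "
    r"to inside:[\d.]+/\d+ \(([\d.]+)/(\d+)\)"
)
DENY_UDP = re.compile(r"^Deny inbound UDP from ([\d.]+)/(\d+) to ([\d.]+)/(\d+)")


def parse(text):
    """Split the log into outbound UDP connections we built and inbound UDP denials."""
    outbound, denials = [], []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msgid, body = m.group(2), m.group(3)
        if msgid == "302015" and (b := BUILT_OUT.match(body)):
            outbound.append({"ts": ts, "peer": b.group(1), "peer_port": int(b.group(2)),
                             "our_port": int(b.group(4))})
        elif msgid == "106006" and (d := DENY_UDP.match(body)):
            denials.append({"ts": ts, "src": d.group(1), "sport": int(d.group(2)),
                            "dport": int(d.group(4))})
    return outbound, denials


def classify_denials(text, window_seconds=60):
    """Tag each denial as 'possibly solicited' (peer we contacted within the window) or 'unsolicited'."""
    outbound, denials = parse(text)
    window = timedelta(seconds=window_seconds)
    result = []
    for d in denials:
        # A reply on the same address/port pair as the outbound connection would have
        # matched the firewall's connection entry and been permitted, so a denied
        # packet from a recently contacted peer is a reply aimed at a different local
        # port (the post's whois theory) or a new flow from that peer.
        prior = [o for o in outbound
                 if o["peer"] == d["src"] and timedelta(0) <= d["ts"] - o["ts"] <= window]
        verdict = "possibly solicited" if prior else "unsolicited"
        result.append((d["ts"], d["src"], f"UDP/{d['dport']}", verdict))
    return result


def summarize(text, window_seconds=60):
    """Count verdicts; a log dominated by 'unsolicited' rules out the self-inflicted explanation."""
    counts = {"possibly solicited": 0, "unsolicited": 0}
    for _, _, _, verdict in classify_denials(text, window_seconds):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for ts, src, service, verdict in classify_denials(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {src:>15} {service:<10} {verdict}")
    print(summarize(SAMPLE_LOG))
```

If most denials come back “unsolicited” with the 302015 lines present, the denials are not caused by the server’s own queries and the packet capture outside the firewall is the right next step; if the majority are “possibly solicited”, the capture should focus on what the contacted peers send back.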

For a sample FireGen for Pix Log Analyzer report go to http://www.eventid.net/firegen/sample-2005-08-31-110059-ondemand.html