
An abuser and more on UDP/40810 traffic

March 19, 2010

In yesterday’s post, we mentioned an IP address that generated the most traffic. Today, the “External IP addresses – Top 50 by bandwidth use” report section indicated that the same IP was responsible for 25% of the total web traffic for March 18. For the same day, it initiated 252,128 connections. This means load on both the web server and the firewall. While our hardware is more than capable of handling this type of traffic, this IP address is clearly abusing our resources. Further investigation (the “Severity level 5 (Notification) details” report section) revealed, through the %PIX-5-304001 type of log entries, that this IP is trying to download every page from our website. We have other, proprietary mechanisms to prevent a brute-force site download; however, we decided to block all access for this IP address. So, on our firewall, we have added an ACL entry similar to this:

access-list some_acl_name_here deny tcp host 208.68.224.23 any

The “Warnings and notifications” section displayed a couple of “Bad TCP hdr length…” error messages, all for the external interface. Further investigation indicated that one can expect some messages like this (due to some hosts sending an incorrect TCP header) and as long as they are infrequent, there is no need to worry.

The “Denied connections” section again listed quite a few denials for UDP/40810, and again nothing relevant was found on Google. Most of the connections seem to come from US-based IP addresses. Just to see if we could get more information, we took the host that generated the most connections of this type (144 of them: 68.54.133.93, or c-68-54-133-93.hsd1.nj.comcast.net) and ran an IP Forensics analysis against it. The IP Forensics report indicated that, starting at 03:54:34 EST, this IP attempted to connect to one of our web servers (the same host each time) on both UDP/40810 and TCP/40810. The probes continued until 11:35:30, with roughly 20 connection attempts per hour. Those were the only connections to or from this IP. Just to confirm the pattern, we took the IP address with the second most connections (96.42.231.54 – no reverse DNS, but belonging to Charter Communications – www.charter.com, a US telecom company). The IP Forensics report indicated a very similar pattern: the probes, 85 of them, started at 03:53:16 EST and ended at 07:10:03, and no other type of traffic was recorded. Our guess is that this is some sort of program (perhaps a virus) installed on a PC (the user may be totally unaware) that scans a certain range of IP addresses. If anyone else sees this kind of traffic, we would appreciate a comment to confirm it.

Sample IP Forensics report: http://www.eventid.net/firegen/ipforensics_report.asp
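The two analyses above (top talkers by connection count and the per-IP "forensics" view of first/last seen, ports hit and attempts per hour) can be reproduced from raw PIX syslog with a small script. The following is an added example written for this post; it is not code from the post's author or from the Firegen/eventid.net product. The log lines are constructed to follow the documented %PIX-4-106023 (denied by ACL), %PIX-6-302013 (TCP connection built) and %PIX-5-304001 (URL accessed) message formats, and the IP addresses, interface names and ACL name in them are sample values, not the post's real data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Cisco PIX syslog format (not the post's real logs).
# 106023 = denied by ACL, 302013 = TCP connection built, 304001 = URL accessed.
SAMPLE_LOG = """\
Mar 18 2010 03:54:34: %PIX-4-106023: Deny udp src outside:68.54.133.93/52011 dst inside:10.0.0.5/40810 by access-group "outside_in"
Mar 18 2010 03:54:35: %PIX-4-106023: Deny tcp src outside:68.54.133.93/52012 dst inside:10.0.0.5/40810 by access-group "outside_in"
Mar 18 2010 04:10:01: %PIX-4-106023: Deny udp src outside:96.42.231.54/41000 dst inside:10.0.0.5/40810 by access-group "outside_in"
Mar 18 2010 05:54:34: %PIX-4-106023: Deny udp src outside:68.54.133.93/52013 dst inside:10.0.0.5/40810 by access-group "outside_in"
Mar 18 2010 06:00:00: %PIX-6-302013: Built inbound TCP connection 1001 for outside:208.68.224.23/3001 (208.68.224.23/3001) to inside:10.0.0.5/80 (203.0.113.10/80)
Mar 18 2010 06:00:00: %PIX-5-304001: 208.68.224.23 Accessed URL 10.0.0.5:/index.html
Mar 18 2010 06:00:01: %PIX-6-302013: Built inbound TCP connection 1002 for outside:208.68.224.23/3002 (208.68.224.23/3002) to inside:10.0.0.5/80 (203.0.113.10/80)
Mar 18 2010 06:00:01: %PIX-5-304001: 208.68.224.23 Accessed URL 10.0.0.5:/about.html
Mar 18 2010 06:00:02: %PIX-6-302013: Built inbound TCP connection 1003 for outside:208.68.224.23/3003 (208.68.224.23/3003) to inside:10.0.0.5/80 (203.0.113.10/80)
Mar 18 2010 06:00:02: %PIX-5-304001: 208.68.224.23 Accessed URL 10.0.0.5:/contact.html
Mar 18 2010 06:05:00: %PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/4400 (198.51.100.7/4400) to inside:10.0.0.5/80 (203.0.113.10/80)
Mar 18 2010 06:05:00: %PIX-5-304001: 198.51.100.7 Accessed URL 10.0.0.5:/index.html
Mar 18 2010 07:54:34: %PIX-4-106023: Deny tcp src outside:68.54.133.93/52014 dst inside:10.0.0.5/40810 by access-group "outside_in"
"""

HEADER_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(?P<msg_id>\d{6}): (?P<body>.*)$')
DENY_RE = re.compile(r'^Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
BUILT_RE = re.compile(r'^Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \(\S+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
URL_RE = re.compile(r'^(?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)$')


def parse_pix_log(text):
    """Turn PIX syslog text into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if not h:
            continue
        ts = datetime.strptime(h['ts'], '%b %d %Y %H:%M:%S')
        for kind, rx in (('deny', DENY_RE), ('built', BUILT_RE), ('url', URL_RE)):
            m = rx.match(h['body'])
            if m:
                d = m.groupdict()
                events.append({
                    'ts': ts, 'kind': kind, 'msg_id': h['msg_id'],
                    'src': d['src'], 'dst': d['dst'],
                    'proto': d.get('proto', 'tcp').lower(),       # 304001 lines carry no protocol; web traffic is TCP
                    'dport': int(d['dport']) if 'dport' in d else None,
                    'url': d.get('url'),
                })
                break
    return events


def top_sources(events, kind='built', n=50):
    """Top-N source IPs by number of events of one kind (the 'Top 50' style of report)."""
    return Counter(e['src'] for e in events if e['kind'] == kind).most_common(n)


def denied_port_summary(events, dport):
    """Which sources were denied to a given destination port (the UDP/40810 hunt)."""
    return Counter(e['src'] for e in events if e['kind'] == 'deny' and e['dport'] == dport)


def ip_forensics(events, ip):
    """Everything the log shows about one IP: time window, event kinds, ports hit, rate, URLs."""
    mine = sorted((e for e in events if ip in (e['src'], e['dst'])), key=lambda e: e['ts'])
    if not mine:
        return None
    first, last = mine[0]['ts'], mine[-1]['ts']
    span_h = (last - first).total_seconds() / 3600
    return {
        'ip': ip,
        'total': len(mine),
        'first_seen': first.strftime('%Y-%m-%d %H:%M:%S'),
        'last_seen': last.strftime('%Y-%m-%d %H:%M:%S'),
        'by_kind': Counter(e['kind'] for e in mine),
        'ports': {(e['proto'], e['dport']) for e in mine if e['dport'] is not None},
        'per_hour': round(len(mine) / span_h, 2) if span_h > 0 else float(len(mine)),
        'urls': [e['url'] for e in mine if e['kind'] == 'url'],
    }


def deny_acl_entry(acl_name, ip):
    """ACL line in the PIX/ASA syntax the post uses to block one abusive host."""
    return f'access-list {acl_name} deny tcp host {ip} any'


if __name__ == '__main__':
    evs = parse_pix_log(SAMPLE_LOG)
    print('Top sources by built connections:', top_sources(evs))
    print('Denied to port 40810:', denied_port_summary(evs, 40810))
    worst = denied_port_summary(evs, 40810).most_common(1)[0][0]
    print('IP forensics for', worst, ip_forensics(evs, worst))
    print(deny_acl_entry('outside_in', top_sources(evs)[0][0]))
```

On the constructed input the forensics view for 68.54.133.93 shows the same shape the post describes for the real host: only denied events, both UDP and TCP to port 40810, nothing else to or from that address, and a steady rate over the window. The per-hour figure divides the event count by the first-to-last span, so a single event reports its own count rather than dividing by zero.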
