Scan traffic from 121.8.0.0/16

Anyone seeing anything similar - trying to determine if this is spoofed etc...

Probably not spoofed, I see a lot of scanning from China.

route: 121.8.0.0/13
descr: From Guangdong Network of ChinaTelecom
origin: AS4134
mnt-by: MAINT-CHINANET
changed: dingsy@cndata.com 20060707
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

-Patrick

Rich Sena wrote:

Anyone seeing anything similar - trying to determine if this is spoofed etc...

Why would you think it is a problem? It's China Telecom. What else would you expect?

Off the sarcastic and onto the serious, I am seeing hits on 53/UDP and 25/TCP from a couple of hosts in that netblock.

Jon K.

Rich Sena wrote:

Anyone seeing anything similar - trying to determine if this is spoofed etc...

I haven't picked up any SSH or telnet scans from that network. That's what I'm looking for at the moment. The amount of scans we're getting are quite impressive at times. I wish there was an easy way to automate the care and feeding of my RTBH with this data (and some sanity checks).

Justin

Have you queried the DShield database for the hosts you are seeing?

http://www.dshield.org/ipinfo.html?ip= add the IP after the =

Yeah, much of it is noise. However there is a lot of coordination to much of what I'm seeing. Many of the scans stop at hosts with accessible SSH daemons and pound on them for minutes to hours. Others are more subtle. I'll see one host scan our ranges and pick out the IPs running SSH. Then, a short time later, those specific hosts are directly targeted from a different compromised host, implying that there is communication on the back-end about IPs w/ SSH daemons. I tested the theory by disabling SSH on a few of the hosts picked up in earlier mass scans. The targeted attacks are still aimed at those hosts learned in the earlier scan even though their SSH daemons were effectively offline. Some scans are so slow they're barely noticeable (as was reported on the SANS ISC site recently).

Even though much of this is simply noise and typical life on the Internet, I have to wonder how much of this noise is actual reconnaissance against SPs and their customers. A certain large SE Asian country's military is widely reported to be performing recon and attacks against IP resources around the globe. How much of what people believe is noise is actually malicious traffic or a prelude to some future event?

Frankly the scans on my network have been significantly reduced by being a little more proactive with my monitoring. I've found that networks generating SSH scans are also being used for telnet, MS-SQL and SMTP scans. Unfortunately the processes I'm utilizing are very labor intensive and I can't keep doing this forever. I would love to find a tool that could help me automate some of this process and hopefully react faster than I can.

While typing this 69.13.181.99 just scanned one of our /19s. The flood of packets was so fast I wouldn't have been able to null route it even if I'd been actively watching the flows. The only way I could have slowed it down would have been to rate-limit SYNs. That leads to a good question for NANOG at large which I'll post separately.

Justin
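The scan-then-target pattern Justin describes (one host sweeps a range on 22/TCP, a different host later hammers only the hosts that sweep found) and his wish to feed an RTBH from that data with some sanity checks, as an added example that is not part of this thread: a small correlation over constructed flow records (timestamp, src, dst, dst port). The LOCAL prefix, the thresholds and the sample addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (t_seconds, src, dst, dst_port); not real traffic.
FLOWS = [
    (0, "203.0.113.5", "198.51.100.10", 22), (1, "203.0.113.5", "198.51.100.11", 22),
    (2, "203.0.113.5", "198.51.100.12", 22), (3, "203.0.113.5", "198.51.100.13", 22),
    (4, "203.0.113.5", "198.51.100.14", 22),
    # A different host later pounds only two of the hosts the sweep found.
    *[(600 + i, "203.0.113.77", "198.51.100.12", 22) for i in range(20)],
    *[(700 + i, "203.0.113.77", "198.51.100.14", 22) for i in range(20)],
    # Unrelated single probe of a host no scanner touched: must not trigger.
    (800, "192.0.2.9", "198.51.100.50", 22),
]
LOCAL = [ip_network("198.51.100.0/24")]  # assumed: our own address space

def find_scanners(flows, port=22, min_targets=5):
    """Sources that touched >= min_targets distinct hosts on `port` (mass sweep).
    Returns {src: {dst: first_seen_t}} so follow-ups can be ordered in time."""
    seen = defaultdict(dict)
    for t, src, dst, p in sorted(flows):
        if p == port:
            seen[src].setdefault(dst, t)
    return {s: d for s, d in seen.items() if len(d) >= min_targets}

def find_followups(flows, scanners, port=22, min_hits=10):
    """Other sources that, after a sweep, repeatedly hit hosts that sweep learned."""
    learned = {}
    for dsts in scanners.values():
        for dst, t in dsts.items():
            learned[dst] = min(t, learned.get(dst, t))
    hits = defaultdict(int)
    for t, src, dst, p in flows:
        if p == port and src not in scanners and dst in learned and t > learned[dst]:
            hits[src] += 1
    return {s: n for s, n in hits.items() if n >= min_hits}

def rtbh_candidates(flows):
    """Sources worth a blackhole route, after basic sanity checks."""
    scanners = find_scanners(flows)
    suspects = set(scanners) | set(find_followups(flows, scanners))
    def sane(s):  # never blackhole our own space, multicast or loopback
        a = ip_address(s)
        return not (a.is_multicast or a.is_loopback or any(a in n for n in LOCAL))
    return sorted(s for s in suspects if sane(s))

if __name__ == "__main__":
    print(rtbh_candidates(FLOWS))  # ['203.0.113.5', '203.0.113.77']
```

Thresholds (five distinct targets, ten repeat hits) are deliberately conservative; a real feed would also want an expiry on the learned-host table and a whitelist beyond LOCAL.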

Martin Hannigan wrote: