Port scan "spikes" and other activity...


#1 AplusWebMaster
Posted 23 February 2013 - 05:19 AM


Port scan "spikes" and other interesting "activity"

Attack Traffic Overview
- http://www.akamai.co...y/dataviz1.html
Feb 24, 2013 - 07:43AM est
89.38% above normal

- http://www.akamai.co...ethodology.html
"Attack Traffic: Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours. Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."

- https://isc.sans.edu...l?storyid=15253
Last Updated: 2013-02-22 - "... a few days ago, we had a notable spike of port scans from Iran in our DShield database. Iran is "spiking" at times, in part because we figure only a relative number of actors are scanning from Iran. So let's see what was going on. First, a plot of the activity from Iran for February:
> https://isc.sans.edu... 2_58_37 PM.png
... the top 6 ports have almost the same number of "hits", and they are well known server ports. 179 (BGP) is in particular interesting as it is not scanned a lot and more of an "infrastructure" port. But one could expect routers to respond on 23, 22 and 80 as well. 21 and 53? Not exactly router ports. One host that sticks out for port 179 scans that day (port 179 is easier to investigate as there are less scans for this port than the others), is . Scans originating from this particular host confirm the original picture..."

The Comment Group – Long Term Cyber Espionage...
- http://blog.shadowse...-clarification/
Feb 22, 2013 - "A cyber espionage threat group, frequently known as the Comment Group, has recently received a good bit of extra attention in the last few days... large number of domain names, IP addresses (both command & control and administrative ranges), a very large list of their trojan families (with MD5 hashes to boot), a bit of attribution aimed at outing the group as part of a particular unit within China’s People’s Liberation Army (PLA), and some of the group’s general tactics, techniques and procedures (TTPs)...
Dynamic DNS: Non-hostile Domains but Dangerous Sub-domains... ISPs have begun contacting some of the owners of IP blocks that Comment Group command and control has been occurring from telling them that they have put 72-hour blocks to the address in place. It remains to be seen how effective those steps may be..."

(More detail at both URLs shown above.)

Edited by AplusWebMaster, 24 February 2013 - 07:01 AM.

.The machine has no brain.
 ......... Use your own.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

Member of UNITE
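The ISC item above looks at per-port scan counts over time and picks out a port (179) whose hits stand out, then the source that dominates it. As an added example, not from the forum post, ISC or Akamai, this Python script does the same DShield-style summarisation over constructed iptables-style drop lines (the log format, hostnames and RFC 5737 addresses are all made up) and flags ports whose daily hit count spikes against the other days, reporting the top source for each spiking port.

```python
"""Added example (not from the post, ISC or Akamai): DShield-style summary of
firewall drop lines into per-day, per-port hit counts, then flag port spikes."""
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed iptables-style records (day, source, dst port); RFC 5737 addresses.
_RECORDS = [
    ("Feb 20", "203.0.113.5", 23), ("Feb 20", "203.0.113.6", 23),
    ("Feb 20", "203.0.113.7", 179), ("Feb 20", "203.0.113.8", 80),
    ("Feb 21", "203.0.113.5", 23), ("Feb 21", "203.0.113.9", 23),
    ("Feb 21", "203.0.113.8", 80),
    ("Feb 22", "203.0.113.5", 23), ("Feb 22", "203.0.113.6", 23),
    ("Feb 22", "203.0.113.8", 80), ("Feb 22", "203.0.113.10", 179),
    ("Feb 22", "203.0.113.9", 179), ("Feb 22", "203.0.113.9", 179),
    ("Feb 22", "203.0.113.9", 179),
]
SAMPLE_LOG = [f"{d} 01:00:00 fw kernel: DROP IN=eth0 SRC={s} DST=198.51.100.2 "
              f"PROTO=TCP SPT=40000 DPT={p}" for d, s, p in _RECORDS]

LINE_RE = re.compile(r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")

def daily_port_hits(lines):
    """Return ({day: Counter(dport -> hits)}, {day: {dport: Counter(src -> hits)}})."""
    hits = defaultdict(Counter)
    sources = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:  # not a drop record; ignore
            continue
        day, src, dport = m["day"], m["src"], int(m["dport"])
        hits[day][dport] += 1
        sources[day][dport][src] += 1
    return hits, sources

def port_spikes(hits, sources, day, ratio=3.0, min_hits=3):
    """Ports whose hits on `day` exceed `ratio` x the mean over the other days
    (and at least `min_hits`). Returns {dport: (hits, baseline, top_source)}."""
    others = [d for d in hits if d != day]
    out = {}
    for dport, today in hits[day].items():
        baseline = mean(hits[d][dport] for d in others) if others else 0.0
        if today >= min_hits and today > ratio * baseline:
            out[dport] = (today, baseline, sources[day][dport].most_common(1)[0][0])
    return out

if __name__ == "__main__":
    h, s = daily_port_hits(SAMPLE_LOG)
    for port, (n, base, src) in port_spikes(h, s, "Feb 22").items():
        print(f"port {port}: {n} hits vs {base:.1f}/day baseline; top source {src}")
```

With the constructed data only port 179 is flagged on Feb 22 (4 hits against a 0.5/day baseline), and the dominant source is reported the way ISC singled out one host; the `min_hits` floor keeps a single hit on an otherwise quiet port from counting as a spike.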