[127404] in North American Network Operators' Group
Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
daemon@ATHENA.MIT.EDU (khatfield@socllc.net)
Sun Jun 27 17:23:06 2010
Date: Sun, 27 Jun 2010 17:22:51 -0400 (EDT)
From: khatfield@socllc.net
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Folks,

We have a strange situation occurring lately where we are getting some reports of TCP sweeps from one of our IPs, yet the IP is one of many specifically configured for inbound traffic and does not emit outbound traffic except in response. Specifically, these are DDoS mitigation IPs, so they are attacked fairly frequently. With this in mind, the last few days one of the IPs being reported has been under constant attack.

Here is an example report we received from AT&T:

04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01)
------------------------
Report from DK*CERT:
If nothing else mentioned below, timezone is believed to be UTC+0200 (CEST)
Destination address(es): Addresses in the networks 130.225.16.0/22 and 130.225.2.128/25

Security logs:
#Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010
#Scan from x.x.x.x affecting at least
# 81 addresses targeting TCP:1024, TCP:3072.
#
------------------------

I have removed our IP and replaced it with x.x.x.x. To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT-type configuration where traffic is sent back to filtering clusters. No outbound traffic is configured on these IPs except where requests / responses flow through it.

I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000 PPS on this IP (inbound). Is it simply likely that the networks reporting have several IPs being used in the attack and that is what they are seeing? That's what we originally thought, but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic.

Any ideas why this would be showing as a sweep? Our IDS systems do not scan the originating systems of requesting IPs. Any help is appreciated; we're simply trying to get to the bottom of the reports.

Kevin
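Added example, not part of Kevin's post or of any reporting party's tooling: a Python parser for the AT&T TCP-SWEEP lines quoted above, plus the correlation check a defender would run against the inbound PCAPs to test one hypothesis, namely that the "sweep" is x.x.x.x answering forged-source SYNs, in which case the reported destination hosts and ports 1024/3072 should reappear as source addresses and source ports of the inbound flood. The inbound records are constructed, and the year 2010 is assumed from the mail date.

```python
import re
import ipaddress
from datetime import datetime

# Constructed copy of two of the AT&T report lines quoted in the post (x.x.x.x kept as written).
REPORT = """\
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
"""
# Constructed inbound records (src,sport,flags) of the kind one would export from the PCAPs
# the security team reviewed: three forged-source SYNs aimed at x.x.x.x, then ordinary traffic.
INBOUND = """\
212.1.187.40,1024,S
212.1.190.2,1024,S
212.1.188.200,3072,S
198.51.100.9,51234,S
"""

LINE = re.compile(
    r"^\d\d:\d\d:\d\d (?P<src>\S+) \S+ \[TCP-SWEEP\] \(total=(?P<total>\d+),dp=(?P<dport>\d+),"
    r"min=(?P<a>[\d.]+),max=(?P<b>[\d.]+),(?P<start>[^,]+),(?P<end>[^)]+)\) \((?P<sensor>\S+)\)$"
)

def parse_report(text):
    """One dict per TCP-SWEEP line; separators and other non-matching lines are skipped."""
    ts = lambda s: datetime.strptime(s, "%b%d-%H:%M:%S").replace(year=2010)  # assumed year
    sweeps = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        a, b = ipaddress.ip_address(m["a"]), ipaddress.ip_address(m["b"])
        sweeps.append({
            "src": m["src"], "dport": int(m["dport"]), "hosts": int(m["total"]), "sensor": m["sensor"],
            # min/max are not numerically ordered in the report (the second line has min > max),
            # so treat them as first/last seen and derive the real address bounds here
            "lo": min(a, b), "hi": max(a, b),
            "seconds": int((ts(m["end"]) - ts(m["start"])).total_seconds()),
        })
    return sweeps

def backscatter_matches(sweeps, inbound):
    """Per reported sweep, count inbound SYNs whose (forged) source address lies in the reported
    address span and whose source port equals the reported destination port. The SYN-ACK or RST
    that x.x.x.x returns to such a packet is what a remote IDS logs as 'x.x.x.x -> 212.1.x.y:1024'."""
    syns = [(ipaddress.ip_address(s), int(p))
            for s, p, f in (l.split(",") for l in inbound.splitlines() if l) if f == "S"]
    return [sum(1 for ip, sport in syns if sport == sw["dport"] and sw["lo"] <= ip <= sw["hi"])
            for sw in sweeps]
```

A count close to the report's `total` for each line, taken from the real PCAPs, would point at reply backscatter rather than any scan originating on the host.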