[Dshield] Port 3771 -- RTP Paging Protocol

Jon R. Kibler Jon.Kibler at aset.com
Sat Feb 18 22:05:58 GMT 2006


Hello,

Looking at yesterday's in-house summary of traffic blocked at our border router, a new port jumped to the #3 position on the list. We had several hundred probes to this port yesterday (all of which were submitted to DShield, but <20% of which appeared in our daily dshield report) and the whacking continues today. Checking back in our logs a few weeks, we see where this has been going on for several weeks, but prior to yesterday, it was lost in the noise because the hits were so rare.

Interestingly, yesterday most hits were to a single IP -- a static IP that we have had allocated for many years, but which has never been used. About 80% of all probes originated from a single IP (see below). Today, the probes are originating from a wider variety of sources.

To try to figure out what was going on, we set up a sandbox and did a static NAT from the probed IP+port to that box. On the sandbox, we set up a nc listener and started an ethereal capture too.

From what we are seeing, this appears to be something related to P2P networks. At least, that is my best guess. For example, most of the output captured is either 0 length, or 90 to 94 bytes in length. Running 'strings' against the file shows text strings such as:
	zbercaaat
	mldonkey
	K2800
	saugi
	kkclul
Since mldonkey is a P2P system, I am presuming the rest are too.

If you would like to take a look at what we have captured in our sandbox over about a 2 hour period of time today, I have put a tarball at: http://www.aset.com/aset/tcp3771.0-12.tar.gz  I will leave it up for about a week.

Meanwhile, anyone have any ideas on why the sudden burst of activity and how they determine what IPs to target?

Thanks in advance for your feedback!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214


Yesterday's hits:
  Count  Percent IP
    351  78.88%  83.50.134.3
     12   2.70%  82.82.174.237
     10   2.25%  80.140.166.187
      8   1.80%  82.212.35.212
      7   1.57%  84.174.142.141
      7   1.57%  217.115.141.56
      5   1.12%  84.174.148.77
      5   1.12%  84.173.240.91
      5   1.12%  84.173.214.61
      5   1.12%  84.173.212.241
      4   0.90%  84.173.218.91
      4   0.90%  82.83.60.182
      4   0.90%  69.60.109.63
      3   0.67%  84.162.118.170
      2   0.45%  84.58.219.187
      2   0.45%  66.227.102.108
      1   0.22%  84.173.202.13
      1   0.22%  84.166.173.97
      1   0.22%  82.83.102.34
      1   0.22%  69.60.97.125
      1   0.22%  4.78.220.192
      1   0.22%  220.116.49.50
      1   0.22%  216.39.127.97
      1   0.22%  209.104.200.207
      1   0.22%  209.104.200.199
      1   0.22%  209.104.200.177
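The triage Jon describes (tally payload sizes, then run 'strings' over the capture) is easy to script so it can be repeated on each day's capture. The following is an added example, not code from the post or from DShield; it implements a minimal strings(1)-style extractor and a length tally in Python and runs them over constructed sample payloads (the byte strings below are made up to mimic the 0-byte and 90-94-byte messages the post mentions, not real captured traffic).

```python
# Added example (not part of the original post): a small strings(1)-style
# extractor plus payload-length tally for triaging an unknown-port capture.
import re
from collections import Counter

# Constructed sample payloads standing in for what a nc listener on the
# NATed port might receive. These are made up for the example, not real data.
SAMPLE_PAYLOADS = [
    b"",                                                   # 0 bytes
    b"\x00\x12" + b"zbercaaat" + b"\x00" * 79,             # 90 bytes
    b"\xe3\x01" + b"mldonkey" + b"\x00\x01" + b"\xff" * 82, # 94 bytes
    b"\x00" * 5 + b"K2800" + b"\x02" * 82,                 # 92 bytes
    b"",                                                   # 0 bytes
    b"saugi\x00kkclul" + b"\x00" * 79,                     # 91 bytes
]


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes (0x20-0x7e),
    the same rule strings(1) applies by default for 7-bit ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def length_histogram(payloads):
    """Count how many payloads were seen at each exact byte length."""
    return Counter(len(p) for p in payloads)


def length_buckets(payloads):
    """Coarser view: empty, the 90-94 byte band noted in the post, or other."""
    buckets = Counter()
    for p in payloads:
        n = len(p)
        if n == 0:
            buckets["empty"] += 1
        elif 90 <= n <= 94:
            buckets["90-94"] += 1
        else:
            buckets["other"] += 1
    return buckets


def string_tally(payloads, min_len=4):
    """Count every printable string across all payloads, most common first."""
    tally = Counter()
    for p in payloads:
        tally.update(extract_strings(p, min_len))
    return tally


def summarize(payloads):
    """Bundle the three views so one call gives the whole triage picture."""
    return {
        "lengths": length_histogram(payloads),
        "buckets": length_buckets(payloads),
        "strings": string_tally(payloads),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_PAYLOADS)
    print("payload lengths:", dict(sorted(summary["lengths"].items())))
    print("length buckets :", dict(summary["buckets"]))
    for s, n in summary["strings"].most_common():
        print(f"{n:5d}  {s}")
```

To use it on a real capture, read each received message into a bytes object (for example one file per nc session) and pass the list to summarize(); a recurring marker such as a client name in the strings tally is the first thing to look up before assuming the traffic is hostile.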