[Dshield] unusual port 25 traffic

Robert Ungemach Robert.Ungemach at Ctxmort.com
Wed Jan 25 21:08:43 GMT 2006


 Has anyone seen anything like this one.

We are receiving large bursts of port 25 traffic to our smtp gateway
server.  The source servers are 85.197.143.118, host-navab6-21.navab.net
(80.84.35.21, host-navab6-242.navab.net (80.84.35.242), and
xDSL-43-171.citynetnassjo.se (80.84.43.171).

The connect on port 25 and burst a send/receive.  Between 7-12 gig of
data in both directions.  The last record of throughput is about 35mbps
in both directions. (errors are recorded on both the inside and outside
interfaces.) This burst maxes out our border router CPU, a Cisco 2821,
to the point were the router becomes unresponsive and we loose internet
connectivity. This generate a high volume of input errors and ignored
packets on the interface.  We removed BGP in an attempt to keep us up in
the internet.  We have checked everything under the hood and had the
configs on all equipment double-checked.

We have a TAC case open, but cannot find an issue with the hardware, we
have replaced it just in case.  

Our IPS doesn't report anything associated with these addresses.  We
have searched our smtp logs and cannot find an entry showing we received
email from the source IP addresses. 

Yet another interesting point, the traffic between these host is fairly
close in both directions, which is not typical for our inbound smtp.
Usually it is mostly a one-sided conversation.  If we receive 12.0 GB of
data we transmit back 11.75GB of data.  This is recorded via netflows.

We have scanned the boxes with AV, scanned with Nessus, we can seem to
find them compromised.

Sniffer has been set up and we are waiting for another burst.  We cannot
find a pattern to the traffic.  We can go a couple of days/hours/minutes
before another burst.

Any thoughts greatly appreciated.
 
Robert Ungemach
Sr. Network Engineer
CTX Mortgage Company, LLC
214.758.7741 - Office

Communications Group -



More information about the list mailing list