[Dshield] Odd P2P traffic patterns

Andrew Blair Andrew.Blair at genmills.com
Fri Feb 2 18:35:58 GMT 2007

We block all known P2P traffic at our IPS devices, both inbound and
outbound. Recently, we've seen an increase in inbound Gnutella traffic
directed at a handful of IP addresses. In some cases there is no PC at
that IP address, sometimes there is.  We've carefully checked the PCs at
the IP addresses and have found no P2P software or rootkits, and
re-imaged one PC that was having some additional issues. 

Since we block both inbound and outbound traffic, it isn't getting
through, but what is perplexing is why those IP addresses would be
targeted in the first place when no Gnutella traffic has left our
network from those IP addresses.

There are many IP addresses (~1000 today) each sending 1-5 events to (7
today) internal IP addresses for a total of about 2300 events. A couple
of addresses are receiving by far the brunt of the traffic, but the
favorite target has rotated day to day. The winning address today has no
PC at that address and has about 1500 events targeting it.

Has anyone else seen unsolicited P2P activity or have any insight on
what is going on? IPS false positive? Some sort of malware using P2P for
scanning/spreading? This started about 10 days ago.

ISS Proventia detects events as: 
TCP_Probe_Gnutella, dest port TCP 6346, varying source port.

Andy Blair

More information about the list mailing list