[Dshield] Options to research a destination IP?

K K kkadow at gmail.com
Tue May 6 03:01:07 GMT 2008


When you see "unusual" outbound network traffic, what resources do you
use to research the *destination* of that traffic?


For example, I'm looking at what sort of non-SSL/TLS traffic shows up
on TCP port 443, and I see one host making thousands of attempts to
have a conversation with a single specific IP address in China.

The destination IP address doesn't resolve, doesn't appear in a Google
or Dogpile search, and doesn't have any events in DSHIELD.  Where do I
look next?

I'm guessing this destination is C&C or "phone home" for a trojan, but
cannot confirm, the source workstation is in a remote office, nobody
is there to answer my questions today.


The client wants to talk to the server on TCP/443, but the service on
that port is not SSL, and when my device intercepts the TCP connection
from the client, the packet the client sends is strange, apparently
cleartext, but every other byte is NULL.

I'd send a sample, but there is embedded identifying information in
the packet which I cannot post to a public mailing list.


My primary question is less about this specific oddity, but rather
about any resources I should consult next time I see malformed
outbound traffic.  Are any of the various commercial services
particularly good at identifying "evil" destinations?


Thanks,

Kevin


More information about the list mailing list