[Dshield] Options to research a destination IP?

Maxim Weinstein mweinstein at cyber.law.harvard.edu
Tue May 6 12:48:48 GMT 2008


The ASN lookup at https://asn.cymru.com/ may at least give you some 
information about whose network the IP is on.

=Max=

K K wrote:
> When you see "unusual" outbound network traffic, what resources do you
> use to research the *destination* of that traffic?
>
>
> For example, I'm looking at what sort of non-SSL/TLS traffic shows up
> on TCP port 443, and I see one host making thousands of attempts to
> have a conversation with a single specific IP address in China.
>
> The destination IP address doesn't resolve, doesn't appear in a Google
> or Dogpile search, and doesn't have any events in DSHIELD.  Where do I
> look next?
>
> I'm guessing this destination is C&C or "phone home" for a trojan, but
> cannot confirm, the source workstation is in a remote office, nobody
> is there to answer my questions today.
>
>
> The client wants to talk to the server on TCP/443, but the service on
> that port is not SSL, and when my device intercepts the TCP connection
> from the client, the packet the client sends is strange, apparently
> cleartext, but every other byte is NULL.
>
> I'd send a sample, but there is embedded identifying information in
> the packet which I cannot post to a public mailing list.
>
>
> My primary question is less about this specific oddity, but rather
> about any resources I should consult next time I see malformed
> outbound traffic.  Are any of the various commercial services
> particularly good at identifying "evil" destinations?
>
>
> Thanks,
>
> Kevin
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up north if you can be in New Orleans.  http://www.sans.org/info/15826
>   


More information about the list mailing list