[unisog] anyone else seeing lots of popup spam/malware? re skype

Peter Van Epp vanepp at sfu.ca
Thu Oct 27 16:55:21 GMT 2005

	Yep, our supernode (they do seem to be able to limit themselves to 
one per site) does some 250,000 distinct host/port pairs in 24 hours along
with about 1.5 gigs of traffic on the charged commodity link. Our Packeteer
on that link is classifying and in theory limiting to 8 64K partitions but 
that still doesn't appear to be discouraging super node election. The 1.5 gigs
per day is pretty constant too (I had a supernode where the owner was out of
town for two weeks and it continued to do 1.5 gigs per day to 250K hosts with
no one using the machine) before the packeteer started limiting the traffic. 
While this works well for skype I do wonder why we are subsidizing their 
bandwidth (in a lot of cases probably because the people don't know they are 
subsidizing the bandwidth because they don't have argus)...

Our hosts scanning:

    142.58.xxx.x            218,452            201,165  
   142.58.xx.xxx             18,760             13,546
   142.58.yy.yyy             15,803              8,582
    142.58.xx.zz             15,784              8,793

	The first number is connect attempts, the second successful connections
which is usually how to tell skype from p2p, #1 is the skype supernode (also
looking for traffic to port 33033 will also tell you that) the other 3 are 
wireless p2p users (with about a %50 success rate). None of those are 
interesting only our hosts scanning without getting a lot of replys (which may
indicate a compromise) are interesting and given the netbios ports are blocked
and logged internally elsewhere this usually stays uninteresting although not
	The traffic level isn't all that high though (and some of this will be
other than skype traffic and there is more on the CA*net4 link but that doesn't
attract traffic charges which this does) after the Packeteer finishes with it
although I would have thought it would have decided we are an uninteresting 
supernode due to not enough bandwith available.

Fri.com_argus.all.hosts:142.58..xxx.x          276,790,376 Tot       146,773,083 Out 130,017,293 In
Mon.com_argus.all.hosts:142.58..xxx.x          942,535,106 Tot       497,952,296 Out       444,582,810 In
Sat.com_argus.all.hosts:142.58..xxx.x          399,256,219 Tot       214,555,502 Out       184,700,717 In
Sun.com_argus.all.hosts:142.58..xxx.x          860,002,992 Tot       460,702,335 Out       399,300,657 In
Thu.com_argus.all.hosts:142.58..xxx.x          569,947,040 Tot       300,907,988 Out       269,039,052 In
Tue.com_argus.all.hosts:142.58..xxx.x          978,449,914 Tot       494,312,816 Out       484,137,098 In
Wed.com_argus.all.hosts:142.58..xxx.x        1,019,336,645 Tot       532,926,779 Out       486,409,866 In

	Of course if we manage to get a couple of supernodes (in different 
address spaces assuming they recognize our B as one site) that may be a 
different story but so far they seem to be limiting themselves to one supernode
for the entire site which isn't a huge concern.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Thu, Oct 27, 2005 at 11:49:32AM -0400, Gary Flynn wrote:
> Peter Van Epp wrote:
> > 	Turns out I was as usual incorrect. There are both a DNS request and
> > some skype traffic 
> Speaking of Skype, I recently received security alerts about
> a desktop. Turns out it configured itself as a Skype supernode.
> In a 30 minute period, it was contacted by over 10,000
> computers in 32 different countries.
> -- 
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list