What has Iran been up to lately?

Published: 2013-02-22. Last Updated: 2013-02-22 20:28:35 UTC
by Johannes Ullrich (Version: 1)

Going over some data earlier today, I noted that a few days ago we had a notable spike of port scans from Iran in our DShield database. Iran "spikes" at times, in part because we figure only a relatively small number of actors are scanning from Iran. So let's see what was going on. First, a plot of the activity from Iran for February:

port scans from Iran over February 2013

Click on the image for the full size. This data is fairly "rough" as it just counts the number of dropped packets. This could be one host sending the same packet over and over to the same target (about 2-3 million times on the peak days).

Let's look at the ports affected next. Below you will see the data for February 16th:

 

+------+--------+
| port | count  |
+------+--------+
|   21 | 466735 |
|   53 | 465751 |
|   23 | 458511 |
|   22 | 457712 |
|   80 | 455077 |
|  179 | 453416 |
| 3389 |   5750 |
|  445 |   4926 |
| 4614 |   4721 |
| 5900 |    356 |
+------+--------+

This is getting a bit more interesting. The top 6 ports have almost the same number of "hits", and they are all well-known server ports. 179 (BGP) is particularly interesting, as it is not scanned a lot and is more of an "infrastructure" port. One could expect routers to respond on 23, 22 and 80 as well, but 21 and 53? Not exactly router ports.

One host that sticks out for port 179 scans that day (port 179 is easier to investigate as there are fewer scans for this port than for the others) is 213.217.37.102.

Scans originating from this particular host confirm the original picture:

 

+------------+---------+---------+
| targetport | reports | targets |
+------------+---------+---------+
|         21 |  386903 |     368 |
|         22 |  379809 |     363 |
|         23 |  380493 |     365 |
|         53 |  387051 |     365 |
|         80 |  374014 |     360 |
|        179 |  378105 |     366 |
+------------+---------+---------+

Interesting that the number of reported targets is rather small: each target IP receives about 1,000 packets. But not all submitters report distinct target IPs; some include a "dummy target IP" instead.
 
Sadly, we don't have any reports about the nature of the activity. Our ssh honeypot database is empty for this IP (and the /16 that goes with it). So if you have an ssh honeypot... check it ;-) and let us know what you find.
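To make the two tables above reproducible, here is an added example (my own code, not ISC or DShield code) that aggregates firewall-log records the same way: packets per target port for a day, then reports and distinct targets per port for one source, with placeholder "dummy target IPs" excluded from the distinct-target count. It also includes the pivot from a thinly scanned port to the sources behind it, a check for the "almost the same number of hits across the server ports" pattern, and a helper to pull sources from a given network (such as the /16 mentioned above) out of a honeypot log. The record layout and all sample data are constructed for this example; real DShield submissions use a different format.

```python
"""Rebuild the diary's two tables from raw firewall-log records.

Added example, not ISC or DShield code. The record layout is a constructed,
simplified one: "YYYY-MM-DD src_ip src_port dst_ip dst_port proto".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed assumption: some submitters replace the real target with a
# placeholder (the diary's "dummy target IP"); 0.0.0.0 is treated that way here.
DUMMY_TARGETS = {"0.0.0.0"}
# The six well-known server ports from the February 16 table.
SERVER_PORTS = (21, 22, 23, 53, 80, 179)


@dataclass(frozen=True)
class Record:
    day: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def build_sample_log():
    """Constructed sample log: one source sweeps all six server ports on five
    real targets plus one dummy target, repeating each packet three times;
    a second source probes only 3389 on two targets."""
    lines = []
    targets = ["198.51.100.%d" % i for i in range(1, 6)] + ["0.0.0.0"]
    for dst in targets:
        for port in SERVER_PORTS:
            for rep in range(3):
                lines.append("2013-02-16 203.0.113.10 %d %s %d tcp"
                             % (40000 + rep, dst, port))
    for dst in ("198.51.100.1", "198.51.100.2"):
        lines.append("2013-02-16 203.0.113.20 51000 %s 3389 tcp" % dst)
    return lines


def parse_log(lines):
    """Parse records; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        day, src, sport, dst, dport, proto = parts
        try:
            records.append(Record(day, src, int(sport), dst, int(dport), proto))
        except ValueError:
            continue
    return records


def hits_per_port(records, day=None):
    """First table: dropped packets per target port, optionally for one day."""
    return Counter(r.dport for r in records if day is None or r.day == day)


def top_sources_for_port(records, port, n=5):
    """Pivot from a thinly scanned port (the diary's 179) to the hosts behind it."""
    return Counter(r.src for r in records if r.dport == port).most_common(n)


def source_profile(records, src):
    """Second table: per target port, (reports, distinct real targets) for one
    source. Dummy targets count as reports but not as distinct targets."""
    reports = Counter()
    targets = defaultdict(set)
    for r in records:
        if r.src != src:
            continue
        reports[r.dport] += 1
        if r.dst not in DUMMY_TARGETS:
            targets[r.dport].add(r.dst)
    return {port: (reports[port], len(targets[port])) for port in reports}


def flat_sweep(port_counts, ports=SERVER_PORTS, tolerance=0.05):
    """True when every listed port's count lies within `tolerance` of their
    mean: the 'almost the same number of hits' signature of a full sweep."""
    counts = [port_counts.get(p, 0) for p in ports]
    if not counts or min(counts) == 0:
        return False
    mean = sum(counts) / len(counts)
    return all(abs(c - mean) <= tolerance * mean for c in counts)


def sources_in_network(records, cidr):
    """Sources inside a network, e.g. to check a honeypot log for the /16
    around a host of interest."""
    net = ipaddress.ip_network(cidr)
    return sorted({r.src for r in records if ipaddress.ip_address(r.src) in net})


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    by_port = hits_per_port(recs, "2013-02-16")
    for port, count in by_port.most_common():
        print("%5d %6d" % (port, count))
    print("flat sweep over server ports:", flat_sweep(by_port))
    src = top_sources_for_port(recs, 179)[0][0]
    for port, (reports, targets) in sorted(source_profile(recs, src).items()):
        print("%5d %6d %4d" % (port, reports, targets))
    print("sources in 203.0.113.0/24:", sources_in_network(recs, "203.0.113.0/24"))
```

On the constructed data the sweeping source shows 18 reports but only 5 distinct targets on every server port, which is the same effect the second table shows (repeated packets plus dummy targets inflate reports without inflating targets). Run `sources_in_network` over your own honeypot records with the relevant /16 to answer the question above.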
 
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: iran

Comments

Interesting that port 179 (BGP) is on the list (though at #6), but perhaps the Iranians want to disrupt and/or corrupt BGP tables in routers or other devices, creating a mess on the internet?

Hmmmm
That reminds me of HFT methods. Does anybody correlate port attacks with HFT 'attacks'? http://www.nanex.net/aqck/aqckIndex.html
Attack Traffic Overview
- http://www.akamai.com/html/technology/dataviz1.html
Feb 24, 2013 - 07:43AM est
89.38% above normal...
.
Makes me wonder if someone is trying to cause problems for Juniper routers....

http://junosgeek.blogspot.com/2013/02/junos-out-of-cycle-security-bulletin.html
