Traffic increase for port UDP/8247
Last Updated: 2009-01-21 15:18:12 UTC
by Raul Siles (Version: 3)
We got reports of a significant traffic increase associated to port UDP/8247 starting yesterday. Thanks to Ian and John for the early warning.The peak can be seen in our Dshield graphs too. It seems to be related with CNN's streaming service broadcasting the Obama events mentioned in yesterday's ISC diary. Based on multiple reports, CCN seems to be using Octoshape's P2P plug-in with Flash.
The traffic looks like P2P based on the number of endpoints, one or both end ports are UDP/8247, and the packet size seems to be constant (streaming traffic). In the samples we got it has a UDP payload of 1043 bytes.
the purpose of this diary is to let you know this activity is going on. Having said that, please, do not simply ignore this kind of traffic because of this diary. It would be easy for an attacker to hide his actions on this port if we simply ignore it.
UPDATE: A couple of reference, here and here, about how Octoshape's Flash tool looks like from the end user perspective.