Re: Traffic To dark address space

[Ken Swain <ken () kenswain com>]

I have found the originating system. On the date it started the box  
tried to connect to random host on port 137 and then scanned dark  
address space. I have done  virus scans and root kit detection and  
those came up clean.

On May 23, 2007, at 12:20 AM, Murda Mcloud wrote:

> I have seen an increase in drops on our perimeter too-at least 50%  
> up from
> last month. The number of blocked addresses is higher than I have  
> ever seen
> it. Ports are weird but whatever is doing it keeps knocking at the  
> same door
> over and over again:
> Different ports though:
> 45458 45459 45074
> 22081
> 2814 etc
>
> I don't know if it is related or not. How do you define dark space?  
> The way
> I've pictured it is IP ranges/addresses that either come and go at  
> very
> short notice and/or when they have not been legitimately assigned.
> -----Original Message-----
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com] On
> Behalf Of Ken Swain
> Sent: Wednesday, May 23, 2007 6:49 AM
> To: security-basics () securityfocus com
> Subject: Traffic To dark address space
>
> Group,
>
> I am seeing tons of drops on my firewall and IPS correlated threw my
> SIM to and from Dark Address space. Not all machines on my network
> are doing this, but enough are that it is becoming a massive amount
> do deal with.
>
> I have done a Virus scan and patch check on the boxes and they all
> came up clean. All this traffic started with in the past month and
> has steadily increased. The ports are 137, 9100, 113, 67,27604 and
> 27605. It appears to hit a block of dark address space and then move
> on to anouther only to come back later.
>
> Any ideas?
>
> --Ken