On Wed, May 10, 2017 at 11:15:45AM -0700, Tom Hayward wrote:
> How many of those packets are to known destinations?

From past samples, not many. For example, a previous
sample showed 5400 to known hosts out of 3.6 million captured.

> Have you inspected the contents at all to see if there
> are similarities?

Yes. The majority of the packets are TCP open requests with no data,
mostly to ports 23 and 80.

A significant number are UDP to port 53, which could be probes or it
could be innocent hosts trying to look up the names of hosts they
are receiving IBR packets from.

Part of the difficulty in analyzing these is that tcpdump is SLOW; it
can take a very long time to display all the packets in order to do
statistical analysis. Also, the capture size is only 40 bytes; we'd
have to re-do the capture with a larger capture size in order to get
the full packet decode.
- Brian
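An added example, not part of the thread above: a small stand-alone pcap reader that produces the per-port statistics Brian describes (TCP open requests by destination port, UDP to port 53) directly from the capture instead of walking tcpdump output. It assumes the capture uses the raw-IPv4 link type (101), so that a 40-byte snaplen holds exactly an IP header plus a TCP header, and it counts packets whose L4 header was cut off by the snaplen rather than misclassifying them. The pcap and the packets are constructed inline.

```python
import struct
from collections import Counter

LINKTYPE_RAW = 101  # assumption: raw IPv4 frames, so 40 bytes = IP(20) + TCP(20)

def read_pcap(blob):
    """Minimal classic-pcap reader; yields the captured (snaplen-truncated) bytes of each packet."""
    magic = struct.unpack("<I", blob[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    assert linktype == LINKTYPE_RAW, "example only handles raw-IPv4 captures"
    off = 24
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield blob[off:off + incl]
        off += incl

def classify(packets):
    """Count SYN-only TCP packets per destination port and UDP packets per port;
    packets whose transport header was truncated by the snaplen are counted separately."""
    stats = Counter()
    for data in packets:
        if len(data) < 20 or data[0] >> 4 != 4:
            stats["non_ipv4"] += 1
            continue
        ihl = (data[0] & 0x0F) * 4          # IP options push the L4 header toward the snaplen
        proto, l4 = data[9], data[ihl:]
        if proto == 6:                       # TCP: need bytes through the flags octet (offset 13)
            if len(l4) < 14:
                stats["tcp_truncated"] += 1
                continue
            dport = struct.unpack("!H", l4[2:4])[0]
            key = ("syn", dport) if l4[13] & 0x3F == 0x02 else "tcp_other"
            stats[key] += 1
        elif proto == 17:                    # UDP: only need the port fields
            if len(l4) < 4:
                stats["udp_truncated"] += 1
                continue
            stats[("udp", struct.unpack("!H", l4[2:4])[0])] += 1
        else:
            stats[("proto", proto)] += 1
    return stats

# Constructed sample traffic: empty SYNs to 23/80, a UDP/53 query, and one SYN behind 8 bytes of IP options.
def ip_packet(proto, l4, options=b""):
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(l4),
                       0, 0, 64, proto, 0, bytes(4), bytes(4)) + options + l4

def tcp_syn(dport): return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
def udp(dport): return struct.pack("!HHHH", 40000, dport, 8, 0)

def sample_pcap(snaplen=40):
    pkts = [ip_packet(6, tcp_syn(23)), ip_packet(6, tcp_syn(23)), ip_packet(6, tcp_syn(80)),
            ip_packet(17, udp(53)), ip_packet(6, tcp_syn(22), options=bytes(8))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)
    for p in pkts:
        cap = p[:snaplen]                    # mimic the 40-byte capture size from the thread
        out += struct.pack("<IIII", 0, 0, len(cap), len(p)) + cap
    return out

def summarize(blob):
    return classify(read_pcap(blob))
```

Against a real capture, replace `sample_pcap()` with the file contents; the `tcp_truncated` count shows how many packets the 40-byte snaplen made undecodable.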