Background noise ofthe Internet
Matsuzaki ‘maz’ Yoshinobu<[email protected]>
APNIC48 [email protected] 1
I receive a packet because it’s:
• A part of my communication (^_^)
• Something else (T_T)
  • Those ‘something else’ packets are considered the background noise of the Internet, mostly unwanted traffic.
  • Every Internet-facing host receives such packets
Today’s topic
PPP-EXP
• This study is conducted by the Pool Protection Project (PPP-EXP)
• PPP-EXP was started by IIJ and JPNIC to protect the JPNIC free IPv4 pool from abuse
  • https://www.attn.jp/ppp/
• The setup
  • Announcing the prefixes from AS2522
  • Monitoring and discarding packets sent to the prefixes
  • Simple zone file for the reverse zones
    • only SOA and NS (no PTR records)
Classification of the noise
• The sender is an initiator
  • Scanning
  • Virus spreading
  • Attacking
  • Some mistake
• The sender is a reflector
  • Victim of an IP spoofing attack
    • SYN flooding, etc.
  • Some mistake
The sender is an initiator
• Intentionally sending traffic to ‘us’
[Figure: sender = initiator]
The sender is a reflector
• The original sender sends an IP-spoofed packet to a host, and the host then sends a reply *back* to ‘us’
[Figure: sender = reflector; the source address of the packet is spoofed as ‘us’]
Disclaimer
• I don’t know the actual intent of the packets, so most of the reasons mentioned in these slides are my ‘guess’
• The fact
  • We receive some amount of packets on Internet-facing hosts
• Guesses
  • Scanning
  • Reflections
  • Weird implementations
  • Mistakes
The data
• Duration: 2019/01/10 00:00~24:00 (JST)
• Fully captured incoming packets toward the prefixes
  • many pcap files
• about 6 hundred million packets
• 2758 packets/host/day
Mostly TCP packets
• TCP 95% (577340492)
• UDP 4% (26945104)
• ICMP 1% (3897454)
• IP6 0% (2153)
And mostly TCP-SYN
• SYN 98% (563062001)
• SYN-ACK 2% (12229116)
• OTHER 0% (2049375)
The TCP flag variations
• SYN 563062001
• SYN-ACK 12229116
• SYN-ECE-CWR 941603
• RST 555637
• RST-ACK 293503
• ACK 106575
• SYN-ACK-ECE 52175
• SYN-ACK-ECE-CWR 44801
• FIN-SYN-RST-PSH-ACK-URG 21745
• SYN-ACK-CWR 10423
• PSH-ACK 9532
• FIN-PSH-ACK 4434
• SYN-RST 4258
• FIN-ACK 2817
• RST-ECE 502
• RST-ECE-CWR 445
• RST-CWR 433
• SYN-PSH 364
• none 63
• RST-PSH 32
• FIN 17
• PSH 6
• PSH-ACK-URG-CWR 3
• FIN-SYN-RST-ACK-URG-CWR 2
• FIN-RST-PSH-ACK-URG-CWR 1
• SYN-PSH-CWR 1
• CWR 1
• FIN-SYN-RST-PSH-ACK-URG-CWR 1
• RST-PSH-ACK-ECE-CWR 1
The major destination ports
• TCP-SYN destinations (port: packets)
  • 23: 73958566
  • 52869: 34724310
  • 8545: 14738763
  • 22: 13507821
  • 445: 11378107
  • 80: 10794925
  • 8080: 9323605
  • 4776: 7615618
  • 4784: 7602022
  • 1433: 5755354
• UDP destinations (port: packets)
  • 389: 2445405
  • 4776: 2381843
  • 4784: 2354203
  • 1900: 2287302
  • 50328: 1191988
  • 50592: 1190070
  • 50336: 1188298
  • 50584: 1180976
  • 11211: 1064441
  • 19: 754180
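The flag-combination and destination-port tallies above come from counting raw captured packets. The following is an added example (not the presenter's or PPP-EXP's code) that reproduces that counting over constructed IPv4/TCP packets: it names flag combinations in TCP header bit order, exactly as the slide does (FIN-SYN-RST-PSH-ACK-URG-ECE-CWR, with "none" for a zero flag byte), and tallies the destination ports of pure SYNs. The packet builder and sample set are constructed for the demo.

```python
import struct
from collections import Counter

# Flag names in TCP header bit order (bit 0 = FIN ... bit 7 = CWR), matching the
# hyphenated naming used in the slide, e.g. "FIN-SYN-RST-PSH-ACK-URG".
FLAG_BITS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def flag_name(flags):
    """Render a TCP flag byte as a hyphenated name, 'none' when no bit is set."""
    names = [n for i, n in enumerate(FLAG_BITS) if flags & (1 << i)]
    return "-".join(names) if names else "none"

def parse_ipv4_tcp(pkt):
    """Return (dst_port, flags) for a raw IPv4 packet carrying TCP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # IP protocol 6 = TCP
        return None
    tcp = pkt[ihl:ihl + 20]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return dst_port, tcp[13]                   # byte 13 of the TCP header = flags

def tally(packets):
    """Count flag combinations and pure-SYN destination ports over raw IPv4 packets."""
    flag_counts, syn_ports = Counter(), Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue                            # non-IPv4 or non-TCP: not counted here
        dst_port, flags = parsed
        flag_counts[flag_name(flags)] += 1
        if flags == 0x02:                       # pure SYN, the dominant case in the talk
            syn_ports[dst_port] += 1
    return flag_counts, syn_ports

def build_pkt(dst_port, flags, proto=6):
    """Constructed minimal IPv4+TCP packet (no options, zero checksums) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\xc0\xa8\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

# Constructed sample: three SYNs to 23, one to 52869, a SYN-ACK, a RST and a UDP datagram.
SAMPLE = [build_pkt(23, 0x02)] * 3 + [build_pkt(52869, 0x02), build_pkt(80, 0x12),
                                       build_pkt(22, 0x04), build_pkt(443, 0x02, proto=17)]

if __name__ == "__main__":
    flags, ports = tally(SAMPLE)
    print(flags.most_common(), ports.most_common())
```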
Packets distribution: Sender
[Figure: histogram of the number of packets sent by a source (x-axis: the number of packets sent by a source; y-axis: the number of occurrences)]
Many hosts sending a few
A few sending a LOT
A few hosts sending a lot of packets
• Ukrainian IP (31609992 packets)
  • TCP-SYN to TCP/1025-10000
• USA IP (10793632 packets)
  • TCP-SYN to TCP/52869
• Dutch IP (10572421 packets)
  • TCP-SYN to TCP/52869
• Hong Kong IP (7330971 packets)
  • TCP-SYN to TCP/3031 and 546 other ports
• Ireland, 8 IPs (51607564 packets in total)
  • TCP-SYN to TCP/53601-60800
TCP/23 scanners
[Figure: histogram of the number of packets sent by a source for TCP/23 scanners (x-axis: the number of packets sent by a source; y-axis: the number of occurrences), with the annotation “Existing around here” marking the security services based on scanning results]
Security services based on scanning results
• Many others, and each of them is scanning you
• More new services mean more scanning packets to your network
Many hosts sending a few
[Packet dump screenshots; not recoverable from the transcript]
They send UDP packets, and then send TCP-SYN to the same destination port
Probably... BitTorrent!
This might be a P2P as well
[Packet dump screenshot; not recoverable from the transcript]
Many hosts sending a few
• There might be wrong node information in the P2P network.
  • Based on that, many hosts are trying to connect to the *nodes*
  • I guess the users of the senders are not aware of this
• Why such wrong node information?
  • Someone made a mistake in his/her configuration?
  • Someone is attacking the P2P network by injecting wrong nodes?
• The number of unique senders might indicate the number of P2P users
Packets distribution: Receiver
[Figure: histogram of the number of packets received by a host (x-axis: the number of packets received by a host; y-axis: the number of occurrences); average 2758 packets/host; a few hosts are receiving a lot]
A few hosts receive most of the many packets sent by the many hosts
Probably by a P2P application based on wrong node information
[Figure: the number of packets received by a host plotted against the number of packets sent by a sender]
Oh, yes. I see IP6 (41) packets
[Packet dump; not recoverable from the transcript]
The PTR record of the sender looks like an HTTP server -> www134.cs.uic.edu
Seems like it’s searching for a router
This explains that
IP6 (41) 6to4 packet
[Packet dump; not recoverable from the transcript]
6to4 reflections
• Someone is using 6to4 with an IPv4 address from our prefix, and we got a reply
[Figure: a host using 6to4 with a wrong IPv4 address configuration, a 6to4 relay, and the reply arriving at ‘us’]
6to4 reflections
• Guesses
  • A configuration error and a weird implementation left 6to4 enabled, and the host tried to access the Internet through it?
  • Someone using 6to4 space for IPv6 SYN flooding?
• We also observe ‘ICMP6 TTL expired’ packets related to 6to4
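The 6to4 reflection described above shows up at the pool as protocol-41 packets whose inner IPv6 destination is a 2002::/16 address embedding one of ‘our’ IPv4 addresses. The following is an added example (not the presenter's or PPP-EXP's code) that parses such a packet, extracts the embedded IPv4 address, and labels the reflection case; OUR_POOL is a placeholder prefix and the packets are constructed for the demo.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# Placeholder for the monitored pool (assumption; the project's real prefixes are not given here).
OUR_POOL = ipaddress.IPv4Network("192.0.2.0/24")

def embedded_ipv4(v6):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 6to4."""
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])

def parse_proto41(pkt):
    """(outer_dst, inner_src, inner_dst) for an IPv4 packet carrying protocol 41, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 41:
        return None
    inner = pkt[(pkt[0] & 0x0F) * 4:]           # skip the outer IPv4 header (IHL words)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(pkt[16:20]),
            ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]))

def classify_6to4(pkt):
    """Label a packet seen at the pool. A 6to4 reply to a pool address that never
    configured 6to4 is the reflection case from the talk."""
    parsed = parse_proto41(pkt)
    if parsed is None:
        return "not-proto41"
    outer_dst, _inner_src, inner_dst = parsed
    emb = embedded_ipv4(inner_dst)
    if emb is None:
        return "proto41-non-6to4"
    if emb != outer_dst:
        return "6to4-mismatch"                   # embedded IPv4 disagrees with the outer header
    if outer_dst in OUR_POOL:
        return "6to4-reply-to-pool-address"
    return "6to4-reply"

def build_pkt(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed IPv4(proto 41)+IPv6 header pair with no payload, for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0x4000, 64, 41, 0,
                     ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,        # next header 59 = none
                     ipaddress.IPv6Address(inner_src).packed, ipaddress.IPv6Address(inner_dst).packed)
    return ip + v6

# A reply relayed by the well-known 6to4 relay anycast address (192.88.99.1) toward
# 192.0.2.10, whose 6to4 form is 2002:c000:20a::/48; the pool never set up 6to4.
REFLECTED = build_pkt("192.88.99.1", "192.0.2.10", "2001:db8::1", "2002:c000:20a::1")
MISMATCH = build_pkt("192.88.99.1", "192.0.2.10", "2001:db8::1", "2002:c000:20b::1")
```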
Sudden traffic
• 300Mbps toward a single destination on 6/11/2018
• Many sources from different countries and economies
• UDP, random source and destination port
• Don’t fragment, 1052 bytes
The sudden traffic
• At first I assumed a P2P, but it looked strange
  • I couldn’t feel the intent of ‘communication’ from the payloads
  • That’s just my feeling
• So I counted
  • The byte distribution of the payload
Analysis of the sudden traffic
• The payload is totally random
  • No intention for communication
• OK, I suppose this is a DDoS attack
  • But to a destination that is not serving anything?
  • Just a mistake?
• Lesson learned
  • Without any particular reason, sometimes you suddenly become a target of DDoS
There was this kind of packet as well..
[Packet dump; not recoverable from the transcript]
Summary
• We have background noise in the Internet (IPv4)
• Malicious activities are observed
  • Yes, of course
• Security service providers are also scanning you
• Some other non-intentional or aftereffect-ish activities are also happening in the Internet
• If you are unlucky, you might receive many packets without any particular reason