Background noise of the Internet Matsuzaki ‘maz’ Yoshinobu <[email protected]> APNIC48 [email protected] 1


Post on 07-Jul-2020


I receive a packet because it’s:

• A part of my communication (^_^)

• Something else (T_T)

• Those ‘something else’ are considered background noise of the Internet, mostly unwanted traffic.
• Every Internet-facing host is receiving such packets

Today’s topic


PPP-EXP

• This study is conducted by Pool Protection Project (PPP-EXP)

• PPP-EXP was started by IIJ and JPNIC to protect the JPNIC free IPv4 pool from abuse
  • https://www.attn.jp/ppp/
• The setup
  • Announcing prefixes by AS2522
  • Monitoring and discarding packets to the prefixes
  • Simple zone file for the reverse zones
    • only SOA and NS (no PTR records)

Classifications of noises

• The sender is an initiator
  • Scanning
  • Virus spreading
  • Attacking
  • Some mistake
• The sender is a reflector
  • Victim of IP spoofing attack
    • SYN flooding, etc.
  • Some mistake

The sender is an initiator

• Intentionally sending traffic to ‘us’

[Diagram: sender = initiator]

The sender is a reflector

• The original sender sends an IP-spoofed packet to a host, and the host then sends *back* a reply to ‘us’

[Diagram: the source address of the packet is spoofed as ‘us’; sender = reflector]

Disclaimer

• I don’t know the actual intent of the packets, so most of the reasons mentioned in these slides are my ‘guess’
• The fact
  • We receive some amount of packets on the Internet facing hosts
• Guesses
  • Scanning
  • Reflections
  • Weird implementations
  • Mistake

The data

• Duration: 2019/01/10 00:00~24:00 (JST)
• Fully captured incoming packets toward the prefixes
  • many pcap files
  • about 6 hundred million packets
  • 2758 packets/host/day

Mostly TCP packets

• TCP 95% (577340492)
• UDP 4% (26945104)
• ICMP 1% (3897454)
• IP6 0% (2153)

And mostly TCP-SYN

• SYN 98% (563062001)
• SYN-ACK 2% (12229116)
• OTHER 0% (2049375)

The TCP Flag variations

• SYN 563062001

• SYN-ACK 12229116

• SYN-ECE-CWR 941603

• RST 555637

• RST-ACK 293503

• ACK 106575

• SYN-ACK-ECE 52175

• SYN-ACK-ECE-CWR 44801

• FIN-SYN-RST-PSH-ACK-URG 21745

• SYN-ACK-CWR 10423

• PSH-ACK 9532

• FIN-PSH-ACK 4434

• SYN-RST 4258

• FIN-ACK 2817

• RST-ECE 502

• RST-ECE-CWR 445

• RST-CWR 433

• SYN-PSH 364

• none 63

• RST-PSH 32

• FIN 17

• PSH 6

• PSH-ACK-URG-CWR 3

• FIN-SYN-RST-ACK-URG-CWR 2

• FIN-RST-PSH-ACK-URG-CWR 1

• SYN-PSH-CWR 1

• CWR 1

• FIN-SYN-RST-PSH-ACK-URG-CWR 1

• RST-PSH-ACK-ECE-CWR 1
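
The flag labels above, combined with the initiator/reflector split from the classification slides, as an added Python example that is not part of the original slides: it labels the flags byte of raw IPv4 packets in the same bit order as the list and guesses the sender's role. The role heuristic (bare SYN means initiator; SYN-ACK, RST or RST-ACK means reflector; ECN bits ignored), the function names and the sample packets are assumptions made for illustration.

```python
import struct
from collections import Counter

# Bit order follows the labels in the flag list above (FIN first, CWR last).
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]
SYN, RST, ACK = 0x02, 0x04, 0x10

def flag_label(flags):
    """Render a TCP flags byte the way the list above does, e.g. SYN-ACK-ECE."""
    names = [name for bit, name in FLAG_BITS if flags & bit]
    return "-".join(names) if names else "none"

def tcp_flags(pkt):
    """Return the TCP flags byte of a raw IPv4 packet, or None if it has none."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 14:
        return None  # bad header, non-first fragment, or truncated TCP header
    return pkt[ihl + 13]

def likely_role(flags):
    """Assumed heuristic: guess whether the sender initiated or reflected."""
    core = flags & 0x3F  # ignore the ECN bits (ECE, CWR)
    if core == SYN:
        return "initiator"  # connection attempt, e.g. a scan
    if core in (SYN | ACK, RST, RST | ACK):
        return "reflector"  # answer to a packet that spoofed our address
    return "other"          # unusual combination, no guess

def tally(packets):
    """Count (flag label, likely role) pairs over raw IPv4 packets."""
    counts = Counter()
    for pkt in packets:
        flags = tcp_flags(pkt)
        if flags is not None:
            counts[(flag_label(flags), likely_role(flags))] += 1
    return counts

def sample_packet(flags, proto=6):
    """Constructed sample: minimal IPv4 + TCP headers, documentation addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

SAMPLES = [sample_packet(f) for f in (0x02, 0x02, 0xC2, 0x12, 0x14, 0x3F, 0x00)]
SAMPLES.append(sample_packet(0x02, proto=17))  # not TCP, skipped by tally()

if __name__ == "__main__":
    for (label, role), n in tally(SAMPLES).most_common():
        print(f"{label:28} {role:10} {n}")
```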

The major destination ports

TCP-SYN destinations (port, packets)
• 23 73958566
• 52869 34724310
• 8545 14738763
• 22 13507821
• 445 11378107
• 80 10794925
• 8080 9323605
• 4776 7615618
• 4784 7602022
• 1433 5755354

UDP destinations (port, packets)
• 389 2445405
• 4776 2381843
• 4784 2354203
• 1900 2287302
• 50328 1191988
• 50592 1190070
• 50336 1188298
• 50584 1180976
• 11211 1064441
• 19 754180

Packets distribution: Sender

[Figure: x-axis: the number of packets sent by a source; y-axis: the number of occurrences. Annotations: “Many hosts sending a few packets”, “A few sending a LOT”]

A few hosts sending a lot of packets

• Ukrainian IP (31609992 packets)
  • TCP-SYN to TCP/1025-10000
• USA IP (10793632 packets)
  • TCP-SYN to TCP/52869
• Dutch IP (10572421 packets)
  • TCP-SYN to TCP/52869
• Hong Kong IP (7330971 packets)
  • TCP-SYN to TCP/3031 and other 546 ports
• Ireland 8 IPs (total 51607564 packets)
  • TCP-SYN to TCP/53601-60800

TCP/23 scanners

[Figure: x-axis: the number of packets sent by a source; y-axis: the number of occurrences. Annotation: “Existing around here”]

Security services based on scanning results

• Many others, and each of them is scanning you
• More new services means more scanning packets to your network

Many hosts sending a few

They send UDP packets, and then send TCP-SYN to the same destination port

Probably... BitTorrent!

This might be a P2P as well

Many hosts sending a few

• There might be wrong node information in the P2P network.
  • Based on that, many hosts are trying to connect to the *nodes*
  • I guess users of the senders are not aware of this
• Why such wrong node information?
  • Someone made a mistake in his/her configuration?
  • Someone is attacking the P2P network by injecting wrong nodes?
• The number of unique senders might be indicating the number of P2P users

Packets distribution: Receiver

[Figure: x-axis: the number of packets received by a host; y-axis: the number of occurrences. Annotations: “Average 2758 packets/host”, “A few hosts are receiving a lot”]

A few hosts receiving most of the many packets from the many hosts

Probably by a P2P application based on wrong node information

[Figure: x-axes: the number of packets received by a host, the number of packets sent by a sender; y-axis: the number of occurrences]

Oh, yes. I see IP6 (41) packet

The PTR record of the sender looks like a HTTP server -> www134.cs.uic.edu

Seems like it’s searching a router


This explains that

IP6 (41) 6to4 packet

6to4 reflections

• Someone is using 6to4 with an IPv4 address from our prefix, and we got a reply

[Diagram: a host using 6to4 with wrong IPv4 address configuration; 6to4 relay]

6to4 reflections

• Guesses
  • Configuration error and weird implementation made 6to4 enabled, and the host tried to access the Internet through it?
  • Someone using 6to4 space for IPv6 SYN-flooding?
• We also observe ‘ICMP6 TTL expired’ packets related to 6to4
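
How a 6to4 reflection like the one described above can be recognised in a capture, as an added Python example (not from the original slides): 6to4 addresses have the form 2002:V4ADDR::/48, so the inner IPv6 destination of a protocol-41 packet carries the IPv4 address the reply was tunnelled to. The monitored prefix 192.0.2.0/24, the function names and the sample packets are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
MONITORED = ipaddress.ip_network("192.0.2.0/24")  # assumed stand-in for 'our' prefix

def embedded_v4(v6):
    """Return the IPv4 address inside a 6to4 address (2002:V4ADDR::/48), else None."""
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def inspect_proto41(pkt, monitored=MONITORED):
    """Parse an IPv4 protocol-41 packet and report how 6to4 relates it to us."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 41:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # bad outer header or no complete IPv6 header inside
    outer_dst = ipaddress.IPv4Address(pkt[16:20])
    v6_dst = ipaddress.IPv6Address(inner[24:40])
    v4_in_dst = embedded_v4(v6_dst)
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(outer_dst),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(v6_dst),
        "inner_next_header": inner[6],  # 6 = TCP, 58 = ICMPv6
        # A relay derives the outer destination from the inner 6to4 destination.
        # A match on a monitored address means someone used our IPv4 address
        # as their 6to4 prefix and this is the reply coming back.
        "reflection": (v4_in_dst is not None and v4_in_dst == outer_dst
                       and outer_dst in monitored),
    }

def sample_packet(outer_dst, inner_dst, proto=41):
    """Constructed sample: IPv4 header wrapping a bare IPv6 header."""
    inner = (bytes([0x60, 0, 0, 0, 0, 0, 6, 64])
             + ipaddress.IPv6Address("2001:db8::1").packed
             + ipaddress.IPv6Address(inner_dst).packed)
    outer = (bytes([0x45, 0, 0, 60, 0, 0, 0, 0, 64, proto, 0, 0])
             + ipaddress.IPv4Address("198.51.100.1").packed
             + ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner

if __name__ == "__main__":
    print(inspect_proto41(sample_packet("192.0.2.5", "2002:c000:205::1")))
```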


Sudden traffic

• 300Mbps toward a single destination on 6/11/2018

• Many sources from different countries and economies

• UDP, random source and destination port

• Don’t fragment, 1052 bytes


The sudden traffic

• Firstly I assumed a P2P, but it looks strange
  • I couldn’t feel the intent of ‘communication’ from the payloads
  • That’s just my feeling
• So I counted
  • The byte distribution of the payload

Byte distributions sometimes tell something

[Figure: byte distribution plots for sample file types: pdf, docx, jpg, m4a, pptx]

The byte distribution is too flat

[Figure: byte distribution of the UDP datagram]

Analysis of the sudden traffic

• The payload is totally random
  • No intention for communication
• OK, I suppose this is a DDoS attack
  • But to the destination that is not serving anything?
  • Just mistake?
• Lesson learned
  • Without any particular reason, sometimes you suddenly become a target of DDoS
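
One way to do the byte counting described above, as an added Python example that is not the author's tooling: it computes the byte histogram of a payload, its Shannon entropy and a chi-square statistic against a flat distribution. The thresholds, function names and both sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def byte_histogram(payload):
    """Occurrences of each byte value 0..255 in the payload."""
    counts = Counter(payload)
    return [counts.get(value, 0) for value in range(256)]

def shannon_entropy(payload):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a flat histogram."""
    total = len(payload)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total)
                for c in byte_histogram(payload) if c)

def chi_square_flat(payload):
    """Chi-square statistic against a flat distribution (255 degrees of freedom)."""
    expected = len(payload) / 256
    if expected == 0:
        return 0.0
    return sum((c - expected) ** 2 / expected for c in byte_histogram(payload))

def looks_flat(payload, min_entropy=7.5, max_chi2=400.0):
    """Assumed thresholds for payloads of about 1 KB: high entropy, low chi-square."""
    return (shannon_entropy(payload) >= min_entropy
            and chi_square_flat(payload) <= max_chi2)

# Constructed samples, 1024 bytes each. The first is a hash-derived stream that
# stands in for a random payload; the second is protocol-like text.
FLAT_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(32))
TEXT_SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n" * 30)[:1024]

if __name__ == "__main__":
    for name, data in (("flat", FLAT_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, round(shannon_entropy(data), 2),
              round(chi_square_flat(data), 1), looks_flat(data))
```

A flat distribution is also what compressed or encrypted data produces, so the result says the bytes show no visible structure, not who sent them or why.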

There was this kind of packet as well

Summary

• We have background noise in the Internet (IPv4)
  • Malicious activities are observed
    • Yes, of course
  • Security service providers are also scanning you
  • Some other non-intentional or aftereffect-ish activities are also happening in the Internet
  • If you are unlucky, you might receive many packets without any particular reason