Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Traffic increase for port UDP/8247 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Traffic increase for port UDP/8247

Published: 2009-01-21
Last Updated: 2009-01-21 15:18:12 UTC
by Raul Siles (Version: 3)
0 comment(s)

We got reports of a significant traffic increase associated to port UDP/8247 starting yesterday. Thanks to Ian and John for the early warning.The peak can be seen in our Dshield graphs too. It seems to be related with CNN's streaming service broadcasting the Obama events mentioned in yesterday's ISC diary. Based on multiple reports, CCN seems to be using Octoshape's P2P plug-in with Flash.

The traffic looks like P2P based on the number of endpoints, one or both end ports are UDP/8247, and the packet size seems to be constant (streaming traffic). In the samples we got it has a UDP payload of 1043 bytes.

the purpose of this diary is to let you know this activity is going on. Having said that, please, do not simply ignore this kind of traffic because of this diary. It would be easy for an attacker to hide his actions on this port if we simply ignore it.

--
Raul Siles
www.raulsiles.com

UPDATE: A couple of reference, here and here, about how Octoshape's Flash tool looks like from the end user perspective.

Keywords: player ports traffic
0 comment(s)
Diary Archives