
SANS ISC: STUN traffic SANS ISC InfoSec Forums

STUN traffic
I'm seeing firewall log entries for several users attempting to go to UDP port 3478 (STUN) at address 54.84.9.242. It looks like an unregistered address in APNIC. I haven't been able to isolate what is generating the traffic. Anyone else seeing something similar? Tom

2 Posts
My lookup of that IP address puts it in Amazon cloud space (ASN 14618), not APNIC. Jim

415 Posts
ISC Handler
Thank you. You are correct, I fat-fingered the whois. Tom

2 Posts
I am seeing lots of stun traffic to 54.84.9.242. Does anyone know what it is? Sycckd

2 Posts
Haven't found anything malicious associated with this Amazon IP address (yet).

virustotal.com/en/ip-address/54.84.9.242/information/
Brad

365 Posts
ISC Handler
I couldn't find anything malicious either, but it's been going on for months and there seem to be more and more hosts trying to get out. Sycckd

2 Posts
I have also seen an increasing amount of traffic to this IP from hosts on our network. I have combed through the IDS data and am unable to find any clues so far as to what's causing it all of the sudden. Anonymous

-
I too have been monitoring this activity for a couple of months, as it seems to be increasing in volume. Last night I zeroed in on a particular PC that generated STUN binding requests to 54.83.197.23 every few minutes all night long. These UDP packets were being blocked on egress, maybe the reason for the continually repeated requests. Found that the PC left a Chrome browser running all night with a certain page loaded (don't yet know what). The main internet traffic being generated from that PC during the timeframe was to Google - "safebrowsing", "tools", "client2", "client4", and possibly google-analytics (one set of logs lists google-analytics as a dest, another doesn't). Ken

2 Posts
https://github.com/diafygi/webrtc-ips

Maybe relevant. Or irrelevant, if this is common knowledge.
Anonymous

-
Looking at my Snort log, I see a DNS query for ph.tworismo.com that resolved to that IP. Alex

2 Posts
I'm seeing some traffic for this IP correspond with DNS lookups by affected clients for messaging.office.com right before I see the traffic.

Though, I am not able to get that to resolve to 54.84.9.242. And, not all clients resolving messaging.office.com hit that ip:

Netflow data:

2015-04-29 08:26:58.557 0.000 UDP 192.168.0.146:58218 -> 54.84.9.242:3478 0 28 1


named query log:

Apr 29 08:26:58.416 queries: info: client 192.168.0.146#60615: query: messaging.office.com IN A


However, for the three relatively quiet machines that hit 54.84.9.242:3478, I did see the same pattern. For other machines that made tens of DNS requests before the STUN action, I did not see a messaging.office.com lookup.

It may be coincidental.
Tim

6 Posts
I think this might relate to ninjapd.com.

The STUN traffic we've seen to and from this address has followed a DNS query for ph.ninjapd.com. We've seen HTTP traffic to ninjapd.com with a referrer of http://www.el-nacional.com/.

Dunno if ninjapd is one of those silly STUN-based CDNs? Maybe el-nacional uses it?
Alec

2 Posts
Following the VirusTotal information on the domains using the IP address, most look like they are tied to White Ops, Dan Kaminsky. Maybe someone should reach out and ask the company? Dean

135 Posts
Bro logs show this:
2015-04-28T05:54:59+0000 CfVsQw3rflYsiWQAM8 192.168.0.29 50145 54.84.9.242 3478 udp - 10.167921 120 600 SF F 0 Dd 6 288 6 768 (empty)
2015-04-28T05:56:57+0000 Cup1oA2osUBmkMvqpd 192.168.0.29 62884 54.84.9.242 3478 udp - 10.454747 200 1000 SF F 0 Dd 10 480 10 1280 (empty)
2015-04-28T05:57:55+0000 CR8Jt231gHyuGtWqKf 192.168.0.29 52946 54.84.9.242 3478 udp - 10.163208 80 400 SF F 0 Dd 4 192 4 512 (empty)
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 192.168.0.29 63197 216.136.95.2 53 udp 13491 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 192.168.0.29 63197 216.136.95.2 53 udp 13491 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
James

35 Posts
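Tim's netflow/named correlation and James's Bro logs above both rest on the same check: did the client resolve some name to 54.84.9.242 shortly before it sent UDP to 54.84.9.242:3478? The Python script below is an added example (not code from this thread or from the Bro project) that parses conn.log and dns.log records in the whitespace-separated form shown above, drops the repeated dns.log lines by uid, and reports for each STUN flow the DNS queries from the same host whose answers contained the STUN destination within the preceding 60 seconds. The sample records are James's lines plus one constructed conn.log line for a host that never resolved the address; the field positions assume the default Bro 2.x column order, which is what the posted lines appear to use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STUN_PORT = 3478
WINDOW = timedelta(seconds=60)  # how long before the STUN flow a DNS answer still "explains" it

# Constructed sample input: the conn.log and dns.log records James posted (whitespace-
# separated as they appear in the thread, duplicated dns.log lines included), plus one
# constructed conn.log record for a host that never resolved the address (negative case).
CONN_LOG = """\
2015-04-28T05:54:59+0000 CfVsQw3rflYsiWQAM8 192.168.0.29 50145 54.84.9.242 3478 udp - 10.167921 120 600 SF F 0 Dd 6 288 6 768 (empty)
2015-04-28T05:56:57+0000 Cup1oA2osUBmkMvqpd 192.168.0.29 62884 54.84.9.242 3478 udp - 10.454747 200 1000 SF F 0 Dd 10 480 10 1280 (empty)
2015-04-28T05:57:55+0000 CR8Jt231gHyuGtWqKf 192.168.0.29 52946 54.84.9.242 3478 udp - 10.163208 80 400 SF F 0 Dd 4 192 4 512 (empty)
2015-04-28T06:10:00+0000 CconstructedNoDns1 192.168.0.146 58218 54.84.9.242 3478 udp - - - - S0 F 0 D 1 56 0 0 (empty)
"""
DNS_LOG = """\
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 192.168.0.29 63197 216.136.95.2 53 udp 13491 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F
"""


def parse_ts(text):
    """Bro timestamps as shown in the thread: 2015-04-28T05:54:59+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def parse_conn(text):
    """conn.log: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ... (Bro 2.x order assumed)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 7:
            continue
        records.append({"ts": parse_ts(fields[0]), "uid": fields[1], "orig_h": fields[2],
                        "resp_h": fields[4], "resp_p": int(fields[5]), "proto": fields[6]})
    return records


def parse_dns(text):
    """dns.log: ... query is field 8, comma-separated answers are field 20; duplicates dropped by uid."""
    seen, records = set(), []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 22 or fields[1] in seen:
            continue
        seen.add(fields[1])
        answers = set() if fields[20] == "-" else set(fields[20].split(","))
        records.append({"ts": parse_ts(fields[0]), "uid": fields[1], "orig_h": fields[2],
                        "query": fields[8], "answers": answers})
    return records


def correlate_stun(conn_text, dns_text, window=WINDOW):
    """For every UDP flow to port 3478, list (query, seconds_before) for DNS answers from the
    same client that contained the flow's destination IP and arrived at most `window` earlier."""
    dns_by_host = defaultdict(list)
    for rec in parse_dns(dns_text):
        dns_by_host[rec["orig_h"]].append(rec)
    result = {}
    for conn in parse_conn(conn_text):
        if conn["proto"] != "udp" or conn["resp_p"] != STUN_PORT:
            continue
        hits = []
        for rec in dns_by_host.get(conn["orig_h"], []):
            delta = conn["ts"] - rec["ts"]
            if timedelta(0) <= delta <= window and conn["resp_h"] in rec["answers"]:
                hits.append((rec["query"], int(delta.total_seconds())))
        result[conn["uid"]] = sorted(hits, key=lambda hit: hit[1])
    return result


if __name__ == "__main__":
    for uid, hits in correlate_stun(CONN_LOG, DNS_LOG).items():
        print(uid, hits or "no preceding DNS answer for the STUN destination")
```

Flows with an empty list are the ones worth a closer look, since the client reached 54.84.9.242 without resolving any name to it in the window; on real logs you would feed the script the tab-separated files directly and widen the window to at least the answer's TTL.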
James has ph.adnxtr.com, I've got ph.ninjapd.com. Both say "ph" :) Alec

2 Posts
What I've seen related to Port 2378 and 54.84.9.242:

Apr 25 18:58:05 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=53084 DPT=3478 LEN=37
Apr 26 15:22:27 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=38022 DPT=3478 LEN=37
Apr 28 01:30:25 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=23684 DF PROTO=UDP SPT=47792 DPT=3478 LEN=37
Apr 28 22:03:04 DROPPED SRC=198.23.132.226 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44319 DPT=3478 LEN=37

2015-04-28 11:00:30.006468 IP 10.2.245.74.56241 > 10.2.244.39.53: 14188+ A? ph.adnxtr.com. (31)
2015-04-28 11:00:30.069540 IP 10.2.244.39.53 > 10.2.245.74.56241: 14188 1/4/4 A 54.84.9.242 (248)
2015-04-28 23:26:08.556839 IP 10.2.244.39.46151 > 205.251.198.149.53: 28978% [1au] A? ph.ninjapd.com. (43)
2015-04-28 23:26:08.614990 IP 10.2.244.39.53 > 10.2.245.172.57750: 41772 1/4/4 A 54.84.9.242 (249)
2015-04-28 23:33:20.849228 IP 10.2.244.39.17688 > 205.251.197.174.53: 21453% [1au] A? ph.ninjapd.com. (43)
2015-04-28 23:33:20.905461 IP 205.251.197.174.53 > 10.2.244.39.17688: 21453*- 1/4/1 A 54.84.9.242 (196)
2015-04-28 23:50:59.964778 IP 10.2.244.39.16066 > 205.251.197.174.53: 36648% [1au] A? ph.ninjapd.com. (43)
2015-04-28 23:51:00.022528 IP 205.251.197.174.53 > 10.2.244.39.16066: 36648*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 01:17:10.575201 IP 10.2.244.39.36048 > 205.251.193.117.53: 29998% [1au] A? ph.ninjapd.com. (43)
2015-04-29 01:17:10.617812 IP 205.251.193.117.53 > 10.2.244.39.36048: 29998*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 01:21:21.265737 IP 10.2.244.39.41644 > 205.251.193.117.53: 18355% [1au] A? ph.ninjapd.com. (43)
2015-04-29 01:21:21.309069 IP 205.251.193.117.53 > 10.2.244.39.41644: 18355*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 01:36:00.896863 IP 205.251.193.117.53 > 10.2.244.39.12538: 54106*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 01:36:00.898175 IP 10.2.244.39.53 > 10.2.245.172.52591: 41333 1/4/4 A 54.84.9.242 (249)
2015-04-29 01:57:39.175297 IP 10.2.244.39.22132 > 205.251.197.174.53: 20955% [1au] A? ph.ninjapd.com. (43)
2015-04-29 01:57:39.233333 IP 205.251.197.174.53 > 10.2.244.39.22132: 20955*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 03:26:05.632754 IP 10.2.244.39.21066 > 205.251.194.48.53: 8508% [1au] A? ph.ninjapd.com. (43)
2015-04-29 03:26:05.708425 IP 205.251.194.48.53 > 10.2.244.39.21066: 8508*- 1/4/1 A 54.84.9.242 (196)
2015-04-29 04:26:43.319681 IP 10.2.244.39.1061 > 205.251.198.149.53: 9447% [1au] A? ph.ninjapd.com. (43)
2015-04-29 04:26:43.377539 IP 205.251.198.149.53 > 10.2.244.39.1061: 9447*- 1/4/1 A 54.84.9.242 (196)

--
Travis

5 Posts
We have been seeing the same thing over the last week, ever-increasing requests for 3478 (STUN) to 54.84.9.242. We are also seeing DNS requests for the same ph.tworismo.com domain. We have packet captures which include a software designation of "Coturn-4.4.2.3 'Ardee West'", which indicates they are using this software: http://coturn.googlecode.com/svn/trunk/ChangeLog

You can see the pcap details at http://imgur.com/a/tYnee

Also, donning my tinfoil, does ph = "Phone Home?"
TobySimmons

7 Posts
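TobySimmons (above) and Tim (below) both see the string Coturn-4.4.2.3 'Ardee West' inside the captured packets; STUN carries it in the SOFTWARE attribute (type 0x8022, RFC 5389), so a small decoder is enough to pull it out of a capture or a UDP sensor feed. The Python code below is an added example, not from the thread or from the coturn project: it builds a constructed Binding Success Response carrying that software string and a XOR-MAPPED-ADDRESS, then parses it back, checking the magic cookie, the length field and each attribute's framing so that a truncated or non-STUN datagram raises an error instead of being misreported. The transaction ID, the mapped address 203.0.113.10 and its port are constructed values.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442           # RFC 5389 fixed value, bytes 4-7 of every STUN header
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101

# The software string is the one quoted in this thread; everything else is constructed.
SAMPLE_SOFTWARE = "Coturn-4.4.2.3 'Ardee West'"
SAMPLE_TXID = bytes(range(12))      # constructed 96-bit transaction id
SAMPLE_ADDR = ("203.0.113.10", 58218)


def _attr(atype, value):
    """TLV-encode one attribute, padded to a 4-byte boundary as the RFC requires."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_binding_response(txid, mapped_ip, mapped_port, software):
    """Build a Binding Success Response (constructed input, shaped as a server would send it)."""
    xport = mapped_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(mapped_ip))[0] ^ MAGIC_COOKIE
    attrs = _attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr))
    attrs += _attr(ATTR_SOFTWARE, software.encode("utf-8"))
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txid + attrs


def parse_stun(data):
    """Decode one STUN datagram; raise ValueError if it is not well-formed RFC 5389 STUN."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if mtype & 0xC000 or cookie != MAGIC_COOKIE:   # top two bits of the type are always zero
        raise ValueError("not an RFC 5389 STUN message")
    if len(data) != 20 + mlen:
        raise ValueError("length field does not match datagram size")
    attrs, off = {}, 20
    while off < 20 + mlen:
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs[atype] = value
        off += 4 + alen + ((-alen) % 4)          # skip the value and its padding
    msg = {"type": mtype, "txid": data[8:20], "attrs": attrs}
    if ATTR_SOFTWARE in attrs:
        msg["software"] = attrs[ATTR_SOFTWARE].decode("utf-8", "replace")
    xma = attrs.get(ATTR_XOR_MAPPED_ADDRESS)
    if xma is not None and len(xma) >= 8:
        family, xport, xaddr = struct.unpack("!xBHI", xma[:8])
        if family == 0x01:                        # IPv4: un-XOR port and address with the cookie
            msg["mapped"] = (socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)),
                             xport ^ (MAGIC_COOKIE >> 16))
    return msg


if __name__ == "__main__":
    datagram = build_binding_response(SAMPLE_TXID, SAMPLE_ADDR[0], SAMPLE_ADDR[1], SAMPLE_SOFTWARE)
    decoded = parse_stun(datagram)
    print("type=0x%04x software=%r mapped=%s" % (decoded["type"], decoded["software"], decoded["mapped"]))
```

Run over the UDP payloads of inbound packets from port 3478, the decoder gives you the server's self-reported software per STUN destination, which is the same attribution TobySimmons took from the pcap by eye; the strict length and cookie checks matter because port 3478 also sees unrelated scanning traffic.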
With the information others have supplied here, I can confirm that I am seeing ph.adnxtr.com DNS requests on all machines exhibiting this traffic.

The messaging.office.com was a fluke in that for three users, the dns resolution occurred very, very close to the observed traffic. But it was not happening on all machines.

All machines here are showing the ph.adnxtr.com.

We are also seeing packets with the same coturn string in them.
Tim

6 Posts
We have seen these DNS results for the IP:
First seen Feb 10

ph.tworismo.com
ph.adnxtr.com
ph.ninjapd.com
ph.dessaly.com
IcePick

1 Posts
Add:

ph.pkthop.com
ph.tagsrvcs.com
ph.adsrvs.com
Tim

6 Posts
I see an HTTP connection to self-repair.mozilla.org just before the STUN UDP attempts.


self-repair.mozilla.org

54.192.207.82
54.192.204.196
54.192.206.192
54.230.207.227
54.230.205.75
54.192.205.77
54.192.207.164
54.230.205.208
Anonymous

-
