STUN traffic - SANS Internet Storm Center

STUN traffic
I'm seeing firewall log entries for several users attempting to go to UDP port 3478 (STUN) at address 54.84.9.242. It looks like an unregistered address in APNIC. I haven't been able to isolate what is generating the traffic. Anyone else seeing something similar?	Tom 2 Posts
thread locked Quote Subscribe	Apr 15th 2015 7 years ago
My lookup of that IP address puts it in Amazon cloud space (ASN 14618), not APNIC.	Jim 423 Posts ISC Handler
Thread locked. Quote	Apr 15th 2015 7 years ago
Thank you. You are correct, I fat-fingered the whois.	Tom 2 Posts
Thread locked. Quote	Apr 15th 2015 7 years ago
I am seeing lots of stun traffic to 54.84.9.242. Does anyone know what it is?	Sycckd 2 Posts
Thread locked. Quote	Apr 28th 2015 7 years ago
Haven't found anything malicious associated with this Amazon IP address (yet). virustotal.com/en/ip-address/54.84.9.242/information/	Brad 436 Posts ISC Handler
Thread locked. Quote	Apr 28th 2015 7 years ago
I couldn't find anything malicious either but its been going on for months and there seem to be more and more hosts trying to get out.	Sycckd 2 Posts
Thread locked. Quote	Apr 28th 2015 7 years ago
I have also seen an increasing amount of traffic to this IP from hosts on our network. I have combed through the IDS data and am unable to find any clues so far as to what's causing it all of the sudden.	Anonymous -
Thread locked. Quote	Apr 29th 2015 7 years ago
I too have been monitoring this activity for a couple months as it seems to be increasing in volume. Last night I zeroed-in on a particular PC that generated STUN binding requests to 54.83.197.23 every few minutes all night long. These UDP packets were being blocked on egress, maybe the reason for the continually repeated requests. Found that the PC left a chrome browser running all night with a certain page loaded (don't yet know what).The main internet traffic being generated from that PC during the timeframe was to google - "safebrowsing", "tools", "client2", "client4", and possibly google-analytics (one set of logs lists google-analytics as a dest, another doesn't).	Ken 2 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
https://github.com/diafygi/webrtc-ips Maybe relevant. Or irrelevant, if this is common knowledge.	Anonymous -
Thread locked. Quote	Apr 29th 2015 7 years ago
looking at my snort log, I see a DNS query for ph.tworismo.com that resolved to that IP.	Alex 2 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
I'm seeing some traffic for this IP correspond with DNS lookups by affected clients for messaging.office.com right before I see the traffic. Though, I am not able to get that to resolve to 54.84.9.242. And, not all clients resolving messaging.office.com hit that ip: Netflow data: 2015-04-29 08:26:58.557 0.000 UDP 192.168.0.146:58218 -> 54.84.9.242:3478 0 28 1 named query log: Apr 29 08:26:58.416 queries: info: client 192.168.0.146#60615: query: messaging.office.com IN A However, for the three relatively quiet machines that hit 54.84.9.242:3478, I did see the same pattern. For other machines that made tens of DNS requests before the STUN action, I did not see a messaging.office.com lookup. It may be coincidental.	Tim 6 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
I think this might relate to ninjapd.com. The STUN traffic we've seen to and from this address has followed a DNS query for ph.ninjapd.com. We've seen HTTP traffic to ninjapd.com with a referrer of http://www.el-nacional.com/. Dunno if ninjapd is one of those silly STUN-based CDNs? Maybe el-nacional uses it?	Alec 2 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
Following the virustotal information on the doamins using the IP address, most look like they are tied to White Ops, Dan Kaminsky. Maybe someone should reach out and ask the company?	Dean 135 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
Bro logs show this: 2015-04-28T05:54:59+0000 CfVsQw3rflYsiWQAM8 192.168.0.29 50145 54.84.9.242 3478 udp - 10.167921 120 600 SF F 0 Dd 6 288 6 768 (empty) 2015-04-28T05:56:57+0000 Cup1oA2osUBmkMvqpd 192.168.0.29 62884 54.84.9.242 3478 udp - 10.454747 200 1000 SF F 0 Dd 10 480 10 1280 (empty) 2015-04-28T05:57:55+0000 CR8Jt231gHyuGtWqKf 192.168.0.29 52946 54.84.9.242 3478 udp - 10.163208 80 400 SF F 0 Dd 4 192 4 512 (empty) 2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F 2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 192.168.0.29 49161 216.136.95.2 53 udp 17834 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F 2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 192.168.0.29 63197 216.136.95.2 53 udp 13491 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F 2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 192.168.0.29 63197 216.136.95.2 53 udp 13491 ph.adnxtr.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 54.84.9.242 30.000000 F	James 35 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
James has ph.adnxtr.com, I've got ph.ninjapd.com. Both say "ph" :)	Alec 2 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
What I've seen related to Port 2378 and 54.84.9.242: Apr 25 18:58:05 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=53084 DPT=3478 LEN=37 Apr 26 15:22:27 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=38022 DPT=3478 LEN=37 Apr 28 01:30:25 DROPPED SRC=142.4.217.67 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=23684 DF PROTO=UDP SPT=47792 DPT=3478 LEN=37 Apr 28 22:03:04 DROPPED SRC=198.23.132.226 DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44319 DPT=3478 LEN=37 2015-04-28 11:00:30.006468 IP 10.2.245.74.56241 > 10.2.244.39.53: 14188+ A? ph.adnxtr.com. (31) 2015-04-28 11:00:30.069540 IP 10.2.244.39.53 > 10.2.245.74.56241: 14188 1/4/4 A 54.84.9.242 (248) 2015-04-28 23:26:08.556839 IP 10.2.244.39.46151 > 205.251.198.149.53: 28978% [1au] A? ph.ninjapd.com. (43) 2015-04-28 23:26:08.614990 IP 10.2.244.39.53 > 10.2.245.172.57750: 41772 1/4/4 A 54.84.9.242 (249) 2015-04-28 23:33:20.849228 IP 10.2.244.39.17688 > 205.251.197.174.53: 21453% [1au] A? ph.ninjapd.com. (43) 2015-04-28 23:33:20.905461 IP 205.251.197.174.53 > 10.2.244.39.17688: 21453- 1/4/1 A 54.84.9.242 (196) 2015-04-28 23:50:59.964778 IP 10.2.244.39.16066 > 205.251.197.174.53: 36648% [1au] A? ph.ninjapd.com. (43) 2015-04-28 23:51:00.022528 IP 205.251.197.174.53 > 10.2.244.39.16066: 36648- 1/4/1 A 54.84.9.242 (196) 2015-04-29 01:17:10.575201 IP 10.2.244.39.36048 > 205.251.193.117.53: 29998% [1au] A? ph.ninjapd.com. (43) 2015-04-29 01:17:10.617812 IP 205.251.193.117.53 > 10.2.244.39.36048: 29998- 1/4/1 A 54.84.9.242 (196) 2015-04-29 01:21:21.265737 IP 10.2.244.39.41644 > 205.251.193.117.53: 18355% [1au] A? ph.ninjapd.com. (43) 2015-04-29 01:21:21.309069 IP 205.251.193.117.53 > 10.2.244.39.41644: 18355- 1/4/1 A 54.84.9.242 (196) 2015-04-29 01:36:00.896863 IP 205.251.193.117.53 > 10.2.244.39.12538: 54106- 1/4/1 A 54.84.9.242 (196) 2015-04-29 01:36:00.898175 IP 10.2.244.39.53 > 10.2.245.172.52591: 41333 1/4/4 A 54.84.9.242 (249) 2015-04-29 01:57:39.175297 IP 10.2.244.39.22132 > 205.251.197.174.53: 20955% [1au] A? ph.ninjapd.com. (43) 2015-04-29 01:57:39.233333 IP 205.251.197.174.53 > 10.2.244.39.22132: 20955- 1/4/1 A 54.84.9.242 (196) 2015-04-29 03:26:05.632754 IP 10.2.244.39.21066 > 205.251.194.48.53: 8508% [1au] A? ph.ninjapd.com. (43) 2015-04-29 03:26:05.708425 IP 205.251.194.48.53 > 10.2.244.39.21066: 8508- 1/4/1 A 54.84.9.242 (196) 2015-04-29 04:26:43.319681 IP 10.2.244.39.1061 > 205.251.198.149.53: 9447% [1au] A? ph.ninjapd.com. (43) 2015-04-29 04:26:43.377539 IP 205.251.198.149.53 > 10.2.244.39.1061: 9447- 1/4/1 A 54.84.9.242 (196) -- Travis	Travis 5 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
We have been seeing the same thing over the last week, ever increasing requests for 3478 (STUN) to 54.84.9.242. We are also seeing DNS requests for the same ph.tworismo.com domain. We have packet captures which include a software designation of "Coturn-4.4.2.3 'Ardee West' which indicates they are using this software: http://coturn.googlecode.com/svn/trunk/ChangeLog You can see the pcap details at http://imgur.com/a/tYnee Also, donning my tinfoil, does ph = "Phone Home?"	TobySimmons 7 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
With the information others have supplied here, I can confirm that I am seeing ph.adnxtr.com DNS requests on all machines exhibiting this traffic. The messaging.office.com was a fluke in that for three users, the dns resolution occurred very, very close to the observed traffic. But it was not happening on all machines. All machines here are showing the ph.adnxtr.com. We are also seeing packets with the same coturn string in them.	Tim 6 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
We have seen these DNS results for the IP: First seen Feb 10 ph.tworismo.com ph.adnxtr.com ph.ninjapd.com ph.dessaly.com	IcePick 1 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
Add: ph.pkthop.com ph.tagsrvcs.com ph.adsrvs.com	Tim 6 Posts
Thread locked. Quote	Apr 29th 2015 7 years ago
I see an HTTP connection to self-repair.mozilla.org just before the STUN UDP attempts. self-repair.mozilla.org 54.192.207.82 54.192.204.196 54.192.206.192 54.230.207.227 54.230.205.75 54.192.205.77 54.192.207.164 54.230.205.208	Anonymous -
Thread locked. Quote	Apr 29th 2015 7 years ago