SANS ISC InfoSec Forums: STUN traffic

STUN traffic
FWIW I dropped an email to Whiteops and referenced this discussion thread.
Ken

2 Posts
The packets I captured as a response from 54.84.9.242 back to a host on port 3478 contained the following text [Coturn-4.4.2.3 'Ardee West'], which when I Google search leads me to here ( https://github.com/sprhawk/coturn/blob/master/ChangeLog ), which leads me to here ( https://code.google.com/p/coturn/ ), which says "The TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server and gateway, too." ... and I see in the code ( https://github.com/sprhawk/coturn/blob/01735d1ef6927a62bad2f0e89fb42f8e2cc3d97e/src/ns_turn_defs.h ) where it defines similar variables:

#define TURN_SERVER_VERSION "4.4.4.1"
#define TURN_SERVER_VERSION_NAME "Ardee West"
#define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
Anonymous

-
Hi all,

This traffic is part of our detection technology. If someone would like specific information please reach out to me or Dan via your corp email address and we can give you more info. Should be easy enough to find us...

Thanks,
Eddie Schwartz
White Ops
Eddie

1 Posts
Hey guys,

Dan Kaminsky here, my apologies for kicking up a ruckus. This is part of a bot detection framework I've built at White Ops; we basically are able to detect browser automation using resources exposed in JavaScript. Nothing dangerous to users -- or we'd go file bugs on it, which we do from time to time -- but it does provide useful data regarding post-exploitation behavior. Happy to jump on a call with anyone concerned or worried; I'm over at dan@whiteops.com.

--Dan
Dan Kaminsky

2 Posts
Thanks for the update, Dan.

If I have internal machines making these connections, do I need to look into bot activity on them?
Tim

6 Posts
You don't need to worry about your internal machines, but you should be aware that browsers (via WebRTC) can make legitimate STUN requests now. I actually expect this to become more common once the perf guys realize the incredibly fine grained control they're about to get on networking (much better than even Websockets).

If you mail dan@whiteops.com with your address range I'll let you know if we've seen any automation from your network, though. Again, apologies for the ruckus.

--Dan
Dan Kaminsky

2 Posts
Thanks everyone for pitching in with packets and logs. I have updated the original "call for packets", see isc.sans.edu/forums/diary/UDP3478+to+Amazon+54849242+got+packets+solved/19639/
Daniel

367 Posts
ISC Handler
This is how my Snort has been flagging this traffic.
It's been driving me crazy for two weeks.
Thanks, Dan Kaminsky.

[1:2016149:2] ET INFO Session Traversal Utilities for NAT (STUN Binding Request) [Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP} 192.168.1.160:49901 -> 54.84.9.242:3478
Anonymous

-
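The parser below is an added example, not code from this thread or from the coturn project: it walks a STUN message using the RFC 5389 framing (magic cookie, 4-byte-padded attributes), extracts the SOFTWARE attribute that carried the "Coturn-4.4.2.3 'Ardee West'" string quoted earlier in the thread, and decodes XOR-MAPPED-ADDRESS, so a Binding Request like the one in the Snort alert above and its response can be triaged from a capture. The sample packets, their transaction ids and the mapped address 203.0.113.7 are constructed for the example.

```python
import struct
import socket

STUN_MAGIC_COOKIE = 0x2112A442
# Message types and attribute codes from RFC 5389
STUN_TYPES = {0x0001: "Binding Request", 0x0101: "Binding Success Response", 0x0111: "Binding Error Response"}
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022


def parse_stun(data: bytes) -> dict:
    """Parse one STUN message (RFC 5389 framing); raise ValueError if it is not one."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    # top two bits of the type are zero and the magic cookie must match
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if len(data) < 20 + msg_len:
        raise ValueError("truncated STUN body")
    info = {"type": STUN_TYPES.get(msg_type, hex(msg_type)),
            "transaction_id": data[8:20].hex(), "software": None, "mapped": None}
    pos, end = 20, 20 + msg_len
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if attr_type == ATTR_SOFTWARE:
            info["software"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 1:  # IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
            addr = bytes(b ^ c for b, c in zip(value[4:8], data[4:8]))  # XOR with cookie bytes
            info["mapped"] = (socket.inet_ntoa(addr), port)
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return info


def build_stun(msg_type: int, txn_id: bytes, attrs) -> bytes:
    """Assemble a STUN message from (attribute_type, value) pairs; used to build the samples."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4)
                    for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + txn_id + body


# Constructed samples: a Binding Request like the one Snort flagged, and a Binding Success
# Response carrying the SOFTWARE string quoted in the thread (ids and mapped address made up).
SAMPLE_REQUEST = build_stun(0x0001, b"\x01" * 12, [])
_xor_addr = struct.pack("!BBH", 0, 1, 49901 ^ (STUN_MAGIC_COOKIE >> 16)) + bytes(
    b ^ c for b, c in zip(socket.inet_aton("203.0.113.7"), struct.pack("!I", STUN_MAGIC_COOKIE)))
SAMPLE_RESPONSE = build_stun(0x0101, b"\x01" * 12,
                             [(ATTR_SOFTWARE, b"Coturn-4.4.2.3 'Ardee West'"),
                              (ATTR_XOR_MAPPED_ADDRESS, _xor_addr)])
```

Feed `parse_stun` the UDP payload of each port-3478 packet from a capture; a response whose `software` field names a TURN server build is the same kind of fingerprint the poster above found by reading the packet bytes.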
I would also like to get to the bottom of this traffic. I've been seeing it for about a month now.

STUN requests are being made to 54.84.9.242 which is registered with Amazon but resolves to "tworismo.com".

Some of the request responses seem to be blocked by our corporate firewall but we are receiving responses on some subnets.

I've traced this IP on our IDS and I've connected to some machines that I've seen it come from and I always see the 54.x.x.x addresses associated with Firefox.exe but I've never seen the 54.84.9.242 address as active in netstat.

I tried grabbing the Firefox history SQLite db off one of the users I saw making this STUN request but I was unable to net anything from that.

I have a feeling this is somehow tied to Firefox, perhaps a plugin that several of our users use but I haven't narrowed it down yet.
cl1ft

1 Posts