
SANS ISC: Oversharing - SANS Internet Storm Center SANS ISC InfoSec Forums

Oversharing

When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "after glow".

Deny udp src outside:187.13.XX.XX/22350 dst inside:64.9.XX.XX/8832
Deny udp src outside:46.249.XX.XX/27376 dst inside:64.9.XX.XX/8832
Deny udp src outside:188.134.XX.XX/49611 dst inside:64.9.XX.XX/8832
Deny udp src outside:125.168.XX.XX/13757 dst inside:64.9.XX.XX/8832
Deny udp src outside:80.99.XX.XX/16008 dst inside:64.9.XX.XX/8832
Deny udp src outside:212.96.XX.XX/48884 dst inside:64.9.XX.XX/8832
Deny udp src outside:178.70.XX.XX/48699 dst inside:64.9.XX.XX/8832
Deny udp src outside:154.45.XX.XX/1078 dst inside:64.9.XX.XX/8832

We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise ...

... that Michael's network was responding to the traffic. Hm. Oops!

Closer inquiry then revealed that they had recently updated the firmware on their QNAP TS-659 NAS (network storage) server, and that this new version came with the ability to act as a media and streaming server. It isn't quite clear whether the corresponding functionality had been "on" by default or had been turned on by accident. But once it was turned off, the "odd UDP traffic" stopped right away.

Lesson learned - after an upgrade, check if things are still how you expect them to be. While most vendors have thankfully learned to keep new "features" turned off by default, you can't quite rely on it. For home use, investing in a small network tap or hub, and every now and then checking the traffic leaving your house is (a) a good security precaution and (b) helps to keep your Wireshark Packet-Fu skills current :)
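One way to do that post-upgrade check against a firewall log, as an added example that is not part of the diary: a small Python script that parses deny lines in the format shown above and flags an inside port being hit by many distinct outside hosts from scattered ephemeral ports, the fan-in pattern a freshly enabled peer-to-peer media service produces. The sample lines are constructed from the diary's log (the last one is an unrelated benign DNS reply), and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Matches the firewall deny lines quoted in the diary: "Deny udp src <if>:<ip>/<port> dst <if>:<ip>/<port>".
# "X" is allowed in addresses so the diary's redacted octets parse too.
LINE_RE = re.compile(
    r"Deny udp src \w+:(?P<src_ip>[\d.X]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\d.X]+)/(?P<dst_port>\d+)"
)

# Constructed sample: the eight lines from the diary plus one benign DNS reply to an ephemeral port.
SAMPLE_LOG = """\
Deny udp src outside:187.13.XX.XX/22350 dst inside:64.9.XX.XX/8832
Deny udp src outside:46.249.XX.XX/27376 dst inside:64.9.XX.XX/8832
Deny udp src outside:188.134.XX.XX/49611 dst inside:64.9.XX.XX/8832
Deny udp src outside:125.168.XX.XX/13757 dst inside:64.9.XX.XX/8832
Deny udp src outside:80.99.XX.XX/16008 dst inside:64.9.XX.XX/8832
Deny udp src outside:212.96.XX.XX/48884 dst inside:64.9.XX.XX/8832
Deny udp src outside:178.70.XX.XX/48699 dst inside:64.9.XX.XX/8832
Deny udp src outside:154.45.XX.XX/1078 dst inside:64.9.XX.XX/8832
Deny udp src outside:203.0.113.53/53 dst inside:64.9.XX.XX/51234
"""

def parse_denies(log_text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src_ip"], int(m["src_port"]), m["dst_ip"], int(m["dst_port"]))

def find_fixed_port_fanin(log_text, min_peers=5):
    """Group denied UDP packets by the inside (ip, port) they were aimed at and report
    endpoints contacted by at least min_peers distinct outside hosts using at least
    min_peers distinct source ports. One chatty client would reuse its port; a swarm
    of peers that learned about the host from a P2P overlay does not."""
    peers = defaultdict(set)      # inside endpoint -> set of outside IPs
    src_ports = defaultdict(set)  # inside endpoint -> set of outside source ports
    for src_ip, src_port, dst_ip, dst_port in parse_denies(log_text):
        peers[(dst_ip, dst_port)].add(src_ip)
        src_ports[(dst_ip, dst_port)].add(src_port)
    findings = []
    for key, hosts in peers.items():
        if len(hosts) >= min_peers and len(src_ports[key]) >= min_peers:
            findings.append({"inside": f"{key[0]}/{key[1]}", "peers": len(hosts),
                             "distinct_src_ports": len(src_ports[key])})
    return findings

if __name__ == "__main__":
    for f in find_fixed_port_fanin(SAMPLE_LOG):
        print(f"inside port {f['inside']} hit by {f['peers']} outside hosts "
              f"from {f['distinct_src_ports']} distinct source ports")
```

Run it against a day's worth of deny lines after any firmware update; a new entry in the output is a service that started listening (or announcing itself) without you asking.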

And while we are on the topic of NAS and storage servers: A CERT vulnerability note released today states that some versions of Synology DiskStation contain a hard-coded password which can be used by remote attackers to establish a VPN into the DiskStation. Oh lovely!  Details here: http://www.kb.cert.org/vuls/id/534284


Daniel

367 Posts
ISC Handler
Good topic.

Here's a stupidly pedestrian example. Ever noticed that Bluetooth turns itself back on after every iPhone iOS update? Maybe that's not an enterprise-wide mission-critical issue, but I just don't understand why an update would change ANY user settings unless actual functionality was deprecated or changed.

Gavin

4 Posts
A consistent UDP source port and wildly erratic ephemeral destination ports make me think P2P Zeus... something to keep in mind should the user start observing the traffic again.
Brian

1 Posts
From the fw logs and pcap data, it doesn't appear that Michael's network is responding to traffic. It appears that it is initiating it, and then the replies are stopped at the firewall. So why would his storage server be initiating UDP conversations to numerous Internet hosts on numerous ephemeral ports while maintaining a fixed source port? As the previous poster said, malware, perhaps? Or maybe there is something P2P-based on the new version of the NAS? I have seen other P2P apps, such as Skype, exhibit similar behavior as they try to reach out to other nodes on the Internet.
Brian
2 Posts
