
SANS ISC: Unusual CRL traffic? - SANS Internet Storm Center SANS ISC InfoSec Forums


Unusual CRL traffic?

One of our readers, Brian, wrote in this morning saying that he was seeing an unusually high volume of traffic attempting to check certificate revocation lists (CRLs) from lots of different IPs (so it doesn't look like a denial of service attack; there are lots of both sources and destinations). I haven't heard of anything that's going on that would cause this behavior, but thought I'd ask our readers if they were seeing anything similar. Could a patch have caused it? Microsoft did patch IE 10 days ago, but that would be quite a lag time. If anyone else is seeing this and could grab a sample of the traffic (so we could look at User-Agents, etc.), please respond below or through our contact page. Thanks in advance for your assistance.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS DFIR Summit & Training 2022
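As an added example (not part of Jim's diary or any reader's reply), the triage the diary asks readers for, in Python: pick CRL fetches out of proxy-log lines, count distinct sources, destinations and User-Agents, and flag a volume several orders of magnitude above a baseline. The log layout, hostnames and addresses below are constructed for the example and are not any product's real format.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in a simplified proxy-log layout (not a real product's
# format): "<epoch> <src_ip> <method> <url> <status> \"<user-agent>\"".
SAMPLE_LOG = """\
1408950001 10.1.4.22 GET http://crl.example-ca.test/root.crl 200 "Microsoft-CryptoAPI/6.1"
1408950002 10.1.4.23 GET http://crl.example-ca.test/root.crl 200 "Microsoft-CryptoAPI/6.1"
1408950002 10.1.7.9 GET http://crl2.example-ca.test/sub.crl 200 "Microsoft-CryptoAPI/6.3"
1408950003 10.1.4.22 GET http://www.example.test/index.html 200 "Mozilla/5.0"
1408950004 10.1.9.40 GET http://crl.other-ca.test/ca.CRL 200 "Mozilla/5.0"
1408950005 10.1.4.23 GET http://crl.example-ca.test/root.crl 304 "Microsoft-CryptoAPI/6.1"
1408950006 10.1.2.2 POST http://api.example.test/upload 200 "curl/7.30"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Return (src_ip, url, user_agent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(2), m.group(4), m.group(6)

def is_crl_request(url):
    """Treat any fetch whose URL path ends in .crl (any case) as a CRL download."""
    return urlparse(url).path.lower().endswith(".crl")

def summarize_crl_traffic(log_text):
    """Count CRL fetches and the facts the diary asks for: sources, destinations, User-Agents."""
    sources, destinations, agents = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, url, ua = parsed
        if not is_crl_request(url):
            continue
        sources[src] += 1
        destinations[urlparse(url).hostname] += 1
        agents[ua] += 1
    return {
        "total": sum(sources.values()),
        "distinct_sources": len(sources),
        "distinct_destinations": len(destinations),
        "user_agents": dict(agents),
    }

def is_volume_anomalous(observed, baseline, factor=10):
    """Flag when CRL volume is at least `factor` times the usual count for the same window."""
    return observed >= max(1, baseline) * factor
```

Run `summarize_crl_traffic` over a normal window first to establish the baseline count, then over the suspicious window; many distinct sources hitting many distinct CRL hosts with a single unexpected User-Agent is the pattern worth sharing.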


423 Posts
ISC Handler
Aug 25th 2014
Were the CRLs being searched unusual as well? And is there any way to quantify "a lot"?
No, the CRLs looked to be normal (in the snippet that was shared with us), but the volume was several orders of magnitude greater than what the reader was used to seeing.

423 Posts
ISC Handler
