**** BEGIN LOGGING AT Wed Nov 27 03:00:00 2013

Nov 27 19:44:43 2013-11-27 09:45:41.137 360.157 any 140.211.169.163 435792(45.7) 31.2 M(49.9) 43.0 G(49.5) 86577 955.0 M 1378
Nov 27 19:45:41 O_o
Nov 27 19:45:48 anyone know why barbican2 would be sending that much traffic to a single host in ukraine?
Nov 27 19:46:14 barbican2?
Nov 27 19:46:25 140.211.169.163
Nov 27 19:46:33 also, have you gotten a pcap?
Nov 27 19:46:50 i don't have a pcap, but our network admins likely do
Nov 27 19:47:29 would be curious to see what sort of traffic it is. also, what's barbican2?
Nov 27 19:47:39 no clue
Nov 27 19:48:08 [14:45:48] anyone know why barbican2 would be sending that much traffic to a single host in ukraine?
Nov 27 19:48:10 then why'd you ask? :P
Nov 27 19:48:53 it's a webos-internals host
Nov 27 19:49:30 or something, I'm not sure i understand the reverse pointer
Nov 27 19:49:49 what is 140.211.169.163?
Nov 27 19:50:12 $ host 140.211.169.163
Nov 27 19:50:13 163.169.211.140.in-addr.arpa is an alias for 163.130-190.169.211.140.in-addr.arpa.
Nov 27 19:50:15 163.130-190.169.211.140.in-addr.arpa domain name pointer barbican2.webos-internals.org.
Nov 27 19:52:16 gotcha.
Nov 27 19:52:25 sorry, switching modes in my head. been doing work stuff.
Nov 27 19:52:50 ka6sox: scoutcamper ping
Nov 27 19:52:56 what does barbican2 do?
Nov 27 19:53:19 it doesn't resolve. that's what it does.
Nov 27 19:53:20 what's up?
Nov 27 19:54:10 one of your hosts has been pointed at as a root cause of a network outage for Oregon universities =(
Nov 27 19:54:32 what?
Nov 27 19:54:47 * ka6sox turns it off.
Nov 27 19:54:56 Nmap scan report for barbican2.webos-internals.org (140.211.169.163)
Nov 27 19:54:56 Host is up (0.11s latency).
Nov 27 19:54:56 Not shown: 992 closed ports
Nov 27 19:54:56 PORT STATE SERVICE
Nov 27 19:54:56 22/tcp open ssh
Nov 27 19:54:57 25/tcp filtered smtp
Nov 27 19:54:57 80/tcp open http
Nov 27 19:54:58 135/tcp filtered msrpc
Nov 27 19:54:58 139/tcp filtered netbios-ssn
Nov 27 19:54:59 445/tcp filtered microsoft-ds
Nov 27 19:54:59 4000/tcp open remoteanything
Nov 27 19:55:00 9418/tcp open git
Nov 27 19:55:00 Nmap done: 1 IP address (1 host up) scanned in 38.41 seconds
Nov 27 19:55:12 remoteanything? wat?
Nov 27 19:55:25 don't know that one
Nov 27 19:55:33 let me figure this out..
Nov 27 19:55:49 it responds on port 4000
Nov 27 19:56:01 $ telnet 140.211.169.163 4000
Nov 27 19:56:01 Trying 140.211.169.163...
Nov 27 19:56:01 Connected to barbican2.webos-internals.org.
Nov 27 19:56:01 Escape character is '^]'.
Nov 27 19:56:01 hello
Nov 27 19:56:02 HTTP/1.1 500 Internal Server Error
Nov 27 19:56:02 Content-Length: 0
Nov 27 19:56:03 Connection: keep-alive
Nov 27 19:56:03 Server: thin 1.2.7 codename No Hup
Nov 27 19:56:15 thin. hum.
Nov 27 19:56:47 appears to be a ruby-based web server
Nov 27 19:56:47 http://code.macournoyer.com/thin/
Nov 27 19:57:20 looks like it's serving the wiki
Nov 27 19:57:54 http://140.211.169.163:4000/
Nov 27 19:58:01 or, a wiki.
Nov 27 19:58:25 http://140.211.169.163:4000/wiki?search=test
Nov 27 19:58:27 interesting.
Nov 27 19:58:33 whatever it is…it's broken
Nov 27 20:01:47 Date first seen Duration Proto Src IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
Nov 27 20:01:50 2013-11-27 09:33:40.412 1491.294 any 140.211.166.57 518652(15.6) 31.4 M(13.6) 43.9 G(19.3) 21025 235.4 M 1399
Nov 27 20:02:42 pwnguin, what is it doing?
Nov 27 20:02:42 that's a lot of packets…but what ARE they?
Nov 27 20:02:57 also, out of curiosity, what are you using for flow reporting?
Nov 27 20:02:57 ka6sox: if i knew what it was doing, i wouldn't have to ping you about it =)
Nov 27 20:03:05 okay...it's down
Nov 27 20:03:17 did we get a pcap before ka6sox took it down?
Nov 27 20:03:22 * HaDAk does this shit all day long
Nov 27 20:03:38 * HaDAk works at Arbor Networks doing DDoS mitigation
Nov 27 20:05:41 HaDAk: i'm using email with the ISP who manages this stuff =)
Nov 27 20:05:47 >_>
Nov 27 20:05:52 which isp?
Nov 27 20:05:54 NERO
Nov 27 20:05:59 * HaDAk checks his system
Nov 27 20:06:11 nothing there.
Nov 27 20:06:18 probably not a customer :P
Nov 27 20:06:26 otherwise, this wouldn't be an issue at all, haha
Nov 27 20:06:29 do you serve oregon?
Nov 27 20:06:39 we are global
Nov 27 20:06:41 cuz this is a regional network for oregon universities
Nov 27 20:06:57 we touch, at any given point, 70-90% of global internet traffic
Nov 27 20:07:13 anyway. get a pcap. we'll look at it.

**** ENDING LOGGING AT Thu Nov 28 02:59:58 2013