For this assignment, we…
- set up a server with a public IP address
- closed most of the ports with UFW
- waited for the UFW logs to fill up
I left my server up for about a month and logged about 88k requests.
There is a noticeable spike on Oct 24 and 25.
The additional traffic came in from two different countries, China and France.
While the two countries' traffic spikes came at about the same time, they were very different in quality. I cannot explain the relationship between the two traffic spikes.
Also, I am not sure why there was a dip in the total volume of connection attempts from other countries. I didn’t see anything in the documentation for my Digital Ocean Droplet regarding limiting network volume.
The additional traffic spike from China looked like what I expect a coordinated zombie-net to look like.
It came from many different IP addresses, focused on just a few ports. Most of the connections were from a unique source.
Ports 54368 and 62792 are used by Apple Xsan, but a quick search on the internet didn't mention any known vulnerabilities.
Port 46634 seems unassigned and not used by any common pieces of software, so I don’t know why that port was targeted.
The French traffic looked very different from the Chinese traffic.
It came from a single source and seemed to be trying every single port within two plausible ranges.
It also seemed to be selecting source ports at random through which to connect.
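The two patterns described above (many source addresses hitting a handful of destination ports, versus one source walking through whole port ranges) are easy to tell apart once the UFW log is parsed into structured events. The following is an added example, not code from the original write-up: it parses `[UFW BLOCK]` kernel-log lines in the real `key=value` layout UFW writes, counts attempts per day, profiles each source IP, and applies a simple heuristic classifier. The log lines, IP addresses (documentation ranges) and the classifier thresholds are all constructed for the example.

```python
"""Added example (not from the original write-up): parse UFW block log lines and
distinguish 'many sources, few ports' bursts from 'one source, many ports' sweeps."""
import re
from collections import Counter, defaultdict

# key=value fields in the kernel-log line UFW writes via iptables LOG.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")
_STAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")


def parse_ufw_line(line):
    """Return a dict for one [UFW BLOCK] line, or None for anything else."""
    if "[UFW BLOCK]" not in line:
        return None
    stamp = _STAMP.match(line)
    fields = dict(_FIELD.findall(line))
    if not stamp or "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None
    return {
        "date": f"{stamp['mon']} {int(stamp['day']):02d}",
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": int(fields["SPT"]) if fields.get("SPT", "").isdigit() else None,
        "dpt": int(fields["DPT"]),
    }


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not UFW blocks."""
    return [e for e in (parse_ufw_line(l) for l in text.splitlines()) if e]


def daily_counts(events):
    """Blocked attempts per day; a spike like the Oct 24/25 one shows up here."""
    return Counter(e["date"] for e in events)


def profile(events):
    """Per-source view: number of attempts and number of distinct destination ports."""
    ports_by_src = defaultdict(set)
    hits_by_src = Counter()
    for e in events:
        ports_by_src[e["src"]].add(e["dpt"])
        hits_by_src[e["src"]] += 1
    return {s: {"hits": hits_by_src[s], "ports": len(ports_by_src[s])} for s in hits_by_src}


def classify(events, min_sources=3, max_ports=5, min_ports=20):
    """Heuristic label for a burst of events.
    'distributed-few-ports': many source IPs hammering a handful of destination ports
    'single-source-sweep'  : one source IP walking a wide set of destination ports
    'other'                : neither pattern
    The thresholds are assumptions chosen for this example, not values from the log."""
    sources = {e["src"] for e in events}
    dports = {e["dpt"] for e in events}
    if len(sources) >= min_sources and len(dports) <= max_ports:
        return "distributed-few-ports"
    if len(sources) == 1 and len(dports) >= min_ports:
        return "single-source-sweep"
    return "other"


def _line(date, src, spt, dpt):
    # Builds one constructed log line in UFW's kernel-log layout.
    return (f"{date} 03:12:01 droplet kernel: [UFW BLOCK] IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.5 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample: ten sources hitting three ports on Oct 24, and one source
# sweeping ports 8000-8039 from random-looking source ports on Oct 25.
BURST = [_line("Oct 24", f"203.0.113.{i}", 40000 + i, p)
         for i in range(1, 11) for p in (54368, 62792, 46634)]
SWEEP = [_line("Oct 25", "198.51.100.77", 50000 + k, 8000 + k) for k in range(40)]
SAMPLE_LOG = "\n".join(BURST + SWEEP + ["Oct 26 01:00:00 droplet sshd[100]: noise line"])


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per day:", dict(daily_counts(events)))
    for day in ("Oct 24", "Oct 25"):
        subset = [e for e in events if e["date"] == day]
        print(day, classify(subset), profile(subset))
```

Run against a real `/var/log/ufw.log` you would replace `SAMPLE_LOG` with the file contents and group events by day (or by hour) before calling `classify`; the per-source `profile` is what separates a distributed burst with one hit per address from a single scanner with thousands.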
Someone else seems to have noticed this machine as well:
> Someone from France is interested in Guardian AST.
> — Ryan Miller (@someinfosecguy), October 15, 2019
I believe Guardian AST refers to the system that manages gas station pumps.