Friday, June 30, 2017

May be infected with Wannacry or similar: Port 445

Hosts hitting my network on port 445 in the past few minutes - may be infected by WannaCry or?

China and Vietnam

31.29.215.8

  • inetnum: 31.29.212.0 - 31.29.215.255
  • netname: CMST-ORENBURG-20130115
  • descr: Orenburg TsuS of Privolzhsky branch of CJS Komstar-Regiony
  • country: RU
  • admin-c: OMZ4-RIPE
  • tech-c: OMZ4-RIPE
  • status: ASSIGNED PA
  • mnt-by: OVERTA-MNT
  • created: 2013-01-15T06:28:42Z
  • last-modified: 2017-06-01T12:12:14Z
  • source: RIPE
  • person: Oleg M Zavalishin
  • address: 14, Karavannaya st., Orenburg
  • phone: +73532372111
  • nic-hdl: OMZ4-RIPE
  • notify: noc@itrtc.ru
  • mnt-by: OVERTA-MNT
  • created: 2013-01-15T06:21:59Z
  • last-modified: 2013-01-15T06:21:59Z
  • source: RIPE

42.116.26.112

  • inetnum: 42.116.16.0 - 42.116.31.255
  • netname: FPT-STATICIP-NET
  • country: vn
  • descr: FPT Telecom Company
  • descr: 2nd floor FPT Building, Pham Hung Road, Cau Giay District, Hanoi
  • admin-c: TTH19-AP
  • tech-c: NOC21-AP
  • status: ALLOCATED NON-PORTABLE
  • remarks: For spamming matters, mail to abuse@fpt.vn
  • changed: hm-changed@vnnic.net.vn 20120809
  • mnt-by: MAINT-VN-FPT
  • mnt-irt: IRT-VNNIC-AP
  • source: APNIC
  • irt: IRT-VNNIC-AP
  • address: Ha Noi, VietNam
  • phone: +84-4-35564944
  • fax-no: +84-4-37821462
  • e-mail: hm-changed@vnnic.net.vn
  • abuse-mailbox: hm-changed@vnnic.net.vn
  • admin-c: PT174-AP
  • tech-c: NTTT1-AP
  • auth: # Filtered
  • mnt-by: MAINT-VN-VNNIC
  • changed: hm-changed@vnnic.net.vn 20101108
  • source: APNIC

Monday, June 26, 2017

DNS traffic, Port 53, AWS

Update: @colmmacc was kind enough to get back to me with these comments on Twitter, if you are looking for AWS DNS CIDRs:

Will look at better JSON description. In the meantime, all of Route 53 is in 205.251.192.0/19. DNS needs TCP/53 open too for large answers. We'll add more IPs to Route 53 over time too. But unlikely to ever remove.

----

Taking a look at the IP addresses my EC2 instance attempts to connect to for DNS.

Unfortunately, Amazon does not say on its published IP ranges list which ranges are specifically for DNS, which makes it hard to write rules in NACLs or security groups that allow only DNS traffic:

https://ip-ranges.amazonaws.com/ip-ranges.json

Looks like my EC2 instance attempted to connect to the following IPs. Since this is a WatchGuard Firebox Cloud, some of these IPs could be related to WatchGuard; however, the names do not resolve to WatchGuard DNS entries. So is this AWS DNS traffic or WatchGuard DNS traffic? I can explore this further, but it makes it more complicated to create network rules that only allow my instance to reach the desired DNS server.


205.251.194.62 53 ns-574.awsdns-07.net.
205.251.195.90 53 ns-858.awsdns-43.net.
85.115.52.190 53 cluster-a.mailcontrol.com.
205.251.194.153 53 ns-665.awsdns-19.net.
205.251.194.153 53 ns-665.awsdns-19.net.
205.251.197.166 53 ns-1446.awsdns-52.org.
216.69.185.47 53 ns73.domaincontrol.com.
64.95.61.5 53 dns3-1.acs.pnap.net.
103.243.111.211 53 Comtouch?? India??

What's the problem? If an instance goes to the incorrect DNS server this could pose a serious security problem. If an instance resolves a DNS name to the wrong IP address it could potentially be connecting to a rogue host due to the incorrectly resolved name. Perhaps non-AWS traffic is related to a WatchGuard service. More inspection is needed.

So what to do...it looks like the addresses with awsdns-xx in the name are in this AWS global IP range:

   {
      "ip_prefix": "205.251.192.0/19",
      "region": "GLOBAL",
      "service": "AMAZON"
    },

It looks like the service is using UDP (protocol 17).

So for now I will allow egress traffic (initiated from my instance to the Internet) on port 53 to the global AWS range above on protocol 17, plus the ephemeral ports inbound for the replies. We'll see what happens...
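As an added example (not code from the original post), here is a small Python check for the question raised above: which of the observed port-53 destinations fall inside the Route 53 range 205.251.192.0/19, and whether the rest sit in any AWS prefix at all. The ip-ranges excerpt is constructed in the shape of ip-ranges.json; the function names are my own.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Only the GLOBAL prefix quoted in the post plus one more sample entry; the real
# file is far longer, so fetch it and pass its text in for a real check.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "205.251.192.0/19", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "54.240.0.0/12", "region": "GLOBAL", "service": "AMAZON"},
    ]
})

# Destination IPs the instance was seen contacting on port 53 (from the post).
OBSERVED_DNS_DESTINATIONS = [
    "205.251.194.62", "205.251.195.90", "85.115.52.190", "205.251.194.153",
    "205.251.197.166", "216.69.185.47", "64.95.61.5", "103.243.111.211",
]

# Route 53 range as given in the @colmmacc reply quoted above.
ROUTE53_RANGE = ipaddress.ip_network("205.251.192.0/19")


def aws_prefixes_for(ip_text, ip_ranges_json):
    """Return every prefix in an ip-ranges.json document that contains ip_text."""
    ip = ipaddress.ip_address(ip_text)
    prefixes = json.loads(ip_ranges_json)["prefixes"]
    return [p["ip_prefix"] for p in prefixes
            if ip in ipaddress.ip_network(p["ip_prefix"])]


def classify_dns_destinations(destinations, ip_ranges_json):
    """Split port-53 destinations into Route 53 resolvers and everything else.

    The second list pairs each non-Route 53 IP with the AWS prefixes it falls
    in (empty list = not an AWS address at all), which is the 'talking to the
    wrong DNS server' case the post is worried about.
    """
    in_route53, elsewhere = [], []
    for dst in destinations:
        if ipaddress.ip_address(dst) in ROUTE53_RANGE:
            in_route53.append(dst)
        else:
            elsewhere.append((dst, aws_prefixes_for(dst, ip_ranges_json)))
    return in_route53, elsewhere


if __name__ == "__main__":
    ok, suspect = classify_dns_destinations(OBSERVED_DNS_DESTINATIONS, SAMPLE_IP_RANGES)
    print("Route 53:", ok)
    for dst, prefixes in suspect:
        print("outside Route 53:", dst, "AWS prefixes:", prefixes or "none (not AWS)")
```

Destinations that land in the second list are the ones an egress rule limited to 205.251.192.0/19 UDP/TCP 53 would block, so they are the ones to chase down (WatchGuard or otherwise) before tightening the NACL.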



Monday, June 19, 2017

Traffic between Level 3 and Amazon

Traffic seems to be lagging between Level 3 and Amazon network right now.

Long time between 10 and 16....

10  4.16.168.34 (4.16.168.34)  320.557 ms  499.070 ms  359.076 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * 205.251.232.225 (205.251.232.225)  196.417 ms *

Tuesday, June 13, 2017

Home IOT Ports ~ Echo, Apple and Interesting

Amazon Echo - so she can "understand" you:
33434 UDP
23.20.0.0-23.23.255.255

Apple Push Notifications
Ports listed on this page:
https://support.apple.com/en-us/HT203609
2195 TCP
2196 TCP
5223 TCP
Fallback if 5223 TCP can't be reached
17.0.0.0-17.255.255.255

Google Play

I have read on various unofficial and not super clear websites that the following ports are required for Google Play:

5228-5223 TCP

I don't use Google Play, and the odd thing is that traffic for this port is attempting to go out of my network to an Amazon IP. Is this something Amazonian, or something trying to get out of my network using the same ports as Google Play?

54.241.171.202