[emanicslab] Suspicious Activity on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr

David Hausheer hausheer at ifi.uzh.ch
Sat Jan 4 23:59:36 CET 2014


Dear Emmanuel, all,

In the meantime, I have done some further analysis of the connections 
(see attached file):

- 10% of the flows originate from EmanicsLab PLC and PlanetLab Europe 
which can be considered regular behavior (e.g. related to Ganglia, etc.)
- 45% of the remaining flows go to host3-plb.loria.fr and 
host4-plb.loria.fr which are NOT EmanicsLab hosts.

Out of the unidentified traffic to host1-plb.loria.fr and 
host2-plb.loria.fr:

- 28% of the flows originate from sources that connect to BOTH 
host1-plb.loria.fr and host2-plb.loria.fr, but not to 
host3-plb.loria.fr, thus they are probably not scanning attacks
- 65% of the flows go to host1-plb.loria.fr
- 38% of the packets (20% of traffic / 4% of the flows) originate from 
the Amazon Cloud, going to host1-plb.loria.fr

In the respective timeframe Dec 17 00:00 - 13:00 CET the only SSH login 
on host1-plb.loria.fr was from slice uzh_scraper, however, this may not 
mean anything. It is no longer possible to exactly identify the 
responsible slice for the traffic since the netflow logs are kept on the 
hosts for a limited time only.

Overall, we can conclude:

- More than half of the flows either originate from EmanicsLab PLC or go 
to PlanetLab Europe hosts (not EmanicsLab), thus may be considered 
"regular" traffic
- The exact slice responsible for the traffic can no longer be 
identified, and there is no clear evidence that the traffic was related 
to an attack.

@Emmanuel, I propose that you open the two hosts again and that we 
closely monitor them over the next few days for any suspicious activity.

Best regards
David

On 28.12.2013 10:01, David Hausheer wrote:
> I already checked but could not find anything so far. Will try again to dig deeper in the next days.
>
> Best regards
> David
>
> On Dec 27, 2013 11:24 PM, Juan Pablo Timpanaro <jptimpanaro at gmail.com> wrote:
>>
>> Hello David,
>>
>> Did you have any news regarding that "attack"?
>>
>> Best,
>>
>>
>> On 19 December 2013 17:04, David Hausheer <hausheer at ps.tu-darmstadt.de> wrote:
>>>
>>> Thanks Andri,
>>>
>>> as soon as I am able to log in to the nodes, I may be able to get a better understanding as to which slice may have been the target of the "attack".
>>>
>>> Best regards
>>> David
>>>
>>>
>>> On 19.12.2013 09:43, Andri Lareida wrote:
>>>>
>>>> Dear David,
>>>>
>>>> The crawler itself certainly does not cause this behavior. The torrents
>>>> come from a portal via RSS, so there is the possibility that some very
>>>> popular torrents are in there. When BT clients from all over the world
>>>> try to connect to the Inria host when there is no client running, I
>>>> imagine this could look like a DDoS attack. Although, the traffic seems too
>>>> high for that.
>>>>
>>>> On the other hand there are many PlanetLab Hosts in the log.
>>>>
>>>> Let's see the more detailed information. This will help a lot. In the
>>>> meantime I can check what ports were announced.
>>>>
>>>> Cheers
>>>> Andri
>>>>
>>>>
>>>>
>>>>
>>>> On 12/19/2013 09:29 AM, Juan Pablo Timpanaro wrote:
>>>>>
>>>>> Dear Andri,
>>>>>
>>>>> Have you used a specific node (or nodes) to announce a specific,
>>>>> probably popular, content (movie,...)? A crawler itself cannot
>>>>> (should not) produce this behavior. It seems more like an old-fashioned
>>>>> DDoS, with INRIA nodes as targets.
>>>>>
>>>>> Looking forward to further information on those flows.
>>>>>
>>>>> Best,
>>>>>
>>>>> On Dec 19, 2013, at 9:19 AM, Andri Lareida wrote:
>>>>>
>>>>>> Dear David,
>>>>>>
>>>>>> As far as I understand, the log file shows incoming connections. I'm
>>>>>> testing a BitTorrent Tracker crawler at the moment. For that the
>>>>>> node announces itself to several BitTorrent Trackers to get IPs. This
>>>>>> also means that the IP of the EmanicsLab node will be on the Tracker
>>>>>> and other hosts might try to connect to it. Since no BitTorrent
>>>>>> client is running on the node, no connection can be established.
>>>>>> Therefore, I cannot explain why the flows have KB sizes. The node
>>>>>> also joins the BitTorrent DHT, which might result in incoming
>>>>>> connections.
>>>>>>
>>>>>> Some more detailed information on ports and transport protocol would
>>>>>> help finding an answer.
>>>>>>
>>>>>> Regards
>>>>>> Andri
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 18.12.2013 18:59, David Hausheer wrote:
>>>>>>>
>>>>>>> Dear EmanicsLab users,
>>>>>>>
>>>>>>> we have some suspicious activity ongoing on EmanicsLab nodes
>>>>>>> host1-plb.loria.fr and host2-plb.loria.fr.
>>>>>>>
>>>>>>> Since those of you addressed explicitly in the Email header are
>>>>>>> running experiments including those nodes, I would like to
>>>>>>> understand if the traffic originates from any of your slices.
>>>>>>>
>>>>>>> Thus, please take a look at the attached log file, and let me know
>>>>>>> if the hostnames are familiar to you. It may also be that one of
>>>>>>> your slices has been hacked, in which case we would need to disable it.
>>>>>>>
>>>>>>> Thus, please inform me as soon as possible if
>>>>>>>
>>>>>>> a) you know that your slice IS the source of those connections
>>>>>>> b) you know that your slice is NOT the source of those connections
>>>>>>> c) you don't know (your slice may be hacked)
>>>>>>>
>>>>>>> Thank you and best regards
>>>>>>> David
>>>>>>>
>>>>>>> On 18.12.2013 16:09, Emmanuel Nataf wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The hosts host1-plb.loria.fr and host2-plb.loria.fr are down for
>>>>>>>> security reasons.
>>>>>>>> Since last week a very large amount of connections, coming from
>>>>>>>> everywhere (and probably not all registered nodes), has threatened our
>>>>>>>> firewall.
>>>>>>>> I attach the firewall log.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> E. Nataf
>>>>>>>> INRIA Nodes
>>>>>>
>>>>>> _______________________________________________
>>>>>> emanicslab mailing list
>>>>>> emanicslab at lists.ifi.uzh.ch
>>>>>> https://lists.ifi.uzh.ch/listinfo/emanicslab
>>>>
>>>>
>>>
>>> --
>>> Prof. Dr. David Hausheer
>>>
>>> Technische Universitaet Darmstadt
>>> Dept. of Electrical Engineering & Information Technology
>>>
>>> Rundeturmstr. 10, Building S3/20, Room 225
>>> 64283 Darmstadt, Germany
>>> Phone: +49 6151 16 4280
>>> Fax: +49 6151 16 6152
>>> E-Mail: hausheer at ps.tu-darmstadt.de
>>> Web: http://www.ps.tu-darmstadt.de/
>>
>>
>>
>>
>> --
>>
>>
>> Juan Pablo Timpanaro

-- 
+-----------------------------------------------------------+
| David Hausheer, Dr. sc. techn. ETH                        |
| Department of Informatics (IFI), University of Zurich     |
|-----------------------------------------------------------|
| Postal Address: Binzmuehlestrasse 14, CH-8050 Zurich      |
|-----------------------------------------------------------|
| Phone:  +41-44-635-4372 | VoIP:   sip:hausheer at ifi.uzh.ch |
| Fax:    +41-44-635-6809 | E-Mail:     hausheer at ifi.uzh.ch |
| Mobile: +41-79-336-4076 | Web: http://hausheer.osola.com/ |
+-----------------------------------------------------------+
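As an added example (not from the thread or the attached spreadsheet), the following Python script reproduces the bucketing used in the analysis above on constructed flow records: the share of flows from testbed prefixes, the share of the remainder going to non-EmanicsLab hosts, and the share of unidentified flows whose sources contact both host1 and host2 but never host3. The host names come from the thread; the address prefixes, source addresses and packet counts are placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical prefixes: the thread names the hosts but gives no address
# ranges, so the testbed networks below are placeholders.
EMANICSLAB_HOSTS = {"host1-plb.loria.fr", "host2-plb.loria.fr"}
OTHER_SITE_HOSTS = {"host3-plb.loria.fr", "host4-plb.loria.fr"}  # not EmanicsLab
TESTBED_NETS = [ip_network("10.10.0.0/16"),   # stand-in for EmanicsLab PLC
                ip_network("10.20.0.0/16")]   # stand-in for PlanetLab Europe

# Constructed flow records (src_ip, dst_host, packets); not the real log.
FLOWS = [
    ("10.10.1.5",    "host1-plb.loria.fr", 40),  # testbed peer, e.g. Ganglia
    ("10.20.2.9",    "host2-plb.loria.fr", 35),  # testbed peer
    ("203.0.113.7",  "host1-plb.loria.fr", 3),   # external source hitting
    ("203.0.113.7",  "host2-plb.loria.fr", 3),   #   host1 and host2 only
    ("198.51.100.4", "host1-plb.loria.fr", 2),   # external source hitting
    ("198.51.100.4", "host2-plb.loria.fr", 2),   #   all three hosts: a
    ("198.51.100.4", "host3-plb.loria.fr", 2),   #   sweep of the site
    ("192.0.2.8",    "host3-plb.loria.fr", 5),   # to non-EmanicsLab hosts
    ("192.0.2.9",    "host4-plb.loria.fr", 5),
    ("192.0.2.10",   "host1-plb.loria.fr", 1),   # single-host external source
]

def is_testbed(src):
    # True if the source address lies in a known testbed prefix.
    return any(ip_address(src) in net for net in TESTBED_NETS)

def share(part, whole):
    return len(part) / len(whole) if whole else 0.0

def summarize(flows):
    """Bucket flows the way the analysis in the mail above does."""
    dests = defaultdict(set)              # src -> set of hosts it contacted
    for src, dst, _ in flows:
        dests[src].add(dst)
    testbed = [f for f in flows if is_testbed(f[0])]
    rest = [f for f in flows if not is_testbed(f[0])]
    to_other = [f for f in rest if f[1] in OTHER_SITE_HOSTS]
    unidentified = [f for f in rest if f[1] in EMANICSLAB_HOSTS]
    # A source that talks to both EmanicsLab hosts but never to host3 is
    # unlikely to be sweeping the site's address space.
    paired = [f for f in unidentified if EMANICSLAB_HOSTS <= dests[f[0]]
              and "host3-plb.loria.fr" not in dests[f[0]]]
    return {
        "testbed_share": share(testbed, flows),
        "to_other_share": share(to_other, rest),
        "unidentified": len(unidentified),
        "paired_not_scan_share": share(paired, unidentified),
        "host1_share": share([f for f in unidentified
                              if f[1] == "host1-plb.loria.fr"], unidentified),
    }
```

On the constructed records it reports 20% testbed flows, 37.5% of the remainder going to non-EmanicsLab hosts, and 40% of the unidentified flows coming from sources that pair host1 and host2 without touching host3.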
-------------- next part --------------
A non-text attachment was scrubbed...
Name: attack.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 77788 bytes
Desc: not available
URL: <http://lists.ifi.uzh.ch/pipermail/emanicslab/attachments/20140104/567191e3/attachment-0001.xlsx>