UDP 8888 HNMNBie library

Internet traffic whips past at the speed of light. Only a tiny subset of anomalous events can be detected in real time. The data is recorded, as much of it as possible, and analyzed endlessly, deep-mining AIs flagging events for human analysts.

Petty Officer 3rd Class Harold Snyder was almost ready to clock out for lunch when one of these events filtered up from SOC 23.

NAVTRAFCAN023 16 reports UDP traffic DST 8888 1 byte data 0xC1 but differing checksums

User Datagram Protocol (UDP) is mildly interesting any time it is used for something other than DNS. Port 8888 has no definitive use; known uses range from a DSL speed test to Heroes of Might and Magic 5 and anything else inconclusive. One byte of data is a bit odd, but UDP is an odds-and-ends protocol. The checksum, however, should not vary: for a given source, destination, ports and payload it is fully determined, so a packet whose checksum does not match the recomputed value is either corrupted or carrying something. Since the beginning of time, modulating the checksum has been used to send messages, a so-called covert channel, but this one is so well known it is anything but covert.
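The check Snyder's tooling would have had to run is simple to show. The Python below is an added illustration, not part of the story or of any Navy tool: it recomputes the IPv4 UDP checksum (RFC 768) from the pseudo-header, UDP header and payload and flags datagrams whose checksum field disagrees with that value. The sample datagrams are constructed to match the report (one byte, 0xC1, to UDP 8888), with addresses drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the covert values 0x4849 and 0x2E2E are chosen for the example. One caveat the story glosses over: the source address is part of the pseudo-header, so packets from different sources legitimately carry different checksums; the useful test is recompute-and-compare, not "are they all equal".

```python
"""Verify IPv4 UDP checksums and flag datagrams whose checksum field carries
something other than the value the packet's own contents dictate (RFC 768).
Added example; the sample packets below are constructed, not captured."""
import socket
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"          # an odd-length body is padded with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 payload: bytes) -> int:
    """The checksum an honest sender must place in the UDP header."""
    length = 8 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, UDP_PROTO, length))
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0xFFFF ^ ones_complement_sum(pseudo + header + payload)
    return csum or 0xFFFF        # RFC 768: a computed 0 is transmitted as 0xFFFF


def build_udp(src_ip, dst_ip, src_port, dst_port, payload, checksum=None) -> bytes:
    """UDP header + payload. checksum=None means honest; any other value is
    written verbatim, which is exactly what a covert-channel sender does."""
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), checksum) + payload


def inspect_udp(src_ip: str, dst_ip: str, udp: bytes) -> dict:
    """Classify one datagram: 'valid', 'absent' (IPv4 permits a zero field)
    or 'mismatch' (corruption, or a value the sender chose). On a mismatch
    the 16 bits a covert receiver would read are the field itself."""
    src_port, dst_port, length, received = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:length]
    expected = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    if received == 0:
        status = "absent"
    elif received == expected:
        status = "valid"
    else:
        status = "mismatch"
    return {"src": src_ip, "dst_port": dst_port, "payload": payload.hex(),
            "received": received, "expected": expected, "status": status,
            "field_bits": received.to_bytes(2, "big") if status == "mismatch" else None}


# Constructed traffic mirroring the report: one-byte payload 0xC1 to UDP 8888.
# Documentation-range addresses only; the covert values are made up for the demo.
DST = "203.0.113.5"
SAMPLE = [
    ("192.0.2.10", DST, build_udp("192.0.2.10", DST, 40000, 8888, b"\xc1")),           # honest
    ("192.0.2.10", DST, build_udp("192.0.2.10", DST, 40000, 8888, b"\xc1", 0x4849)),   # covert "HI"
    ("192.0.2.10", DST, build_udp("192.0.2.10", DST, 40000, 8888, b"\xc1", 0x2E2E)),   # covert ".."
    ("198.51.100.77", DST, build_udp("198.51.100.77", DST, 40000, 8888, b"\xc1", 0)),  # no checksum
]


def triage(packets) -> list:
    """Run inspect_udp over (src_ip, dst_ip, udp_bytes) triples."""
    return [inspect_udp(src, dst, udp) for src, dst, udp in packets]


def flagged(packets) -> list:
    """Only the datagrams whose checksum field disagrees with their contents."""
    return [r for r in triage(packets) if r["status"] == "mismatch"]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["src"]:>14} -> :{r["dst_port"]} data {r["payload"]} '
              f'csum 0x{r["received"]:04x} expected 0x{r["expected"]:04x} {r["status"]}')
    print("covert field bytes:", b"".join(r["field_bits"] for r in flagged(SAMPLE)))
```

Run it and the first datagram verifies, the next two are flagged with their 16-bit field values ("HI" and ".."), and the last is reported as carrying no checksum at all, which is legal in IPv4 and worth a separate count because a sender who wants to dodge this exact check can simply zero the field.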

Snyder attached his analysis and, for completeness, submitted it to the NAVTRATHREAT Intelligence database in case there were more of them.

Boy howdy. There were hundreds, thousands, millions of them, and they had been going on for a long time. Task complete, report filed, Harold Snyder left the NOC and headed for the snack bar to enjoy the Camp Smith special. Have you ever had a hankering for tuna?

= = =

Second level threat analyst Sheila Lencioni picked up the ticket. If there weren't so durn many of them she would clear it, but this deserved further analysis. The natural assumption was that these were inbound probes. But there are a lot of problems with that. UDP has no handshake, so there is no automatic response: if nothing is listening the packet is simply dropped (at most an ICMP port-unreachable comes back, and consumer gateways usually just drop it). What if these weren't probes at all? What if they were responses? Even with the resources available to a second level analyst it would take several hours to run a report against all the SRC IPs. Her shift was almost over when the results popped up: 97% of them were home cable and DSL IPs.

She reran the same analysis as Petty Officer Snyder. Nothing about port 8888 really stood out; it's not like some home video game could take the world by storm without them knowing. Then, on a simple whim, she reran the query for geographic locations. Whoa! These addresses were not evenly distributed around the world; they were almost entirely in North America, and clustered on the West Coast at that. Something didn't make sense, but Lencioni knew the answer was above her pay grade. She clicked escalate. Someone besides her could initiate the search on what would clearly be the home IPs of US citizens.

= = =

Bangle Racer was not surprised to see Lencioni's report; he just didn't want an audit trail showing his section doing the research. They had already exposed their BGP node, AS12389, by injecting the traffic. It looked like they had pulled that off. The U.S. DoD has tons of unused IPv4 address space, and this test had to be done with v4 or the traceback would be immediate, with hell to pay. So they spoofed millions of IP addresses with calls to the HNMNBie Library port. They still had to be selective, very selective: you muck around with routing and the backbone bean counters will find you for sure, and burning an Autonomous System would be a disaster; they don't grow on trees. So they went with their best guesses. Now they had four probable locations for HNMNBie clusters: San Francisco, Seattle/Everett, Portland and Lake Tapps. He let the report sit for a few days before pulling it. If you are patient and let the dust settle, it makes it much harder for the scrubber AIs to pick up on things.
