SANS ISC: Anyone else seeing packet probes using the chaos protocol? (PROTO=16) SANS ISC InfoSec Forums

Anyone else seeing packet probes using the chaos protocol? (PROTO=16)
Greetings.

Since April 9th I'm seeing a sudden influx of packets using the chaos IP protocol (PROTO=16). Can't say I've ever seen those before, but over the last 3 days I've received almost 80,000 packets, sent from 17 IP addresses in vastly different locations.

Due to this it seems reasonable to assume there's a botnet behind it all, but I'm having a very hard time finding any information on attacks using IP protocol 16, a.k.a. "chaos" (http://en.wikipedia.org/wiki/Chaosnet).

Is anyone else seeing this as well? Any clues as to what might be going on, and what the likely attack vector might be?

Thanks in advance for sharing your insight!

Kind regards,

- Richard.
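
A triage sketch for the kind of firewall log described above, added here as an example and not part of the original post: it tallies packets per source address for every IP protocol outside an expected set. It assumes netfilter LOG-style `KEY=value` lines (as the `PROTO=16` notation suggests); the sample lines, the addresses (documentation ranges) and the `EXPECTED` set are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter LOG style (documentation address ranges).
SAMPLE_LOG = """\
Apr  9 02:11:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=238 ID=1 PROTO=16
Apr  9 02:11:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=238 ID=2 PROTO=16
Apr  9 02:12:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=51 ID=3 PROTO=TCP SPT=40000 DPT=22
Apr 10 14:02:55 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=40 TTL=240 ID=4 PROTO=16
Apr 10 14:03:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TTL=55 ID=5 PROTO=ICMP TYPE=8 CODE=0
this line is not a firewall record
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
EXPECTED = {"TCP", "UDP", "ICMP"}  # assumption: protocols this network expects inbound


def parse_line(line):
    """Return the KEY=value fields of one log line, or None if SRC/PROTO are absent."""
    fields = dict(FIELD.findall(line))
    return fields if "SRC" in fields and "PROTO" in fields else None


def summarize_unexpected(log_text, expected=EXPECTED):
    """Map each unexpected PROTO value to a Counter of packets per source address."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["PROTO"] not in expected:
            summary[fields["PROTO"]][fields["SRC"]] += 1
    return dict(summary)


def report(summary):
    """Render the summary as text lines, busiest sources first within each protocol."""
    lines = []
    for proto, sources in sorted(summary.items()):
        lines.append(f"PROTO={proto}: {sum(sources.values())} packets from {len(sources)} sources")
        for src, count in sources.most_common():
            lines.append(f"  {src:<15} {count}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_unexpected(SAMPLE_LOG))))
```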