Mstmg-sstp (port 6601) traffic


#1

This is not about NTP, but possibly about using pool servers for evil purposes. This may also be a bug.

I’m seeing an odd amount of traffic originating from TCP port 6601 (mstmg-sstp, Microsoft Threat Management Gateway SSTP). I don’t have detailed stats from that time, but my inbound traffic increased yesterday 15th December at around 16:00 UTC. The ports that this thing tries to access are telnet, ssh, ms-wbt-server, netbios-ssn, epmap and microsoft-ds. There are also quite a lot of ICMP Echo Request packets, but I’m unsure if those are related.

# tcpdump -n -c 100 src port mstmg-sstp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

I’m seeing this on all my pool servers (seemingly in proportion to their usage in the pool), but not at all on my home server which is not in the pool. This leads me to believe that the target of that traffic is pool servers.

Anyone have thoughts of what’s going on?
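A small parser for the tcpdump line format shown above, added here as an example and not code from the thread: it keeps only pure SYNs, counts them per destination port and per distinct source, and reports what share came from source port 6601 (mstmg-sstp), which is the "what is being probed, and from how many hosts" question a capture like this should answer. The sample lines are constructed (documentation address ranges), not the poster's data.

```python
import re
from collections import Counter, defaultdict

# One tcpdump -n line: "HH:MM:SS.us IP src.sport > dst.dport: Flags [F], ..."
# (-n leaves addresses numeric but still resolves port names via /etc/services).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\S+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>[^:]+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample in the same shape as the posted capture (not real hosts).
SAMPLE = """\
18:02:37.493951 IP 192.0.2.10.mstmg-sstp > 198.51.100.5.ms-wbt-server: Flags [S], seq 1, win 29200, length 0
18:02:37.527424 IP 192.0.2.11.mstmg-sstp > 198.51.100.5.microsoft-ds: Flags [S], seq 1, win 29200, length 0
18:02:37.567695 IP 192.0.2.12.mstmg-sstp > 198.51.100.5.ssh: Flags [S], seq 3, win 29200, length 0
18:02:37.586283 IP 192.0.2.10.mstmg-sstp > 198.51.100.5.ssh: Flags [S], seq 1, win 29200, length 0
18:02:37.605432 IP 192.0.2.13.51234 > 198.51.100.5.telnet: Flags [S], seq 1, win 29200, length 0
18:02:37.614311 IP 198.51.100.5.ssh > 192.0.2.12.mstmg-sstp: Flags [S.], seq 0, ack 4, win 28960, length 0
18:02:37.623415 IP 192.0.2.14.ntp > 198.51.100.5.ntp: NTPv4, Client, length 48
"""


def parse_line(line):
    """Return the fields of one TCP tcpdump line, or None for UDP/other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, sport_of_interest="mstmg-sstp"):
    """Count pure SYNs ([S], not [S.] SYN-ACKs) per destination port and source."""
    syn_by_dport = Counter()
    sources_by_dport = defaultdict(set)
    total = sport_hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or "S" not in rec["flags"] or "." in rec["flags"]:
            continue  # drop non-TCP lines and anything that is not a bare SYN
        total += 1
        syn_by_dport[rec["dport"]] += 1
        sources_by_dport[rec["dport"]].add(rec["src"])
        if rec["sport"] == sport_of_interest:
            sport_hits += 1
    return {
        "total_syn": total,
        "syn_by_dport": dict(syn_by_dport),
        "distinct_sources_by_dport": {p: len(s) for p, s in sources_by_dport.items()},
        "fraction_from_sport": sport_hits / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Feed it `tcpdump -n -l ... | python3 script.py` style input (read from stdin instead of SAMPLE) to get the same breakdown on a live capture.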


#2

This is still going on, and I still don’t know why. The source port is no longer only 6601, but other random ports are also used. The majority of the traffic is to ports 22 (ssh), 3389 (ms-wbt-server), 23 (telnet), 139 (netbios-ssn), 135 (epmap) and 445 (microsoft-ds). Since the time I posted the above 23 days ago, my firewall has dropped around 134 million packets (5GB of traffic) to those ports in total.

In addition, ICMP echo requests continue to be a nuisance. I measured the ICMP echo request (ping) rate for the last 24 hours, and at this rate I’m going to get around 68 million echo requests per month (around 5GB of traffic).

You may want to check what your server is sending in response to incoming traffic. “tcpdump -c100 -n src host 192.0.2.0 and src port not 123” may show something (replace the IP address with yours). If your server is also a web server, you may want to exclude web traffic by adding “and src port not 80 and src port not 443” etc. You may also want to allow incoming pings only from some specific hosts and drop the rest (iptables -A INPUT -p icmp --icmp-type 8 -j DROP, adjust accordingly to suit your configuration).


#3

NTP Pool servers do get HTTP traffic, though. Frequently nonsense (DNS resolver bugs?), sometimes HTTP time clients, often search engines crawling http://pool.ntp.org/.

Every IPv4 address gets some degree of unwanted traffic, though.


#4

“Some” is a bit of an understatement in my experience. :-/