Educause Security Discussion mailing list archives
Re: Traffic to UDP Port 80
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Fri, 26 Oct 2007 10:12:14 -0400
John Kristoff wrote:
> On Fri, 26 Oct 2007 08:41:23 -0400 "Babb, Robert" <babbr () UNION EDU> wrote:
>
>> I've seen a couple of instances where a MAC is sending huge amounts of traffic to a computer in the Netherlands. Source port always UDP 57xxx and the dest. port is always UDP port 80. Has anybody else ever seen this? Anybody know what could cause it?
>
> A Macintosh or a MAC address? Not that it matters much, but yes this sort of thing is not uncommon. Are these hosts typically unix-based, running SSH? It's also not uncommon for an account to have been brute forced whereupon a simple Perl-based UDP flooder is run from the account.
>
> John

One quick test is to run "who" and "ps" on the machine, and look for a process named something like "udp.pl". That seems to be a pretty common flooding utility that the kids are using these days.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
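
Added example, not part of the original message or thread: one way to script the "who" and "ps" check suggested above, so it can be repeated across several hosts. The function names, the name pattern, and the sample accounts and addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Input format assumed: output of `ps -eo pid,user,args`.
# Name pattern is an assumption built from the "udp.pl" hint; tune it locally.
FLOOD_PATTERN='^udp[^/]*[.]pl$'

# Print "pid user script" for each Perl process whose script name matches.
find_perl_flooders() {
    awk -v pat="${1:-$FLOOD_PATTERN}" '
    NR == 1 && $1 == "PID" { next }            # skip the ps header line
    {
        interp = $3; sub(/.*\//, "", interp)   # basename of the executable
        script = ""
        if (interp ~ /^perl[0-9.]*$/) {
            # the first non-option argument after the interpreter is the script
            for (i = 4; i <= NF; i++) if ($i !~ /^-/) { script = $i; break }
        } else if (interp ~ /[.]pl$/) {
            script = $3                        # script shown under its own name
        }
        if (script == "") next
        base = script; sub(/.*\//, "", base)
        if (tolower(base) ~ pat) print $1, $2, script
    }'
}

# Read ps output on stdin; $1 is the text printed by `who`. For each hit, list
# where the owning account is logged in from ("none" = no current session).
triage() {
    who_out=$1
    find_perl_flooders | while read -r pid user script; do
        from=$(printf '%s\n' "$who_out" | awk -v u="$user" '
            $1 == u { s = s (s ? "," : "") ($NF ~ /^\(/ ? $NF : "local") }
            END { print s }')
        echo "pid=$pid user=$user script=$script sessions=${from:-none}"
    done
}

# Constructed sample data (documentation addresses, invented accounts).
SAMPLE_PS='  PID USER     COMMAND
 2211 root     /usr/sbin/sshd
 4102 jdoe     -bash
 4177 jdoe     perl udp.pl
 5010 www      /usr/bin/perl /var/www/cgi-bin/report.pl
 5120 asmith   /usr/bin/perl -w /tmp/.x/UDP2.pl'
SAMPLE_WHO='jdoe     pts/0   2007-10-26 09:58 (203.0.113.7)
root     tty1    2007-10-26 08:00'

printf '%s\n' "$SAMPLE_PS" | triage "$SAMPLE_WHO"
```

On a live host the equivalent call is `ps -eo pid,user,args | triage "$(who)"`. A Perl script can overwrite its own process name, so an empty result does not clear the host.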