Re: UDP flood 28001-28003

[peanutbadr () HOTMAIL COM (Andrew Badr)]

These ports are used by servers for the very popular online game "Starsiege:
Tribes". They may have some other use, but not that I know of.

> From: George <greerga () ENTROPY MUC MUOHIO EDU>
> Reply-To: George <greerga () ENTROPY MUC MUOHIO EDU>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: UDP flood 28001-28003
> Date: Wed, 8 Mar 2000 02:27:48 -0500
>
> I don't remember anything close to this lately, nor do I see it in the past
> two months on a cursory check, so:
>
> Anyone know what it could've been?
>
> Sample lines:
>
> Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001
> xxx.yyy.zzz.aaa:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
>
> Packet log: input ACCEPT eth0 PROTO=17 204.196.178.73:28001
> xxx.yyy.zzz.aaa:2583 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
>
> Packet log: input ACCEPT eth0 PROTO=17 158.155.0.12:28001
> xxx.yyy.zzz.aaa:2581 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
>
> From Mar 7 21:29:24 to Mar 8 01:19:33, I was flooded on ports 28001, 28002,
> 28003 with UDP traffic.  The network addresses/ports were (uniq -c):
>
>      19 12.17.213.142:28001
>      19 12.17.213.142:28002
>      19 128.61.56.54:28001
>      19 129.118.17.85:28001
>      19 150.252.14.155:28001
>      19 158.155.0.12:28001
>      19 195.243.64.148:28001
>      19 199.4.33.201:28001
>      19 204.196.178.73:28001
>      19 207.152.153.10:28001
>      19 207.218.73.240:28001
>      19 207.250.241.242:28001
>      19 207.250.241.242:28002
>      19 207.250.241.242:28003
>      19 208.236.64.50:28001
>      19 209.242.64.134:28001
>      19 212.122.128.205:28001
>      11 24.131.25.82:28001
>      12 24.4.195.123:28001
>      12 24.4.82.52:28001
>      19 4.33.171.132:28001
>      17 4.33.171.135:28001
>      19 63.162.143.5:28001
>      19 63.162.143.6:28001
>      19 63.162.143.6:28002
>      19 63.224.4.144:28001
>
> Hosts resolve to:
>
> 12.17.213.142: lm213142.svvi.net
> 128.61.56.54: r56h54.res.gatech.edu
> 129.118.17.85: blast.me.ttu.edu
> 150.252.14.155: Host not found.
> 158.155.0.12: ra.compgen.com
> 195.243.64.148: Host not found.
> 199.4.33.201: mr2-201.mrtc.org
> 204.196.178.73: Host not found, try again.
> 207.152.153.10: Host not found.
> 207.218.73.240: cod.dgweb.com
> 207.250.241.242: pc242.cp.inc.net
> 208.236.64.50: Host not found.
> 209.242.64.134: death.fraggershall.com
> 212.122.128.205: inferno.gamesurf.de
> 24.131.25.82: nic-c25-082.mw.mediaone.net
> 24.4.195.123: cx187565-b.mnchs1.ct.home.com
> 24.4.82.52: cx987407-a.ocnsd1.sdca.home.com
> 4.33.171.132: evrtwa1-ar3-171-132.dsl.gtei.net
> 4.33.171.135: evrtwa1-ar3-171-135.dsl.gtei.net
> 63.162.143.5: Host not found.
> 63.162.143.6: Host not found.
> 63.224.4.144: 63-224-4-144.customers.uswest.net
>
> The three I checked out were all Windows 95/98/NT.  Two were pegged by
> queso guessing on a closed port and the third was running IIS/4.0.
>
> -George Greer

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com