Security Incidents mailing list archives

Re: UDP port 500 traffic from two clients


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 28 Jan 2002 22:25:42 +0100 (CET)

On Mon, 28 Jan 2002, Gary Flynn wrote:

> Chris Wilkes wrote:
>
> > I recently moved and changed IP addresses within my ISP's block and two
> > IP addresses from mediaone.net and home.com hit me a couple of times a
> > minute with a UDP request to port 500.
>
> Code Red and Nimda infected machines will reportedly generate port
> 500 traffic.

Port 500 is NOT part of CodeRed. I doubt that Nimda uses them.

I get hit enough by them but just on port 80. To get a feel for what a 
normal XS4ALL ADSL server gets hit by, have a look at: 
http://hvdkooij.xs4all.nl/fwlog/

Only SMTP and HTTP are normal traffic and not logged there.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.

