Security Incidents mailing list archives
UDP traffic to net and broadcast addresses
From: Zen <zen () kill-9 it>
Date: Wed, 2 Apr 2003 12:12:14 +0200
Hi,

debugging on a customer router I trampled over some unusual traffic pattern: it is composed of udp packets, always from the same ip address, random source port, directed to the network and broadcast addresses of a network, random destination port, time-spaced around 2 seconds.

This is an example from the logs:

Apr 2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
Apr 2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
Apr 2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
Apr 2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
Apr 2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
Apr 2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
Apr 2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
Apr 2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet

they are around 8900 starting 3am (log rotate date -- didn't check before, still).

It is highly probable this is a tempted information gathering act -- but why using network and broadcast addresses? Most modern tcp/ip stacks wouldn't answer (well, some ciscos actually do, depending on config..)

Any ideas?

bye,
--
My home isn't cluttered; it's "passage restrictive."
zen () kill-9 it . Geek . And proud of it . http://www.kill-9.it/jargon/html/entry/zen.html
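Added example, not part of the original post: a small Python summarizer for ACL deny lines in the format quoted above, reporting per source how many denied UDP packets targeted a subnet's network or broadcast address, how many distinct ports were seen, and the mean spacing between log entries. The addresses (documentation ranges), the ACL number 101, the subnet, the function name and the `year` default are assumptions, since the post redacts its real values and syslog timestamps carry no year.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the post; addresses come from
# documentation ranges and the ACL number 101 is a placeholder.
SAMPLE = """\
Apr 2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(14673) -> 198.51.100.255(146), 1 packet
Apr 2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(41383) -> 198.51.100.255(558), 1 packet
Apr 2 10:41:07 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(19998) -> 198.51.100.0(112), 1 packet
Apr 2 10:41:09 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(6827) -> 198.51.100.255(497), 1 packet
Apr 2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.77(53) -> 198.51.100.20(1029), 1 packet
"""

LINE = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied udp "
    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packet")

def summarize(log_text, subnet, year=2003):
    """Per source: denies aimed at the subnet's network/broadcast address."""
    net = ipaddress.ip_network(subnet)
    special = {net.network_address: "net", net.broadcast_address: "bcast"}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ts, src, sport, dst, dport, n = m.groups()
        kind = special.get(ipaddress.ip_address(dst))
        if kind:  # skip denies aimed at ordinary host addresses
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            hits[src].append((when, kind, int(sport), int(dport), int(n)))
    report = {}
    for src, rows in hits.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        report[src] = {
            "packets": sum(r[4] for r in rows),
            "entries_to_net": sum(r[1] == "net" for r in rows),
            "entries_to_bcast": sum(r[1] == "bcast" for r in rows),
            "distinct_src_ports": len({r[2] for r in rows}),
            "distinct_dst_ports": len({r[3] for r in rows}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report
```

A source with many entries, nearly as many distinct destination ports as entries, and a steady gap of a few seconds matches the pattern described in the message.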