Educause Security Discussion mailing list archives

UDP Port scans


From: Joseph Karam <jkaram () HAMILTON EDU>
Date: Fri, 2 Feb 2007 09:11:46 -0500

Folks,

We are seeing an increasing number of UDP port scans which started late
last semester and has now gone three weeks into the new semester.  We
are basically seeing student computers scanning 100s to 1000s of
off-campus addresses on a single UDP source port (one computer might use
UDP port 19038, the next one might use 19802, all random) and the
targets they are hitting are all on different ports.  Right now I've got
about 40-50 student computers in this condition.

Here is a sample of the output I see from one student computer:

Dest. IP Addr.   Start date                    End date                      Protocol  Src Port  Dst Port
24.116.40.145    February 1, 2007 7:03:12 PM   February 1, 2007 7:07:34 PM   UDP       19802     35788
74.114.158.75    February 1, 2007 7:03:12 PM   February 1, 2007 7:07:33 PM   UDP       19802     31394
70.115.61.169    February 1, 2007 7:03:12 PM   February 1, 2007 7:07:34 PM   UDP       19802     23578
24.144.43.245    February 1, 2007 7:03:12 PM   February 1, 2007 7:07:37 PM   UDP       19802     39572
75.19.109.227    February 1, 2007 7:03:12 PM   February 1, 2007 7:07:39 PM   UDP       19802     37026
...

Right now none of the students are coming forward for help, so I'm not
sure if this is just from music file sharing or if they have an actual
virus/spyware/worm, etc.

Has anyone else seen similar activity?

Thanks-

Joe

--
Joe Karam
Director, Network and Telecommunications Services
Information Technology Services, Hamilton College
jkaram () hamilton edu
315-859-4167
http://www.hamilton.edu/college/its/network_services
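
Added example, not part of the original message: one way to pull hosts showing the pattern described above (a single fixed UDP source port, many distinct off-campus destinations, each on a different port) out of flow records. The record layout, the 10.0.0.x source addresses, the second host's flows and both thresholds are assumptions; the five destination/port pairs are the sample rows from the post. It only surfaces the pattern and does not say what software is producing it.

```python
from collections import defaultdict

# Flow records: (src_ip, protocol, src_port, dst_ip, dst_port).
# Destination/port pairs for 10.0.0.5 are the sample rows from the post;
# the source addresses and all 10.0.0.9 flows are constructed.
FLOWS = [
    ("10.0.0.5", "UDP", 19802, "24.116.40.145", 35788),
    ("10.0.0.5", "UDP", 19802, "74.114.158.75", 31394),
    ("10.0.0.5", "UDP", 19802, "70.115.61.169", 23578),
    ("10.0.0.5", "UDP", 19802, "24.144.43.245", 39572),
    ("10.0.0.5", "UDP", 19802, "75.19.109.227", 37026),
    # Constructed contrast host: ephemeral source ports, few well-known services.
    ("10.0.0.9", "UDP", 50112, "192.0.2.53", 53),
    ("10.0.0.9", "UDP", 50113, "192.0.2.53", 53),
    ("10.0.0.9", "UDP", 50114, "192.0.2.123", 123),
]


def udp_fanout(flows):
    """Summarise, per (source host, source port), how widely UDP flows spread."""
    targets = defaultdict(set)
    for src_ip, proto, sport, dst_ip, dport in flows:
        if proto.upper() == "UDP":
            targets[(src_ip, sport)].add((dst_ip, dport))
    return {
        key: {
            "dst_ips": len({ip for ip, _ in pairs}),
            "dst_ports": len({port for _, port in pairs}),
        }
        for key, pairs in targets.items()
    }


def flag_fanout(flows, min_dst_ips=5, min_port_ratio=0.8):
    """Return (src_ip, src_port) pairs with one fixed source port reaching
    many distinct destinations, nearly all on different destination ports.

    min_dst_ips=5 only suits this five-row sample; the post reports 100s to
    1000s of destinations per host, so a real threshold would be far higher.
    """
    flagged = []
    for key, stats in udp_fanout(flows).items():
        ratio = stats["dst_ports"] / stats["dst_ips"]
        if stats["dst_ips"] >= min_dst_ips and ratio >= min_port_ratio:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for src_ip, sport in flag_fanout(FLOWS):
        print(f"{src_ip} fixed UDP source port {sport}: {udp_fanout(FLOWS)[(src_ip, sport)]}")
```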
