Educause Security Discussion mailing list archives

Re: Traffic to UDP Port 80


From: John Kristoff <jtk () DEPAUL EDU>
Date: Fri, 26 Oct 2007 08:31:41 -0500

On Fri, 26 Oct 2007 08:41:23 -0400
"Babb, Robert" <babbr () UNION EDU> wrote:

I've seen a couple of instances where a MAC is sending huge amounts of traffic to a computer in the Netherlands.  Source port always UDP 57xxx and the dest. port is always UDP port 80.  Has anybody else ever seen this?  Anybody know what could cause it?

A Macintosh or a MAC address?  Not that it matters much, but yes this
sort of thing is not uncommon.  Are these hosts typically unix-based,
running SSH?  It's also not uncommon for an account to have been brute
forced whereupon a simple Perl-based UDP flooder is run from the account.

John
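
Added example, not part of the original messages: one way to surface the pattern described in this thread (a single internal host sending a large volume of UDP to port 80 on one external address) from flow records. The record layout, thresholds, function name and addresses are assumptions; the sample flows are constructed and use documentation address ranges.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real data).
# Assumed columns: ts,src,sport,dst,dport,proto,packets,bytes
SAMPLE_FLOWS = """\
2007-10-26T08:00:01,192.0.2.10,57012,203.0.113.5,80,udp,90000,126000000
2007-10-26T08:00:31,192.0.2.10,57012,203.0.113.5,80,udp,88000,123200000
2007-10-26T08:00:05,192.0.2.22,51544,198.51.100.7,80,tcp,40,52000
2007-10-26T08:00:09,192.0.2.30,40211,198.51.100.53,53,udp,2,160
2007-10-26T08:00:12,192.0.2.31,33000,203.0.113.9,80,udp,3,420
"""

def find_udp80_floods(flow_text, min_bytes=50_000_000, min_packets=10_000):
    """Return (src, dst) pairs whose UDP traffic to port 80 exceeds both thresholds.

    Thresholds are assumed values; tune them to the collection interval.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "sports": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 8:
            continue  # skip blank or malformed lines
        _ts, src, sport, dst, dport, proto, packets, nbytes = row
        # HTTP runs over TCP, so only UDP flows to port 80 are of interest here
        if proto.lower() != "udp" or dport != "80":
            continue
        try:
            pk, by = int(packets), int(nbytes)
        except ValueError:
            continue  # non-numeric counters
        entry = totals[(src, dst)]
        entry["packets"] += pk
        entry["bytes"] += by
        entry["sports"].add(sport)
    hits = []
    for (src, dst), t in totals.items():
        if t["bytes"] >= min_bytes and t["packets"] >= min_packets:
            hits.append({"src": src, "dst": dst, "packets": t["packets"],
                         "bytes": t["bytes"], "src_ports": sorted(t["sports"])})
    # Largest talkers first, so the host to investigate is at the top
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)

if __name__ == "__main__":
    for hit in find_udp80_floods(SAMPLE_FLOWS):
        print(hit)
```

A host flagged this way is a candidate for the account and login-history review suggested in the reply above.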
