Educause Security Discussion mailing list archives

Re: Traffic to UDP Port 80


From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Fri, 26 Oct 2007 10:12:14 -0400

John Kristoff wrote:
> On Fri, 26 Oct 2007 08:41:23 -0400
> "Babb, Robert" <babbr () UNION EDU> wrote:
>
> > I've seen a couple of instances where a MAC is sending huge amounts of
> > traffic to a computer in the Netherlands.  Source port always UDP 57xxx
> > and the dest. port is always UDP port 80.  Has anybody else ever seen
> > this?  Anybody know what could cause it?
>
> A Macintosh or a MAC address?  Not that it matters much, but yes this
> sort of thing is not uncommon.  Are these hosts typically unix-based,
> running SSH?  It's also not uncommon for an account to have been brute
> forced whereupon a simple Perl-based UDP flooder is run from the account.
>
> John

One quick test is to run "who" and "ps" on the machine, and look for a
process named something like "udp.pl". That seems to be a pretty common
flooding utility that the kids are using these days.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg        
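The two checks raised in this thread, the network side (one source pushing a very large number of UDP packets from an ephemeral source port to UDP/80 on one remote host) and the host side ("who" and "ps", looking for a Perl flooder such as udp.pl), as an added example that is not part of the list thread or anyone's posted tooling. The flow records, the ps listing, the threshold and the names flag_udp80_senders, find_flooder_procs and live_check are all constructed for the example; live_check assumes a procps-style ps that accepts -eo.

```shell
#!/bin/sh
# Added triage helpers for the pattern in this thread: a Unix host pushing
# high-rate UDP from an ephemeral source port to UDP/80 on one remote host,
# typically a Perl flooder (e.g. "udp.pl") run from a brute-forced account.
# The flow records, the ps listing and the threshold are constructed for
# this example; live_check is what you would run on a suspect box.

# Constructed flow summary, one record per line:
#   src dst proto sport dport packets
SAMPLE_FLOWS='10.1.2.3 203.0.113.9 udp 57120 80 48211
10.1.2.3 203.0.113.9 udp 57344 80 51890
10.1.2.3 203.0.113.9 udp 57601 80 50022
10.1.2.9 192.0.2.7 udp 53412 53 3
10.1.2.20 198.51.100.4 tcp 43211 80 120'

# Constructed "ps -eo user,pid,etime,args" output from the suspect host.
SAMPLE_PS='USER       PID     ELAPSED COMMAND
root         1  12-03:14:22 /sbin/init
www-data  1842  02-11:05:01 /usr/sbin/apache2 -k start
student   9013     01:22:40 perl udp.pl 203.0.113.9 80 0 3600
student   9020        00:10 -bash
student   9044        00:02 perl /tmp/.x/udp.pl 203.0.113.9 80 0 3600'

# flag_udp80_senders THRESHOLD   (flow records on stdin)
# Sums packets per source for UDP flows to dport 80 sent from an ephemeral
# (>= 1024) source port.  Nothing legitimate sends UDP/80 in volume, and the
# high, changing source port is exactly what the original poster saw.
# Prints "src packets" for each source at or above THRESHOLD, busiest first.
flag_udp80_senders() {
    thr=${1:-10000}
    awk -v thr="$thr" '
        $3 == "udp" && $5 == 80 && $4 >= 1024 { pkts[$1] += $6 }
        END { for (h in pkts) if (pkts[h] >= thr) printf "%s %d\n", h, pkts[h] }
    ' | sort -k2,2nr
}

# find_flooder_procs   (ps output with the command line as the last column, on stdin)
# Cheap first pass following the thread's advice: perl processes whose command
# line mentions udp/flood, or that run out of /tmp or /dev/shm.  A renamed
# script, or one that unlinked itself after starting, will not match, so an
# empty result does not clear the host.
find_flooder_procs() {
    awk 'NR > 1 && /perl/ && (/udp|flood/ || /\/tmp\/|\/dev\/shm\//)'
}

# On a live host (assumes procps-style ps with -eo).
live_check() {
    echo "== logged-in users (who) =="
    who
    echo "== candidate flooder processes =="
    ps -eo user,pid,etime,args | find_flooder_procs
}

demo() {
    echo "== sources flooding UDP/80 (sample flows) =="
    printf '%s\n' "$SAMPLE_FLOWS" | flag_udp80_senders 10000
    echo "== candidate flooder processes (sample ps) =="
    printf '%s\n' "$SAMPLE_PS" | find_flooder_procs
}

case "${1:-}" in
    demo) demo ;;
    live) live_check ;;
esac
```

Run it with `demo` to see both checks against the constructed data, or with `live` on the suspect host. Pair the process check with `who` (unexpected users or source addresses) and with the host's own socket table (`ss -unap` or `netstat -unap`): a perl process holding a UDP socket to port 80 of one remote address is the strongest single indicator here, and killing the process without locking the brute-forced account just means it comes back.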
