Security Incidents mailing list archives
Port 33434 and decoy-scanning
From: jrw () SYSTEM SIKKERHET NO (Jan Roger Wilkens)
Date: Wed, 8 Mar 2000 10:58:14 +0100
Lately I have seen traffic towards port 33434 UDP on various networks. Normal traceroute starts with port 33434, but the destination-port is supposed to increase with each new packet. The traffic I've seen lately uses port 33434 as destination-port for all packets. Today I also saw something resembling a decoy-scan towards port 33434. The output from NFR from this scan is below. (If anyone is interested in more of this traffic, I can email it.) The timestamp is only valid down to 5 min. intervals. This network does not normally receive more than 1-3 normal traceroutes per 24 hours.

Does anyone have any idea of what this is?

This is all UDP-traffic:

---------------------------------------------------------------------------------
Time                 Source          S.port  Dest IP          D.IP   Bytes  #
2000.03.07-17:00:00  216.33.87.8     2716    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8     2717    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8     2718    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8     2719    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8     2720    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:05:00  167.8.29.91     2815    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91     2816    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91     2817    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91     2818    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91     2819    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:15:00  209.67.29.10    2714    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10    2715    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10    2716    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10    2717    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10    2718    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10    2719    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:30:00  209.67.29.8     2814    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.8     2815    xxx.xxx.xxx.40   33434  78     1
2000.03.07-17:35:00  209.67.29.10    2714    xxx.xxx.xxx.40   33434  156    2
                     167.8.29.52     2715    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10    2715    xxx.xxx.xxx.40   33434  156    2
                     167.8.29.52     2716    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10    2716    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8     2716    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52     2717    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10    2717    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8     2717    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52     2718    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10    2718    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8     2718    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52     2719    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10    2719    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.8     2719    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.8     2720    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88   2814    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89   2814    xxx.xxx.xxx.37   33434  156    2
                     167.8.29.91     2815    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88   2815    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89   2815    xxx.xxx.xxx.37   33434  156    2
                     167.8.29.91     2816    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88   2816    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89   2816    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8     2816    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10    2816    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91     2817    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88   2817    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89   2817    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8     2817    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10    2817    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91     2818    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88   2818    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89   2818    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8     2818    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10    2818    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91     2819    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10    2819    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10    2820    xxx.xxx.xxx.40   33434  78     1
---------------------------------------------------------------------------------

Example of a normal traceroute towards the same network in the same time-period:

---------------------------------------------------------------------------------
Time                 Source          S.port  Dest IP          D.IP   Bytes  #
2000.03.07-11:10:00  208.196.3.122   52545   xxx.xxx.xxx.204  33447  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33448  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33449  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33450  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33451  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33452  60     1
2000.03.07-11:15:00  208.196.3.122   52545   xxx.xxx.xxx.204  33453  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33454  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33455  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33456  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33457  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33458  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33459  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33460  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33461  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33462  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33463  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33464  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33465  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33466  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33467  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33468  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33469  60     1
                     208.196.3.122   52545   xxx.xxx.xxx.204  33470  60     1
---------------------------------------------------------------------------------

Jan Roger Wilkens.
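The distinction the post draws (normal traceroute keeps the source port fixed and walks the destination port up from 33434; the odd traffic pins the destination port at 33434 and walks the source port instead, from several sources at once) can be checked mechanically over NFR-style rows. This is an added example, not part of the post or of NFR; the sample rows are a constructed subset copied from the tables above in the same column order (a timestamp only opens a 5-minute bucket), and the labels "traceroute", "fixed-port probe" and "other" are this example's own naming.

```python
from collections import defaultdict

TRACEROUTE_BASE = 33434  # first destination port used by classic UNIX traceroute

SAMPLE = """\
2000.03.07-17:35:00 209.67.29.10 2714 xxx.xxx.xxx.40 33434 156 2
167.8.29.52 2715 xxx.xxx.xxx.40 33434 78 1
209.67.29.10 2715 xxx.xxx.xxx.40 33434 156 2
167.8.29.52 2716 xxx.xxx.xxx.40 33434 78 1
216.33.87.8 2716 xxx.xxx.xxx.40 33434 78 1
216.33.87.8 2717 xxx.xxx.xxx.40 33434 78 1
2000.03.07-11:10:00 208.196.3.122 52545 xxx.xxx.xxx.204 33447 60 1
208.196.3.122 52545 xxx.xxx.xxx.204 33448 60 1
208.196.3.122 52545 xxx.xxx.xxx.204 33449 60 1
"""

def parse(text):
    """Yield (src, sport, dst, dport) per row; the optional leading timestamp is dropped."""
    for line in text.splitlines():
        f = line.split()[-6:]  # last six fields: src sport dst dport bytes count
        if len(f) == 6:
            yield f[0], int(f[1]), f[2], int(f[3])

def walks_up(ports):
    """True when the sorted port list is a run of consecutive values (33434, 33435, ...)."""
    return ports == list(range(ports[0], ports[0] + len(ports)))

def classify(text):
    """Label each (src, dst) pair by which port moves: the destination (traceroute) or the source."""
    flows = defaultdict(list)
    for src, sport, dst, dport in parse(text):
        flows[(src, dst)].append((sport, dport))
    labels = {}
    for key, pkts in flows.items():
        sports = sorted(s for s, _ in pkts)   # log rows interleave sources, so order by port
        dports = sorted(d for _, d in pkts)
        if len(pkts) > 1 and len(set(sports)) == 1 and dports[0] >= TRACEROUTE_BASE and walks_up(dports):
            labels[key] = "traceroute"        # fixed sport, dport climbs from 33434 upward
        elif len(pkts) > 1 and set(dports) == {TRACEROUTE_BASE} and walks_up(sports):
            labels[key] = "fixed-port probe"  # dport pinned at 33434, sport climbs instead
        else:
            labels[key] = "other"
    return labels

def decoy_candidates(labels):
    """Targets probed on the fixed port by several sources, as in the post's 17:35 bucket."""
    by_dst = defaultdict(set)
    for (src, dst), label in labels.items():
        if label == "fixed-port probe":
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}
```

Because the NFR timestamp is only 5-minute granular, grouping is done per destination over the whole input rather than per bucket; feed it one bucket at a time if you want the "same window" condition enforced.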