Security Incidents mailing list archives

Re: Port 33434 and decoy-scanning


From: dsr () MAIL LNS CORNELL EDU (Daniel S. Riley)
Date: Wed, 8 Mar 2000 16:30:44 -0500


Jan Roger Wilkens <jrw () system sikkerhet no> writes:
Lately I have seen traffic towards port 33434 UDP on various networks.
Normal traceroute starts with port 33434, but the destination-port is
supposed to increase with each new packet. The traffic I've seen lately uses
port 33434 as destination-port for all packets.

We've been seeing similar traffic from a lot of the same hosts:

167.8.29.52   167.8.29.91   167.8.29.92   206.251.19.80 206.251.19.88
206.251.19.89 208.178.110.6 209.67.29.10  209.67.29.8   209.67.29.9
209.67.78.200 209.67.78.202 209.67.78.203 216.32.68.10  216.32.68.11
216.32.68.13  216.33.87.10  216.33.87.8   216.33.87.9

Since all of it is directed towards our forwarding name servers, I've
been assuming it's just another "bigip"[1] like scheme for discovering
the closest server to a host.

[1] http://www.f5.com/

--
Dan Riley                                         dsr () mail lns cornell edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"
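
The distinction drawn in the quoted message, as an added example that is not part of the original post: a Python sketch that groups UDP probes by source/destination pair and separates classic traceroute (destination port climbing from 33434) from probes that stay on 33434. The log format, sample records, function names and thresholds are constructed for illustration.

```python
from collections import defaultdict

BASE_PORT = 33434                   # traceroute's default first UDP destination port
MAX_PORT = BASE_PORT + 30 * 3 - 1   # assumption: default 30 hops x 3 probes per hop

# Constructed sample records (not from the post): "time src dst udp_dport".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1 192.0.2.10 198.51.100.53 33434
2 203.0.113.7 198.51.100.53 33434
3 192.0.2.10 198.51.100.53 33435
4 203.0.113.7 198.51.100.53 33434
5 192.0.2.10 198.51.100.53 33436
6 203.0.113.7 198.51.100.53 33434
7 203.0.113.8 198.51.100.53 33434
8 203.0.113.7 198.51.100.53 33434
9 192.0.2.10 198.51.100.53 not-a-port
"""

def parse(log):
    """Yield (time, src, dst, dport) per line, skipping malformed records."""
    for line in log.splitlines():
        parts = line.split()
        try:
            if len(parts) == 4:
                yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def classify(log, min_probes=3):
    """Return {(src, dst): verdict} for probes in the traceroute port range."""
    seen = defaultdict(list)
    for _, src, dst, dport in sorted(parse(log)):   # order probes by time
        if BASE_PORT <= dport <= MAX_PORT:
            seen[(src, dst)].append(dport)
    verdicts = {}
    for pair, ports in seen.items():
        steps = [b - a for a, b in zip(ports, ports[1:])]
        if len(ports) < min_probes:
            verdicts[pair] = "insufficient"
        elif all(s == 0 for s in steps) and ports[0] == BASE_PORT:
            verdicts[pair] = "fixed-33434"      # the pattern reported in this thread
        elif all(s == 1 for s in steps) and ports[0] == BASE_PORT:
            verdicts[pair] = "traceroute"       # port climbs by one per probe
        else:
            verdicts[pair] = "other"
    return verdicts

if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE_LOG).items():
        print(pair, verdict)
```

A capture that drops probes leaves gaps in the port sequence, so a real traceroute can land in "other"; treat the verdicts as a triage aid rather than proof of intent.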


