Security Incidents mailing list archives
Re: Port 33434 and decoy-scanning
From: dsr () MAIL LNS CORNELL EDU (Daniel S. Riley)
Date: Wed, 8 Mar 2000 16:30:44 -0500
Jan Roger Wilkens <jrw () system sikkerhet no> writes:
Lately I have seen traffic towards port 33434 UDP on various networks. Normal traceroute starts with port 33434, but the destination-port is supposed to increase with each new packet. The traffic I've seen lately uses port 33434 as destination-port for all packets.
We've been seeing similar traffic from a lot of the same hosts:

167.8.29.52 167.8.29.91 167.8.29.92 206.251.19.80 206.251.19.88 206.251.19.89 208.178.110.6 209.67.29.10 209.67.29.8 209.67.29.9 209.67.78.200 209.67.78.202 209.67.78.203 216.32.68.10 216.32.68.11 216.32.68.13 216.33.87.10 216.33.87.8 216.33.87.9

Since all of it is directed towards our forwarding name servers, I've been assuming it's just another "bigip"[1] like scheme for discovering the closest server to a host.

[1] http://www.f5.com/

--
Dan Riley dsr () mail lns cornell edu
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
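
The distinction drawn in the quoted message (traceroute raises the UDP destination port from 33434 with each probe, while the observed traffic keeps it at 33434) can be checked over packet logs. The following is an added example, not part of the original post; the record layout, the port window, the thresholds and the sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

TRACEROUTE_BASE_PORT = 33434
PORT_WINDOW = 100  # assumption: only look at ports 33434..33533

# Constructed sample records: (timestamp, src_ip, dst_ip, udp_dst_port).
SAMPLE_PACKETS = [
    (1.0, "192.0.2.10", "198.51.100.53", 33434),
    (1.1, "192.0.2.10", "198.51.100.53", 33435),
    (1.2, "192.0.2.10", "198.51.100.53", 33436),
    (1.3, "192.0.2.10", "198.51.100.53", 33437),
    (2.0, "203.0.113.7", "198.51.100.53", 33434),
    (2.5, "203.0.113.7", "198.51.100.53", 33434),
    (3.0, "203.0.113.7", "198.51.100.53", 33434),
    (4.0, "203.0.113.9", "198.51.100.53", 33434),
]


def classify_flows(packets, min_packets=3):
    """Label each (src, dst) pair by how its UDP destination ports behave."""
    flows = defaultdict(list)
    for _ts, src, dst, dport in sorted(packets):  # order by timestamp
        if TRACEROUTE_BASE_PORT <= dport < TRACEROUTE_BASE_PORT + PORT_WINDOW:
            flows[(src, dst)].append(dport)

    verdicts = {}
    for pair, ports in flows.items():
        if len(ports) < min_packets:
            # Not enough probes to tell the two patterns apart.
            verdicts[pair] = "too-few-packets"
        elif all(p == TRACEROUTE_BASE_PORT for p in ports):
            # Every probe hits 33434: the pattern reported in the thread.
            verdicts[pair] = "fixed-port-33434"
        elif ports[0] == TRACEROUTE_BASE_PORT and all(
            b > a for a, b in zip(ports, ports[1:])
        ):
            # Starts at 33434 and keeps rising; gaps tolerate capture loss.
            verdicts[pair] = "traceroute-like"
        else:
            verdicts[pair] = "other"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in classify_flows(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {verdict}")
```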