Security Incidents mailing list archives
Re: Port 33434 and decoy-scanning
From: MJParkin () COLT-TELECOM COM (Parkin, Miles)
Date: Thu, 9 Mar 2000 07:31:53 -0000
Hi,

The traffic that you are seeing is being generated by "eaic.com", who stream audio to requesting users. Their explanation of this traffic is:
Your observations are new to us! We have never seen anyone pretend to diagnose these behaviours and apply a program name to the processes with such commercialism. Unfortunately, we utilize Global Load-balancers and fail-over functions that do QOS probing to route requests to the right locations. Someone within your network has requested sound samples from an online music retailer that is our client. We represent 99% of all the music retailers on the net including Amazon.com, CDNOW, Borders, Barnes & Noble, Tower Records, and all the others.

Unfortunately, this behaviour may seem new to you, but Cisco's Local Director, F5 Networks 3DNS, RadWare, ExTreme, and many others have commercially distributed products that simply take periodic RTT, Packet Loss, Hops, and other measurements to route traffic quickly and efficiently over the Internet, IMPROVING the Internet as a whole with these technologies! I am considered an advocate in these technologies and can answer more questions if you wish. We would be fine with blocking out all of your domains and so forth, but your end-users made requests for listening to streaming media, and we are simply ensuring they get the best performance possible.

Your Firewalk diagnosis is 98% wrong. But we appreciate your complaint as we are not intending to cause any problems around the net, NO! Quite the opposite. And, you are MORE than welcome to give me a call (206-699-4105) to discuss this further if you would like. There are actually two items that can provide this image or perception, and one being the Real Audio Server as well.

Have a great day, and thanks for your input. Unfortunately, these technologies are NOT new, and it will take network engineers and administrators awhile to catch on to the fact that you too will be using such devices soon, in order to provide performance-based routing and 100% guaranteed uptime as we do.
I initially saw the traffic as using the "FireWalk" tool, which uses port 33434 UDP by default, but this is not the case here. I can supply contact information for eaic if you require.

Regards,
Miles.

-----Original Message-----
From: Jan Roger Wilkens [mailto:jrw () SYSTEM SIKKERHET NO]
Sent: 08 March 2000 09:58
To: INCIDENTS () SECURITYFOCUS COM
Subject: Port 33434 and decoy-scanning

Lately I have seen traffic towards port 33434 UDP on various networks. Normal traceroute starts with port 33434, but the destination port is supposed to increase with each new packet. The traffic I've seen lately uses port 33434 as destination port for all packets. Today I also saw something resembling a decoy-scan towards port 33434. The output from NFR from this scan is below. (If anyone is interested in more of this traffic, I can email it.) The timestamp is only valid down to 5 min. intervals. This network does not normally receive more than 1-3 normal traceroutes per 24 hours. Does anyone have any idea of what this is?
This is all UDP-traffic:

---------------------------------------------------------------------------------
Time                 Source         S.port  Dest IP          D.IP   Bytes  #
---------------------------------------------------------------------------------
2000.03.07-17:00:00  216.33.87.8    2716    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8    2717    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8    2718    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8    2719    xxx.xxx.xxx.37   33434  78     1
                     216.33.87.8    2720    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:05:00  167.8.29.91    2815    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91    2816    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91    2817    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91    2818    xxx.xxx.xxx.37   33434  78     1
                     167.8.29.91    2819    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:15:00  209.67.29.10   2714    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10   2715    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10   2716    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10   2717    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10   2718    xxx.xxx.xxx.37   33434  78     1
                     209.67.29.10   2719    xxx.xxx.xxx.37   33434  78     1
2000.03.07-17:30:00  209.67.29.8    2814    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.8    2815    xxx.xxx.xxx.40   33434  78     1
2000.03.07-17:35:00  209.67.29.10   2714    xxx.xxx.xxx.40   33434  156    2
                     167.8.29.52    2715    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10   2715    xxx.xxx.xxx.40   33434  156    2
                     167.8.29.52    2716    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10   2716    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8    2716    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52    2717    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10   2717    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8    2717    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52    2718    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10   2718    xxx.xxx.xxx.40   33434  156    2
                     216.33.87.8    2718    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.52    2719    xxx.xxx.xxx.40   33434  78     1
                     209.67.29.10   2719    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.8    2719    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.8    2720    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88  2814    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89  2814    xxx.xxx.xxx.37   33434  156    2
                     167.8.29.91    2815    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88  2815    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89  2815    xxx.xxx.xxx.37   33434  156    2
                     167.8.29.91    2816    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88  2816    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89  2816    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8    2816    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10   2816    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91    2817    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88  2817    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89  2817    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8    2817    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10   2817    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91    2818    xxx.xxx.xxx.40   33434  78     1
                     206.251.19.88  2818    xxx.xxx.xxx.37   33434  78     1
                     206.251.19.89  2818    xxx.xxx.xxx.37   33434  156    2
                     209.67.29.8    2818    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10   2818    xxx.xxx.xxx.40   33434  78     1
                     167.8.29.91    2819    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10   2819    xxx.xxx.xxx.40   33434  78     1
                     216.33.87.10   2820    xxx.xxx.xxx.40   33434  78     1
---------------------------------------------------------------------------------

Example of a normal traceroute towards the same network in the same time-period:

---------------------------------------------------------------------------------
Time                 Source         S.port  Dest IP          D.IP   Bytes  #
---------------------------------------------------------------------------------
2000.03.07-11:10:00  208.196.3.122  52545   xxx.xxx.xxx.204  33447  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33448  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33449  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33450  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33451  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33452  60     1
2000.03.07-11:15:00  208.196.3.122  52545   xxx.xxx.xxx.204  33453  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33454  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33455  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33456  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33457  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33458  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33459  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33460  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33461  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33462  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33463  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33464  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33465  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33466  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33467  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33468  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33469  60     1
                     208.196.3.122  52545   xxx.xxx.xxx.204  33470  60     1
---------------------------------------------------------------------------------

Jan Roger Wilkens.
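The distinction the thread turns on (a classic UDP traceroute keeps one source port and walks the destination port up from 33434, while the eaic probes pin the destination port at 33434 and walk the source port) is mechanical enough to encode as a triage rule. The following is an added example, not code from either poster or from NFR: it parses NFR-style rows like the ones above, groups them per source/destination pair, and labels each pair. The sample rows are an abridged copy of the two listings in the post; the 100-port "traceroute window" and the verdict names are assumptions of this example.

```python
"""Tell a classic UDP traceroute apart from fixed-port probing in NFR-style rows.

Added example for this thread; it is not code from either poster or from NFR.
The heuristic is the one the thread states: traceroute keeps its source port
and increments the destination port starting at 33434, while the traffic Jan
reported kept destination port 33434 fixed and incremented the source port.
"""
from collections import defaultdict

TRACEROUTE_BASE = 33434
# Assumed window for "looks like traceroute" destination ports: classic
# implementations start at 33434 and step up once per probe, so a walk that
# starts part-way in (the 33447.. listing below) still counts.
TRACEROUTE_WINDOW = range(33434, 33534)

# Abridged from the post's first NFR listing (fixed destination port 33434).
PROBE_LOG = """\
2000.03.07-17:00:00 216.33.87.8 2716 xxx.xxx.xxx.37 33434 78 1
216.33.87.8 2717 xxx.xxx.xxx.37 33434 78 1
216.33.87.8 2718 xxx.xxx.xxx.37 33434 78 1
216.33.87.8 2719 xxx.xxx.xxx.37 33434 78 1
216.33.87.8 2720 xxx.xxx.xxx.37 33434 78 1
2000.03.07-17:05:00 167.8.29.91 2815 xxx.xxx.xxx.37 33434 78 1
167.8.29.91 2816 xxx.xxx.xxx.37 33434 78 1
167.8.29.91 2817 xxx.xxx.xxx.37 33434 78 1
"""

# Abridged from the post's second listing (a normal traceroute).
TRACEROUTE_LOG = """\
2000.03.07-11:10:00 208.196.3.122 52545 xxx.xxx.xxx.204 33447 60 1
208.196.3.122 52545 xxx.xxx.xxx.204 33448 60 1
208.196.3.122 52545 xxx.xxx.xxx.204 33449 60 1
208.196.3.122 52545 xxx.xxx.xxx.204 33450 60 1
"""


def parse_rows(text):
    """Yield (time, src, sport, dst, dport, size, count) per row.

    NFR printed the timestamp only on the first row of each 5-minute bucket,
    so rows without one inherit the most recent timestamp.
    """
    last_time = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 7:
            last_time, fields = fields[0], fields[1:]
        if len(fields) != 6:
            raise ValueError("unexpected row: %r" % line)
        src, sport, dst, dport, size, count = fields
        yield last_time, src, int(sport), dst, int(dport), int(size), int(count)


def _strictly_increasing(values):
    return all(b > a for a, b in zip(values, values[1:]))


def classify_flows(text):
    """Return {(src, dst): verdict} for every source/destination pair seen.

    traceroute  - one source port, destination port climbs within the window
    fixed-probe - destination port pinned to 33434, source port climbs
                  (the load-balancer RTT probing eaic described)
    other       - too few packets, or a pattern matching neither
    """
    pairs = defaultdict(list)
    for _, src, sport, dst, dport, _, _ in parse_rows(text):
        pairs[(src, dst)].append((sport, dport))

    verdicts = {}
    for key, seen in pairs.items():
        sports = [s for s, _ in seen]
        dports = [d for _, d in seen]
        if len(seen) < 2:
            verdicts[key] = "other"
        elif (len(set(sports)) == 1 and _strictly_increasing(dports)
              and all(d in TRACEROUTE_WINDOW for d in dports)):
            verdicts[key] = "traceroute"
        elif set(dports) == {TRACEROUTE_BASE} and _strictly_increasing(sports):
            verdicts[key] = "fixed-probe"
        else:
            verdicts[key] = "other"
    return verdicts


def sources_per_target(text):
    """Return {dst: sorted distinct sources}.

    Several unrelated sources hitting one target in the same bucket is what
    made the listing look like a decoy scan; combined with per-flow verdicts
    of 'fixed-probe' it instead points at a cluster of probing hosts.
    """
    seen = defaultdict(set)
    for _, src, _, dst, _, _, _ in parse_rows(text):
        seen[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in seen.items()}


if __name__ == "__main__":
    for name, log in (("probe listing", PROBE_LOG), ("traceroute listing", TRACEROUTE_LOG)):
        print(name)
        for (src, dst), verdict in classify_flows(log).items():
            print("  %-14s -> %-16s %s" % (src, dst, verdict))
        print("  distinct sources per target:", sources_per_target(log))
```

Run against the two listings, every pair in the first comes back "fixed-probe" and the single pair in the second comes back "traceroute"; a real deployment would feed the same grouping from a flow collector and alert only on pairs that land in "other", since both recognised patterns are benign as the thread concludes.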