Security Incidents mailing list archives

Re: Weird UDP packets


From: Blake Frantz <blake () MC NET>
Date: Wed, 14 Feb 2001 13:33:40 -0600

At first glance this appears to be a traceroute; the base UDP port number
used by traceroute is 33434.  Are the packets coming every 5 seconds?

Another heads up.

RealMappingTM is "mapping" the Internet and causing funny log entries
along the way.  Here is a sample log, and the response I got from their
admins.

<log>
Thu Feb 1 06:34:20 2001 195.193.95.50/64363 > x.x.130.1/54451 udp 1 packet
Thu Feb 1 06:34:24 2001 195.193.95.50/64363 > x.x.130.1/54452 udp 1 packet
Thu Feb 1 06:34:28 2001 195.193.95.50/64363 > x.x.130.1/54453 udp 1 packet
Thu Feb 1 06:34:32 2001 195.193.95.50/64363 > x.x.130.1/54454 udp 1 packet
Thu Feb 1 06:34:36 2001 195.193.95.50/64363 > x.x.130.1/54455 udp 1 packet
Thu Feb 1 06:34:41 2001 195.193.95.50/64363 > x.x.130.1/54456 udp 1 packet
Thu Feb 1 09:48:09 2001 195.193.95.50/63587 > x.x.186.1/42906 udp 1 packet
Thu Feb 1 09:48:12 2001 195.193.95.50/63587 > x.x.186.1/42907 udp 1 packet
Thu Feb 1 09:48:16 2001 195.193.95.50/63587 > x.x.186.1/42908 udp 1 packet
Thu Feb 1 09:48:20 2001 195.193.95.50/63587 > x.x.186.1/42909 udp 1 packet
Thu Feb 1 09:48:24 2001 195.193.95.50/63587 > x.x.186.1/42910 udp 1 packet
Thu Feb 1 09:48:28 2001 195.193.95.50/63587 > x.x.186.1/42911 udp 1 packet
Thu Feb 1 09:48:34 2001 195.193.95.50/63587 > x.x.186.1/42945 udp 1 packet
Thu Feb 1 09:48:38 2001 195.193.95.50/63587 > x.x.186.1/42946 udp 1 packet
Thu Feb 1 09:48:42 2001 195.193.95.50/63587 > x.x.186.1/42947 udp 1 packet
Thu Feb 1 09:48:46 2001 195.193.95.50/63587 > x.x.186.1/42948 udp 1 packet
Thu Feb 1 09:48:50 2001 195.193.95.50/63587 > x.x.186.1/42949 udp 1 packet
Thu Feb 1 09:48:54 2001 195.193.95.50/63587 > x.x.186.1/42950 udp 1 packet
Thu Feb 1 09:48:59 2001 195.193.95.50/63587 > x.x.186.1/42984 udp 1 packet
Thu Feb 1 09:49:03 2001 195.193.95.50/63587 > x.x.186.1/42985 udp 1 packet
Thu Feb 1 09:49:07 2001 195.193.95.50/63587 > x.x.186.1/42986 udp 1 packet
Thu Feb 1 09:49:12 2001 195.193.95.50/63587 > x.x.186.1/42987 udp 1 packet
Thu Feb 1 09:49:15 2001 195.193.95.50/63587 > x.x.186.1/42988 udp 1 packet
Thu Feb 1 09:49:19 2001 195.193.95.50/63587 > x.x.186.1/42989 udp 1 packet
Thu Feb 1 09:49:25 2001 195.193.95.50/63587 > x.x.186.1/43023 udp 1 packet
Thu Feb 1 09:49:29 2001 195.193.95.50/63587 > x.x.186.1/43024 udp 1 packet
Thu Feb 1 09:49:33 2001 195.193.95.50/63587 > x.x.186.1/43025 udp 1 packet
Thu Feb 1 09:49:37 2001 195.193.95.50/63587 > x.x.186.1/43026 udp 1 packet
Thu Feb 1 09:49:41 2001 195.193.95.50/63587 > x.x.186.1/43027 udp 1 packet
Thu Feb 1 09:49:45 2001 195.193.95.50/63587 > x.x.186.1/43028 udp 1 packet
Thu Feb 1 09:49:50 2001 195.193.95.50/63587 > x.x.186.1/43062 udp 1 packet
Thu Feb 1 09:49:54 2001 195.193.95.50/63587 > x.x.186.1/43063 udp 1 packet
Thu Feb 1 09:49:58 2001 195.193.95.50/63587 > x.x.186.1/43064 udp 1 packet
Thu Feb 1 09:50:02 2001 195.193.95.50/63587 > x.x.186.1/43065 udp 1 packet
Thu Feb 1 09:50:06 2001 195.193.95.50/63587 > x.x.186.1/43066 udp 1 packet
Thu Feb 1 09:50:10 2001 195.193.95.50/63587 > x.x.186.1/43067 udp 1 packet
Thu Feb 1 09:50:16 2001 195.193.95.50/63587 > x.x.186.1/43101 udp 1 packet
Thu Feb 1 09:50:20 2001 195.193.95.50/63587 > x.x.186.1/43102 udp 1 packet
Thu Feb 1 09:50:24 2001 195.193.95.50/63587 > x.x.186.1/43103 udp 1 packet
Thu Feb 1 09:50:28 2001 195.193.95.50/63587 > x.x.186.1/43104 udp 1 packet
Thu Feb 1 09:50:32 2001 195.193.95.50/63587 > x.x.186.1/43105 udp 1 packet
Thu Feb 1 09:50:36 2001 195.193.95.50/63587 > x.x.186.1/43106 udp 1 packet
Thu Feb 1 09:50:41 2001 195.193.95.50/63587 > x.x.186.1/43140 udp 1 packet
Thu Feb 1 09:50:45 2001 195.193.95.50/63587 > x.x.186.1/43141 udp 1 packet
Thu Feb 1 09:50:49 2001 195.193.95.50/63587 > x.x.186.1/43142 udp 1 packet
Thu Feb 1 09:50:53 2001 195.193.95.50/63587 > x.x.186.1/43143 udp 1 packet
Thu Feb 1 09:50:57 2001 195.193.95.50/63587 > x.x.186.1/43144 udp 1 packet
Thu Feb 1 09:51:01 2001 195.193.95.50/63587 > x.x.186.1/43145 udp 1 packet
Thu Feb 1 09:51:55 2001 195.193.95.50/63587 > x.x.186.1/43218 udp 1 packet
Thu Feb 1 09:51:59 2001 195.193.95.50/63587 > x.x.186.1/43219 udp 1 packet
Thu Feb 1 09:52:03 2001 195.193.95.50/63587 > x.x.186.1/43220 udp 1 packet
Thu Feb 1 09:52:07 2001 195.193.95.50/63587 > x.x.186.1/43221 udp 1 packet
Thu Feb 1 09:52:11 2001 195.193.95.50/63587 > x.x.186.1/43222 udp 1 packet
Thu Feb 1 09:52:15 2001 195.193.95.50/63587 > x.x.186.1/43223 udp 1 packet
</log>

<mail snip>
Here is our reaction to your mail about port scanning on your network from a
machine on our network.

First let me apologize for this event; as a former network operator I'm
aware of the irritation in these events.

Actually what happened is not a port scan, but just one traceroute. For a
research project (we are trying to get better knowledge of the Internet
topology) we have done numerous traceroutes to different hosts on the
Internet (all ending with .1, as you can see in your logfiles). If
traceroute is blocked on your firewall, it will try to reach one hop
further on port +1, 4 seconds later (4 seconds is not the default, it's our
parameter; the default is 5 seconds). This will continue until 30 hops have
been tried.

As you can see in your logfiles, this is what happened on your firewall. I
must say I was unaware of this behaviour of traceroute. This does look
like a port scan, 'cause the port is incremented every time, so I can
imagine your state of alarm.

We were not looking for anything specific on your network. As you might
have noticed in your logfiles, these are the only connections we have
tried to your network.

I have to admit there's one piece of the logfiles I don't really
understand. Traceroute starts at port 33434 (in our man traceroute on Linux Red Hat
6) and does only a maximum of 30 hops. The ports accessed on your firewall
are slightly higher than this. If I find out why this is, I will let you
know; this might help you in the future for determining what's happening on
your network.

I would like to mention that Tribute, our hosting company, is not related
in any way to our company except that they host our machines. Any
(eventually suspicious) actions on our machines are solely our
responsibility.
</mail snip>

I hope this saves some leg work.

-Blake

=================================================================
The Government, like diapers, should be replaced regularly, and
often for the same reasons.

On Wed, 14 Feb 2001, Devdas Bhagat wrote:

Feb 14 15:49:39 ns1 kernel: Packet log: input DENY eth0 PROTO=17
144.16.64.112:39398 a.b.c.d:33465 L=38 S=0x00 I=39429 F=0x0000
T=1 (#24)
(The values of I increase serially, T increases by 1 every third packet)

I have got this weird UDP scan from 144.16.64.112:39398 to UDP ports in
the range 33467 to 39398.
I have never seen this range in UDP before (TCP, yes, seen this type of
scanning). Looks like an automated tool, but I can't figure out why
these high ports. Any known trojans/scans in this range?

Devdas Bhagat
--
Time washes clean
Love's wounds unseen.
That's what someone told me;
But I don't know what it means.
              -- Linda Ronstadt, "Long Long Time"
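The thread gives a usable fingerprint for telling a UDP traceroute apart from a port scan: one source port for the whole run, the destination port rising by exactly one per probe, probes spaced a few seconds apart (4 s in the RealMapping run, 5 s by default), and, where the firewall logs the TTL as ipchains does, the TTL climbing by one every third packet. The script below is an added example and not code from either poster; it parses the firewall log format from Blake's post and the ipchains "Packet log:" format from Devdas's post, groups packets per (source, source port, destination) flow, and applies those checks. The first flow in the sample is taken verbatim from the post's log; the ipchains lines and the non-traceroute sweep are constructed for the example, and the 3-probes-per-hop and 3-6 second pacing window are assumptions from traceroute's usual defaults, not values the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Traceroute behaviour as described in the thread: UDP probes start at port
# 33434, the destination port is incremented for every probe, and probing
# stops after 30 hops. Three probes per hop is traceroute's usual default and
# matches "T increases by 1 every third packet" in the quoted ipchains log
# (assumption, not stated as a number in the thread).
TRACEROUTE_BASE_PORT = 33434
MAX_HOPS = 30
PROBES_PER_HOP = 3
DEFAULT_PORT_RANGE = (TRACEROUTE_BASE_PORT,
                      TRACEROUTE_BASE_PORT + MAX_HOPS * PROBES_PER_HOP)
PROBE_GAP_SECONDS = (3, 6)   # assumed window around the 4 s / 5 s waits in the thread

# "Thu Feb 1 06:34:20 2001 195.193.95.50/64363 > x.x.130.1/54451 udp 1 packet"
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>\S+)/(?P<sport>\d+) > (?P<dst>\S+)/(?P<dport>\d+) udp")
# ipchains "Packet log:" line; only PROTO=17 (UDP) entries matter here
IPCHAINS_RE = re.compile(
    r"PROTO=17 (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r".*?\bT=(?P<ttl>\d+)")


def parse_line(line):
    """Return (timestamp, src, sport, dst, dport, ttl) or None for other lines."""
    m = FIREWALL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return (ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), None)
    m = IPCHAINS_RE.search(line)
    if m:
        return (None, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["ttl"]))
    return None


def classify_flow(events):
    """Classify one (src, sport, dst) flow; events are parsed tuples in log order.

    Returns the verdict together with each check so an analyst sees why."""
    dports = [e[4] for e in events]
    steps = [b - a for a, b in zip(dports, dports[1:])]
    # traceroute raises the destination port by one for every probe
    increments_by_one = bool(steps) and all(s == 1 for s in steps)
    # one traceroute process keeps a single source port for the whole run
    single_sport = len({e[2] for e in events}) == 1
    # probes are spaced by the traceroute wait time when the hop does not answer
    times = [e[0] for e in events if e[0] is not None]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    paced_like_traceroute = all(
        PROBE_GAP_SECONDS[0] <= g <= PROBE_GAP_SECONDS[1] for g in gaps)
    # with a logged TTL (ipchains field T), it climbs by one every PROBES_PER_HOP packets
    ttls = [e[5] for e in events if e[5] is not None]
    ttl_steps_per_hop = all(
        ttls[i] == ttls[0] + i // PROBES_PER_HOP for i in range(len(ttls)))
    # informational only: the RealMapping probes in the thread sit above this range
    in_default_port_range = all(
        DEFAULT_PORT_RANGE[0] <= p <= DEFAULT_PORT_RANGE[1] for p in dports)
    is_traceroute = (increments_by_one and single_sport
                     and paced_like_traceroute and ttl_steps_per_hop)
    return {
        "verdict": "traceroute" if is_traceroute else "not-traceroute",
        "probes": len(events),
        "increments_by_one": increments_by_one,
        "single_sport": single_sport,
        "paced_like_traceroute": paced_like_traceroute,
        "ttl_steps_per_hop": ttl_steps_per_hop,
        "in_default_port_range": in_default_port_range,
    }


def classify_log(lines):
    """Group log lines per flow and classify each flow."""
    flows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            flows[(ev[1], ev[2], ev[3])].append(ev)
    return {flow: classify_flow(evs) for flow, evs in flows.items()}


SAMPLE_LINES = [
    # first six lines of the firewall log in the post (taken from the thread)
    "Thu Feb 1 06:34:20 2001 195.193.95.50/64363 > x.x.130.1/54451 udp 1 packet",
    "Thu Feb 1 06:34:24 2001 195.193.95.50/64363 > x.x.130.1/54452 udp 1 packet",
    "Thu Feb 1 06:34:28 2001 195.193.95.50/64363 > x.x.130.1/54453 udp 1 packet",
    "Thu Feb 1 06:34:32 2001 195.193.95.50/64363 > x.x.130.1/54454 udp 1 packet",
    "Thu Feb 1 06:34:36 2001 195.193.95.50/64363 > x.x.130.1/54455 udp 1 packet",
    "Thu Feb 1 06:34:41 2001 195.193.95.50/64363 > x.x.130.1/54456 udp 1 packet",
    # constructed ipchains lines modelled on the single line quoted in the thread
    "Feb 14 15:49:39 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33465 L=38 S=0x00 I=39429 F=0x0000 T=1 (#24)",
    "Feb 14 15:49:44 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33466 L=38 S=0x00 I=39430 F=0x0000 T=1 (#24)",
    "Feb 14 15:49:49 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33467 L=38 S=0x00 I=39431 F=0x0000 T=1 (#24)",
    "Feb 14 15:49:54 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33468 L=38 S=0x00 I=39432 F=0x0000 T=2 (#24)",
    "Feb 14 15:49:59 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33469 L=38 S=0x00 I=39433 F=0x0000 T=2 (#24)",
    "Feb 14 15:50:04 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33470 L=38 S=0x00 I=39434 F=0x0000 T=2 (#24)",
    # constructed contrast case: a real UDP service sweep, one packet per second
    "Thu Feb 1 10:00:00 2001 10.0.0.9/4000 > x.x.130.1/53 udp 1 packet",
    "Thu Feb 1 10:00:01 2001 10.0.0.9/4000 > x.x.130.1/111 udp 1 packet",
    "Thu Feb 1 10:00:02 2001 10.0.0.9/4000 > x.x.130.1/137 udp 1 packet",
    "Thu Feb 1 10:00:03 2001 10.0.0.9/4000 > x.x.130.1/161 udp 1 packet",
]

if __name__ == "__main__":
    for flow, result in classify_log(SAMPLE_LINES).items():
        print(flow, result)
```

The `in_default_port_range` flag is deliberately not part of the verdict: as the RealMapping admin notes, the ports in Blake's log sit well above 33434 + 30 hops, so a rule that only looks at the 33434 range would miss that run while the per-probe increment and the 4 second pacing still identify it.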


