Security Incidents mailing list archives
Re: Wierd UDP packets
From: Blake Frantz <blake () MC NET>
Date: Wed, 14 Feb 2001 13:33:40 -0600
At first glance this appears to be a traceroute; the base UDP port number used by traceroute is 33434. Are the packets coming every 5 seconds?

Another heads up. RealMappingTM is "mapping" the Internet and causing funny log entries along the way. Here is a sample log, and the response I got from their admins.

<log>
Thu Feb 1 06:34:20 2001 195.193.95.50/64363 > x.x.130.1/54451 udp 1 packet
Thu Feb 1 06:34:24 2001 195.193.95.50/64363 > x.x.130.1/54452 udp 1 packet
Thu Feb 1 06:34:28 2001 195.193.95.50/64363 > x.x.130.1/54453 udp 1 packet
Thu Feb 1 06:34:32 2001 195.193.95.50/64363 > x.x.130.1/54454 udp 1 packet
Thu Feb 1 06:34:36 2001 195.193.95.50/64363 > x.x.130.1/54455 udp 1 packet
Thu Feb 1 06:34:41 2001 195.193.95.50/64363 > x.x.130.1/54456 udp 1 packet
Thu Feb 1 09:48:09 2001 195.193.95.50/63587 > x.x.186.1/42906 udp 1 packet
Thu Feb 1 09:48:12 2001 195.193.95.50/63587 > x.x.186.1/42907 udp 1 packet
Thu Feb 1 09:48:16 2001 195.193.95.50/63587 > x.x.186.1/42908 udp 1 packet
Thu Feb 1 09:48:20 2001 195.193.95.50/63587 > x.x.186.1/42909 udp 1 packet
Thu Feb 1 09:48:24 2001 195.193.95.50/63587 > x.x.186.1/42910 udp 1 packet
Thu Feb 1 09:48:28 2001 195.193.95.50/63587 > x.x.186.1/42911 udp 1 packet
Thu Feb 1 09:48:34 2001 195.193.95.50/63587 > x.x.186.1/42945 udp 1 packet
Thu Feb 1 09:48:38 2001 195.193.95.50/63587 > x.x.186.1/42946 udp 1 packet
Thu Feb 1 09:48:42 2001 195.193.95.50/63587 > x.x.186.1/42947 udp 1 packet
Thu Feb 1 09:48:46 2001 195.193.95.50/63587 > x.x.186.1/42948 udp 1 packet
Thu Feb 1 09:48:50 2001 195.193.95.50/63587 > x.x.186.1/42949 udp 1 packet
Thu Feb 1 09:48:54 2001 195.193.95.50/63587 > x.x.186.1/42950 udp 1 packet
Thu Feb 1 09:48:59 2001 195.193.95.50/63587 > x.x.186.1/42984 udp 1 packet
Thu Feb 1 09:49:03 2001 195.193.95.50/63587 > x.x.186.1/42985 udp 1 packet
Thu Feb 1 09:49:07 2001 195.193.95.50/63587 > x.x.186.1/42986 udp 1 packet
Thu Feb 1 09:49:12 2001 195.193.95.50/63587 > x.x.186.1/42987 udp 1 packet
Thu Feb 1 09:49:15 2001 195.193.95.50/63587 > x.x.186.1/42988 udp 1 packet
Thu Feb 1 09:49:19 2001 195.193.95.50/63587 > x.x.186.1/42989 udp 1 packet
Thu Feb 1 09:49:25 2001 195.193.95.50/63587 > x.x.186.1/43023 udp 1 packet
Thu Feb 1 09:49:29 2001 195.193.95.50/63587 > x.x.186.1/43024 udp 1 packet
Thu Feb 1 09:49:33 2001 195.193.95.50/63587 > x.x.186.1/43025 udp 1 packet
Thu Feb 1 09:49:37 2001 195.193.95.50/63587 > x.x.186.1/43026 udp 1 packet
Thu Feb 1 09:49:41 2001 195.193.95.50/63587 > x.x.186.1/43027 udp 1 packet
Thu Feb 1 09:49:45 2001 195.193.95.50/63587 > x.x.186.1/43028 udp 1 packet
Thu Feb 1 09:49:50 2001 195.193.95.50/63587 > x.x.186.1/43062 udp 1 packet
Thu Feb 1 09:49:54 2001 195.193.95.50/63587 > x.x.186.1/43063 udp 1 packet
Thu Feb 1 09:49:58 2001 195.193.95.50/63587 > x.x.186.1/43064 udp 1 packet
Thu Feb 1 09:50:02 2001 195.193.95.50/63587 > x.x.186.1/43065 udp 1 packet
Thu Feb 1 09:50:06 2001 195.193.95.50/63587 > x.x.186.1/43066 udp 1 packet
Thu Feb 1 09:50:10 2001 195.193.95.50/63587 > x.x.186.1/43067 udp 1 packet
Thu Feb 1 09:50:16 2001 195.193.95.50/63587 > x.x.186.1/43101 udp 1 packet
Thu Feb 1 09:50:20 2001 195.193.95.50/63587 > x.x.186.1/43102 udp 1 packet
Thu Feb 1 09:50:24 2001 195.193.95.50/63587 > x.x.186.1/43103 udp 1 packet
Thu Feb 1 09:50:28 2001 195.193.95.50/63587 > x.x.186.1/43104 udp 1 packet
Thu Feb 1 09:50:32 2001 195.193.95.50/63587 > x.x.186.1/43105 udp 1 packet
Thu Feb 1 09:50:36 2001 195.193.95.50/63587 > x.x.186.1/43106 udp 1 packet
Thu Feb 1 09:50:41 2001 195.193.95.50/63587 > x.x.186.1/43140 udp 1 packet
Thu Feb 1 09:50:45 2001 195.193.95.50/63587 > x.x.186.1/43141 udp 1 packet
Thu Feb 1 09:50:49 2001 195.193.95.50/63587 > x.x.186.1/43142 udp 1 packet
Thu Feb 1 09:50:53 2001 195.193.95.50/63587 > x.x.186.1/43143 udp 1 packet
Thu Feb 1 09:50:57 2001 195.193.95.50/63587 > x.x.186.1/43144 udp 1 packet
Thu Feb 1 09:51:01 2001 195.193.95.50/63587 > x.x.186.1/43145 udp 1 packet
Thu Feb 1 09:51:55 2001 195.193.95.50/63587 > x.x.186.1/43218 udp 1 packet
Thu Feb 1 09:51:59 2001 195.193.95.50/63587 > x.x.186.1/43219 udp 1 packet
Thu Feb 1 09:52:03 2001 195.193.95.50/63587 > x.x.186.1/43220 udp 1 packet
Thu Feb 1 09:52:07 2001 195.193.95.50/63587 > x.x.186.1/43221 udp 1 packet
Thu Feb 1 09:52:11 2001 195.193.95.50/63587 > x.x.186.1/43222 udp 1 packet
Thu Feb 1 09:52:15 2001 195.193.95.50/63587 > x.x.186.1/43223 udp 1 packet
</log>

<mail snip>
Here is our reaction to your mail on scanning ports on your network from a machine from our network. First let me apologize for this event; as a former network operator I'm aware of the irritation in these events.

Actually what happened is not a port scan, but just one traceroute. For a research project (we are trying to get better knowledge of the Internet topology) we have done numerous traceroutes to different hosts on the Internet (all ending with .1, as you can see in your logfiles). If traceroute is blocked on your firewall, it will try to reach one hop beyond on port +1 at 4 seconds later (4 seconds is not default, it's our parameter; default is 5 seconds). This will continue until 30 hops have been tried. As you can see in your logfiles, this is what happened on your firewall.

I must say I was unaware of this behaviour of traceroute. This does look like a port scan, 'cause the port is incremented every time, so I can imagine your state of alarm. We were not looking for anything specific on your network. As you might have noticed in your logfiles, these are the only connections we have tried to your network.

I have to admit there's one piece of the logfiles I don't really understand. Traceroute starts at port 33434 (in our man traceroute on Linux Redhat 6) and does only a maximum of 30 hops. The ports accessed on your firewall are slightly higher than this. If I find out why this is, I will let you know; this might help you in the future for determining what's happening on your network.

I would like to mention that Tribute, our hosting company, is not related in any way to our company except that they host our machines. Any (eventually suspicious) actions on our machines are solely our responsibility.
</mail snip>

I hope this saves some leg work.

-Blake
=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Wed, 14 Feb 2001, Devdas Bhagat wrote:
Feb 14 15:49:39 ns1 kernel: Packet log: input DENY eth0 PROTO=17 144.16.64.112:39398 a.b.c.d:33465 L=38 S=0x00 I=39429 F=0x0000 T=1 (#24)

(The values of I increase serially, T increases by 1 every third packet.)

I have got this weird UDP scan from 144.16.64.112:39398 to UDP ports in the range 33467 to 39398. I have never seen this range in UDP before (TCP, yes, seen this type of scanning). Looks like an automated tool, but I can't figure out why these high ports. Any known trojans/scans in this range?

Devdas Bhagat
--
Time washes clean
Love's wounds unseen.
That's what someone told me;
But I don't know what it means.
-- Linda Ronstadt, "Long Long Time"
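The traceroute fingerprint this thread describes is easy to check mechanically: a fixed source port, destination ports starting at 33434 and incremented once per probe, three probes per hop so the TTL rises by one every third packet, and one probe per timeout (4 to 5 seconds) when the firewall drops the probes silently and never returns ICMP port unreachable. The Python below is an added example and not code from either poster or from RealMapping. It parses constructed log lines in the two formats quoted above (the addresses 198.51.100.7, 203.0.113.9, 203.0.113.77 and 192.0.2.1 are documentation ranges, and the ports and timestamps are invented), groups packets by source address, source port and destination, and labels each flow traceroute-like or port-scan-like. The "first port at or above 33434" test is deliberately loose because the RealMapping log above uses ports well beyond the stock 33434 + 90 window, and the 80% threshold on +1 steps tolerates the occasional jump that log shows. A scanner that walked ports upward slowly would still pass, so treat the verdict as triage, not proof.

```python
"""Triage UDP 'scans' in firewall logs: traceroute-like or port-scan-like?

Added example for this thread, not code from either poster.  It encodes the
traceroute behaviour the thread describes: successive destination ports from
33434 up, three probes per hop (TTL rises every third packet) and a timeout
between probes when nothing answers.  Sample lines are constructed; all
addresses, ports and times in them are invented.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

TRACEROUTE_BASE_PORT = 33434  # first destination port of a stock traceroute
PROBES_PER_HOP = 3            # probes per TTL value (traceroute -q default)
MIN_PROBE_GAP_S = 1.0         # a probe waits for a timeout; scanners do not

# Format 1: "Thu Feb  1 09:48:09 2001 SRC/SPORT > DST/DPORT udp 1 packet"
FW_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) > (?P<dst>[\d.]+)/(?P<dport>\d+) udp\b")
# Format 2: ipchains "Feb 14 15:49:39 host kernel: Packet log: ... PROTO=17 SRC:SPORT DST:DPORT ... T=TTL"
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: .*\bPROTO=17 "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\bT=(?P<ttl>\d+)")

SAMPLE_LOG = """\
Thu Feb  1 09:48:09 2001 198.51.100.7/63587 > 192.0.2.1/42906 udp 1 packet
Thu Feb  1 09:48:13 2001 198.51.100.7/63587 > 192.0.2.1/42907 udp 1 packet
Thu Feb  1 09:48:17 2001 198.51.100.7/63587 > 192.0.2.1/42908 udp 1 packet
Thu Feb  1 09:48:21 2001 198.51.100.7/63587 > 192.0.2.1/42909 udp 1 packet
Thu Feb  1 09:48:25 2001 198.51.100.7/63587 > 192.0.2.1/42910 udp 1 packet
Thu Feb  1 09:48:29 2001 198.51.100.7/63587 > 192.0.2.1/42911 udp 1 packet
Thu Feb  1 09:48:34 2001 198.51.100.7/63587 > 192.0.2.1/42945 udp 1 packet
Thu Feb  1 11:02:00 2001 203.0.113.77/40000 > 192.0.2.1/53 udp 1 packet
Thu Feb  1 11:02:00 2001 203.0.113.77/40000 > 192.0.2.1/161 udp 1 packet
Thu Feb  1 11:02:00 2001 203.0.113.77/40000 > 192.0.2.1/137 udp 1 packet
Thu Feb  1 11:02:00 2001 203.0.113.77/40000 > 192.0.2.1/500 udp 1 packet
Feb 14 15:49:39 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33465 L=38 S=0x00 I=39429 F=0x0000 T=1 (#24)
Feb 14 15:49:44 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33466 L=38 S=0x00 I=39430 F=0x0000 T=1 (#24)
Feb 14 15:49:49 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33467 L=38 S=0x00 I=39431 F=0x0000 T=1 (#24)
Feb 14 15:49:54 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33468 L=38 S=0x00 I=39432 F=0x0000 T=2 (#24)
Feb 14 15:49:59 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33469 L=38 S=0x00 I=39433 F=0x0000 T=2 (#24)
Feb 14 15:50:04 ns1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:39398 192.0.2.1:33470 L=38 S=0x00 I=39434 F=0x0000 T=2 (#24)
"""


def parse_line(line):
    """Parse one log line into flow key, timestamp, dport and TTL; None if no match."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        ttl = None  # this firewall format does not log the TTL
    else:
        m = IPCHAINS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ttl = int(m["ttl"])
    return {"key": (m["src"], int(m["sport"]), m["dst"]),
            "ts": ts, "dport": int(m["dport"]), "ttl": ttl}


def ttl_steps_every_n(ttls, n=PROBES_PER_HOP):
    """True if TTL is constant within groups of n probes and rises by one between
    groups (one hop per group); None when there are too few probes to judge."""
    if len(ttls) < 2 * n:
        return None
    return all(t == ttls[0] + i // n for i, t in enumerate(ttls))


def classify(pkts):
    """Verdict plus evidence for one (src, sport, dst) flow sorted by time."""
    ports = [p["dport"] for p in pkts]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
    ttls = [p["ttl"] for p in pkts if p["ttl"] is not None]
    ev = {
        "first_port": ports[0],
        "median_gap_s": statistics.median(gaps) if gaps else 0.0,
        "ports_monotonic": all(s >= 1 for s in steps),
        # the quoted log shows occasional jumps, so require "mostly" +1, not all
        "ports_mostly_plus_one": bool(steps) and steps.count(1) >= 0.8 * len(steps),
        "ttl_steps_per_hop": ttl_steps_every_n(ttls) if ttls else None,
    }
    if len(pkts) < 4:
        ev["verdict"] = "too-few-packets"
    elif (ev["ports_monotonic"] and ev["ports_mostly_plus_one"]
          and ports[0] >= TRACEROUTE_BASE_PORT
          and ev["median_gap_s"] >= MIN_PROBE_GAP_S
          and ev["ttl_steps_per_hop"] is not False):
        ev["verdict"] = "traceroute-like"
    else:
        ev["verdict"] = "udp-port-scan-like"
    return ev


def analyse(lines):
    """Group parsed packets by (src, sport, dst) and classify each flow."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[pkt["key"]].append(pkt)
    return {k: classify(sorted(v, key=lambda p: p["ts"])) for k, v in flows.items()}
```

Calling analyse(SAMPLE_LOG.splitlines()) returns one evidence dict per flow; the two port-incrementing, slow-paced flows come back traceroute-like and the burst at well-known UDP ports comes back udp-port-scan-like. The ipchains flow is the only one that carries a TTL, and it is the TTL pattern (constant for three probes, then +1) that distinguishes real traceroute probes from a scanner that merely walks ports upward, so prefer a log format that records it.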
Current thread:
- Wierd UDP packets Devdas Bhagat (Feb 14)
- Re: Wierd UDP packets Tapio Sokura (Feb 14)
- Re: Wierd UDP packets Blake Frantz (Feb 14)