Security Incidents mailing list archives

Re: Weird scan on port 1214


From: "Nathan W. Labadie" <nate () ucomm wayne edu>
Date: Fri, 29 Jun 2001 11:32:15 -0400

Actually, it probably is kazaa. I watched a kazaa host attempt to 
connect to a few thousand other addresses, and actually established 
connections with a couple hundred. As with most p2p applications, it is 
extremely inefficient and relies on a large number of connections and 
ample bandwidth. Try watching a gnutella host do 45Mbps of outbound 
traffic in queries alone ;).

Hope this helps,
Nate 

On Thursday 28 June 2001 03:17 pm, you wrote:
 Hi.

 I today installed a log watcher for our router logs - they show all
incoming and outgoing connections, complete with source and dest
ports, timestamps, packet count, and size - no IP flags or protocol
info, though. :(

 So, the watcher alerts us if any single host tries a large (defined
as > 3000) number of connections within, say, half an hour. Most normal
hosts don't go over about 1,000 connections in this time frame. Seems a
decent heuristic for a first check for evildoers, it won't pick up
"slow" scans and the like but it's a start.

 Which leads us to later tonight, when the watcher starts throwing
some alerts. Seems like one of our hosts (a win2k machine if we
believe nmap) is connecting to lots of other hosts, on port 1214.
Approx. 25,000 connections to distinct, random-looking hosts, for
that single port number, with a packet count of 3-4 packets each
connection.

 This has been going on over a time frame of 3 hours now, and no
signs of slowing down. Wish I could pull this thing off the net
myself - unfortunately this will have to wait till morning :(

 Now, port 1214 is reserved for what is called "Intelligent
Communications Protocol" on tcp and KAZAA on udp. I don't know what
the first one is, I do know that Kazaa is a file sharing thingy
though.

 The small packet count reminds one of a vulnerability scan. Has
there been any vulnerability known re: kazaa (the most probable
target)?


 Thank you all in advance for your time, and sorry for making such a
lengthy post.



--
Vangelis Haniotakis - Network & Communications Centre, University of
Crete



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com

-- 
Nathan W. Labadie       | nate () ucomm wayne edu       
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
GPG Key: http://ucomm.wayne.edu/~nate/gpg_key.asc
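The connection-count heuristic from the quoted post (alert when one host opens more than about 3000 connections in half an hour, with fan-out to distinct hosts on a single port and 3-4 packets per connection as the tell-tale), implemented over router-style connection logs. This is an added example and is not code from either poster. The log line layout, the addresses 10.0.0.5 and 10.0.0.9, and the sample lines are constructed assumptions; the sample is scaled down, so the demo uses a threshold of 100 instead of the post's 3000.

```python
"""Connection fan-out heuristic over router connection logs.

Added example; not code from the mailing-list thread. The log line layout
is an assumption (the post only says the logs carry source and destination
addresses and ports, a timestamp, packet count and size, and no protocol or
flag information). The sample lines are constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed layout, one connection per line (whitespace separated):
#   <ISO timestamp> <src ip> <src port> <dst ip> <dst port> <packets> <bytes>
ORIGIN = datetime(2001, 1, 1)  # fixed origin so window boundaries are stable


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    size: int


def parse_line(line: str) -> Conn:
    ts, src, sport, dst, dport, pkts, size = line.split()
    return Conn(datetime.fromisoformat(ts), src, int(sport), dst,
                int(dport), int(pkts), int(size))


def summarize(conns, window=timedelta(minutes=30)):
    """Per (source host, tumbling window), the figures the post looks at:
    connections opened, distinct destination hosts, the dominant destination
    port and its share, and mean packets per connection (3-4 per connection
    to thousands of distinct hosts is the pattern the post describes)."""
    buckets = defaultdict(list)
    for c in conns:
        start = ORIGIN + ((c.ts - ORIGIN) // window) * window
        buckets[(c.src, start)].append(c)
    report = {}
    for key, cs in buckets.items():
        by_port = defaultdict(int)
        for c in cs:
            by_port[c.dport] += 1
        top_port, top_n = max(by_port.items(), key=lambda kv: kv[1])
        report[key] = {
            "connections": len(cs),
            "distinct_dsts": len({c.dst for c in cs}),
            "top_dport": top_port,
            "top_dport_share": top_n / len(cs),
            "mean_packets": sum(c.packets for c in cs) / len(cs),
        }
    return report


def alerts(conns, threshold=3000, window=timedelta(minutes=30)):
    """The post's rule: alert when one host exceeds `threshold` connections
    inside one window (3000 per half hour in the post). Slow scans that stay
    under the threshold are not caught, as the post itself notes."""
    return {k: v for k, v in summarize(conns, window).items()
            if v["connections"] > threshold}


def constructed_log(seed=1214):
    """Constructed sample log, scaled down: one host fanning out to 400
    distinct random-looking addresses on port 1214 with 3-4 packets each,
    and one ordinary web client talking to three servers."""
    rng = random.Random(seed)
    t0 = datetime(2001, 6, 28, 21, 0, 0)
    lines, seen = [], set()
    for _ in range(400):
        dst = None
        while dst is None or dst in seen:
            dst = (f"{rng.randint(1, 223)}.{rng.randint(1, 254)}."
                   f"{rng.randint(1, 254)}.{rng.randint(1, 254)}")
        seen.add(dst)
        ts = t0 + timedelta(seconds=rng.randint(0, 1799))
        lines.append(f"{ts.isoformat()} 10.0.0.5 {rng.randint(1025, 5000)} "
                     f"{dst} 1214 {rng.randint(3, 4)} {rng.randint(120, 300)}")
    for _ in range(60):
        ts = t0 + timedelta(seconds=rng.randint(0, 1799))
        server = rng.choice(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
        lines.append(f"{ts.isoformat()} 10.0.0.9 {rng.randint(1025, 5000)} "
                     f"{server} {rng.choice([80, 443])} "
                     f"{rng.randint(10, 60)} {rng.randint(2000, 90000)}")
    return lines


if __name__ == "__main__":
    conns = [parse_line(l) for l in constructed_log()]
    for (host, start), v in alerts(conns, threshold=100).items():
        print(f"{start:%Y-%m-%d %H:%M} {host}: {v['connections']} connections, "
              f"{v['distinct_dsts']} distinct hosts, {v['top_dport_share']:.0%} "
              f"to port {v['top_dport']}, {v['mean_packets']:.1f} packets/conn")
```

Because these logs carry no protocol or flag information, the rule cannot tell tcp from udp or a SYN-only probe from a completed handshake; the fan-out (distinct hosts), single-port concentration and low packets-per-connection figures are what separate a P2P peer search or scanner from a busy but ordinary client, which talks to few hosts with many packets each.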

