Security Incidents mailing list archives
Re: Weird scan on port 1214
From: "Nathan W. Labadie" <nate () ucomm wayne edu>
Date: Fri, 29 Jun 2001 11:32:15 -0400
Actually, it probably is kazaa. I watched a kazaa host attempt to connect to a few thousand other addresses, and actually established connections with a couple hundred. As with most p2p applications, it is extremely inefficient and relies on a large number of connections and ample bandwidth. Try watching a gnutella host do 45Mbps of outbound traffic in queries alone ;).

Hope this helps,
Nate

On Thursday 28 June 2001 03:17 pm, you wrote:
> Hi. I today installed a log watcher for our router logs - they show all incoming and outgoing connections, complete with source and dest ports, timestamps, packet count, and size - no IP flags or protocol info, though. :(
>
> So, the watcher alerts us if any single host tries a large (defined as 3000) number of connections within, say, half an hour. Most normal hosts don't go over about 1,000 connections in this time frame. Seems a decent heuristic for a first check for evildoers; it won't pick up "slow" scans and the like, but it's a start.
>
> Which leads us to later tonight, when the watcher starts throwing some alerts. Seems like one of our hosts (a win2k machine if we believe nmap) is connecting to lots of other hosts, on port 1214. Approx. 25,000 connections to distinct, random-looking hosts, for that single port number, with a packet count of 3-4 packets each connection. This has been going on over a time frame of 3 hours now, and no signs of slowing down. Wish I could pull this thing off the net myself - unfortunately this will have to wait till morning :(
>
> Now, port 1214 is reserved for what is called "Intelligent Communications Protocol" on tcp and KAZAA on udp. I don't know what the first one is; I do know that Kazaa is a file sharing thingy though. The small packet count reminds one of a vulnerability scan. Has there been any vulnerability known re: kazaa (the most probable target)?
>
> Thank you all in advance for your time, and sorry for making such a lengthy post.
>
> --
> Vangelis Haniotakis - Network & Communications Centre, University of Crete
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Nathan W. Labadie      | nate () ucomm wayne edu
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
GPG Key: http://ucomm.wayne.edu/~nate/gpg_key.asc
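The connection-count heuristic described in the quoted post (alert when one host opens more than N connections inside a half-hour window, then look at which destination port and how many distinct peers were involved) is easy to reproduce over flow-style router logs. The following is an added example, not code from either poster: the log line format (timestamp, source, source port, destination, destination port, packet count, byte count) is a constructed stand-in for whatever the real router exports, the sample traffic is generated in `build_sample_log()` to mimic one p2p-style host fanning out on tcp/1214 with 3-4 packets per connection next to an ordinary web client, and the threshold is scaled down from the post's 3000 so the small sample trips it. The summary attached to each alert (share of connections on the top port, distinct destinations, mean packet count) is what lets you tell a p2p client's peer discovery from a vulnerability scan without protocol flags in the log.

```python
"""Per-source connection-rate alerting over flow-style router logs.

Added example. The log format is an assumption made for this demo:
    <ISO timestamp> <src> <sport> <dst> <dport> <packets> <bytes>
Adjust parse_line() to match the real export.
"""
from __future__ import annotations

import random
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable


def parse_line(line: str) -> dict:
    """Parse one (constructed-format) log line into a record."""
    ts, src, sport, dst, dport, pkts, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "packets": int(pkts), "bytes": int(nbytes),
    }


def detect_scanners(lines: Iterable[str], threshold: int = 3000,
                    window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one alert per source whose connection count inside any
    `window`-long sliding span exceeds `threshold`.

    Lines must be in time order. Each alert summarises everything the
    source has done so far: how concentrated it is on one destination
    port, how many distinct peers it touched, and the mean packet count
    per connection (3-4 packets looks like a handshake and little else).
    """
    recent: dict[str, deque] = defaultdict(deque)  # src -> ts inside window
    seen: dict[str, list] = defaultdict(list)      # src -> all records
    alerted: set[str] = set()
    alerts: list[dict] = []
    for line in lines:
        rec = parse_line(line)
        src = rec["src"]
        seen[src].append(rec)
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop entries that aged out
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            recs = seen[src]
            top_port, top_n = Counter(r["dport"] for r in recs).most_common(1)[0]
            alerts.append({
                "src": src,
                "first_seen": recs[0]["ts"],
                "alert_at": rec["ts"],
                "connections": len(recs),
                "distinct_dsts": len({r["dst"] for r in recs}),
                "top_dport": top_port,
                "top_dport_share": top_n / len(recs),
                "mean_packets": sum(r["packets"] for r in recs) / len(recs),
            })
    return alerts


def build_sample_log(seed: int = 1214) -> list[str]:
    """Constructed traffic (not real log data): one host fanning out to a
    new peer every 3 s on tcp/1214 with 3-4 packets per connection, and
    one ordinary host holding a few longer sessions to a web server."""
    rng = random.Random(seed)
    start = datetime(2001, 6, 28, 20, 0, 0)
    lines = []
    for i in range(60):  # p2p-style host: a distinct destination every time
        ts = start + timedelta(seconds=3 * i)
        dst = f"198.51.{i}.{rng.randrange(1, 255)}"
        pkts = rng.choice((3, 4))
        lines.append(f"{ts.isoformat()} 10.1.2.3 {1030 + i} {dst} 1214 {pkts} {pkts * 60}")
    for i in range(10):  # normal host: few peers, real data transfer
        ts = start + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 10.1.2.9 {2000 + i} 203.0.113.{i % 3 + 1} "
                     f"80 {rng.randrange(20, 200)} 45000")
    lines.sort()  # fixed-width ISO timestamps sort correctly as strings
    return lines


if __name__ == "__main__":
    for alert in detect_scanners(build_sample_log(), threshold=30):
        print(f"{alert['src']}: {alert['connections']} connections to "
              f"{alert['distinct_dsts']} distinct hosts, "
              f"{alert['top_dport_share']:.0%} on port {alert['top_dport']}, "
              f"mean {alert['mean_packets']:.1f} packets/connection")
```

Run as a script it prints the single alert for the fanning-out host; the web client never trips the threshold. Shrinking `window` to a few seconds shows why the window size matters: the same host no longer accumulates enough connections in any span to alert, which is the "slow scan" blind spot the original post acknowledges.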
Current thread:
- Weird scan on port 1214 Vangelis Haniotakis (Jun 29)
- Re: Weird scan on port 1214 Nathan W. Labadie (Jun 29)
- Re: Weird scan on port 1214 Greg A. Woods (Jun 30)
- Re: Weird scan on port 1214 Vangelis Haniotakis (Jun 30)
- <Possible follow-ups>
- Re: Weird scan on port 1214 Matt Scarborough (Jun 30)