Security Incidents mailing list archives

Re: UDP Traceroutes?


From: "Lampe, John W." <JWLAMPE () GAPAC COM>
Date: Mon, 19 Mar 2001 11:38:04 -0500

Hi Gary,
Do you see ttl values=1 in the IP headers to imply that this is a
traceroute-like scan?  The fact that the dest ports are incrementing looks
more like a port scan than a traceroute.

John Lampe

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () BELENOSINC COM]
Sent: Monday, March 19, 2001 10:43 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: UDP Traceroutes?


Hello,

In the last few days I've noticed a few interesting anomalies which look
like they could be a particular breed of traceroute, but I didn't want to
just discount them as that.  Traceroute's default destination is port UDP
33434 increasing by one with every packet sent.  I've been seeing various
sources tracerouting to me with destination ports below 111 and always
terminating at 111.  They usually reach me with dest port somewhere in the
90's and always increase till 111 (UDP).  The sources are 128.9.160.210,
141.213.10.128, 192.88.114.82, 193.10.66.138.  See below:
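
The check raised in the reply (TTL values alongside incrementing destination ports), sketched as an added example that is not part of either message: it groups UDP probes by source and separates a traceroute-like TTL ramp from a sequential port scan with a constant TTL. The records, the `LOW_TTL` and `MIN_PROBES` thresholds, and the labels are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sensor records (source, UDP dest port, TTL seen); documentation-range
# addresses, not data from the thread.
SAMPLE = [
    ("192.0.2.10", 95, 1), ("192.0.2.10", 96, 1), ("192.0.2.10", 97, 1),
    ("192.0.2.10", 98, 2), ("192.0.2.10", 99, 2), ("192.0.2.10", 100, 2),
    ("198.51.100.7", 95, 52), ("198.51.100.7", 96, 52), ("198.51.100.7", 97, 52),
    ("198.51.100.7", 98, 52), ("198.51.100.7", 99, 52), ("198.51.100.7", 100, 52),
    ("203.0.113.5", 53, 60), ("203.0.113.5", 4000, 60),
]

TRACEROUTE_BASE = 33434  # default first destination port, as stated in the post
LOW_TTL = 5              # assumption: TTL at or below this counts as near expiry
MIN_PROBES = 4           # assumption: shorter runs are left unclassified


def classify(probes):
    """Label one source's probes, given as (dst_port, ttl) in arrival order."""
    if len(probes) < MIN_PROBES:
        return "insufficient-data"
    ports = [port for port, _ in probes]
    ttls = [ttl for _, ttl in probes]
    if any(b - a != 1 for a, b in zip(ports, ports[1:])):
        return "other"
    # Ports step by one: both a traceroute and a sequential port scan do this,
    # so the TTL pattern decides between them.
    ramp = all(b >= a for a, b in zip(ttls, ttls[1:]))
    if min(ttls) <= LOW_TTL and ramp:
        base = "default" if ports[0] >= TRACEROUTE_BASE else "non-default"
        return f"traceroute-like ({base} port base)"
    if len(set(ttls)) == 1:
        return "port-scan-like"
    return "sequential-ports, ttl inconclusive"


def classify_all(records):
    """Group (src, dst_port, ttl) records by source and classify each group."""
    by_src = defaultdict(list)
    for src, port, ttl in records:
        by_src[src].append((port, ttl))
    return {src: classify(probes) for src, probes in by_src.items()}


if __name__ == "__main__":
    for src, label in classify_all(SAMPLE).items():
        print(src, label)
```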
