Security Incidents mailing list archives
Re: UDP Traceroutes?
From: "Lampe, John W." <JWLAMPE () GAPAC COM>
Date: Mon, 19 Mar 2001 11:38:04 -0500
Hi Gary, Do you see ttl values=1 in the IP headers to imply that this is a traceroute-like scan? The fact that the dest ports are incrementing looks more like a port scan than a traceroute. John Lampe -----Original Message----- From: Portnoy, Gary [mailto:gportnoy () BELENOSINC COM] Sent: Monday, March 19, 2001 10:43 AM To: INCIDENTS () SECURITYFOCUS COM Subject: UDP Traceroutes? Hello, In the last few days i've noticed a few interesting anomailes which look like they could be a particular breed of traceroute, but I didn't want to just discount them as that. Traceroute's default destination is port UDP 33434 increasing by one with every packet sent. I've been seeing various sources tracerouting to me with destination ports below 111 and always terminating at 111. They usually reach me with dest port somewhere in the 90's and always increase till 111 (UDP). The sources are 128.9.160.210, 141.213.10.128, 192.88.114.82, 193.10.66.138. See below:
Current thread:
- UDP Traceroutes? Portnoy, Gary (Mar 19)
- <Possible follow-ups>
- Re: UDP Traceroutes? Lampe, John W. (Mar 19)
- Re: UDP Traceroutes? Portnoy, Gary (Mar 19)