Re: UDP Traceroutes?

["Portnoy, Gary" <gportnoy () BELENOSINC COM>]

Yes, sorry, forgot to mention that.  TTL=1.  Could this be similar to
firewalk?  But why look for UDP ports between 90 and 111.  Any vulnerable
services there?

[**] IDS03 - MISC-Traceroute UDP [**]
03/17-17:39:15.881480 128.9.160.210:3675 -> a.b.c.4:96
UDP TTL:1 TOS:0x0 ID:33310 IpLen:20 DgmLen:38
Len: 18
11 11 BC DF B3 3A F2 33 0E 00                    .....:.3..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS03 - MISC-Traceroute UDP [**]
03/17-09:14:42.621177 192.88.114.82:48617 -> z.b.c.4:89
UDP TTL:1 TOS:0x0 ID:48627 IpLen:20 DgmLen:40
Len: 20
0A 0A 00 00 53 71 B3 3A 33 E3 0C 00              ....Sq.:3...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

> -----Original Message-----
> From: Lampe, John W. [mailto:JWLAMPE () GAPAC com]
> Sent: Monday, March 19, 2001 11:38 AM
> To: Portnoy, Gary
> Cc: 'INCIDENTS () SECURITYFOCUS COM'
> Subject: RE: UDP Traceroutes?
>
>
> Hi Gary,
> Do you see ttl values=1 in the IP headers to imply that this is a
> traceroute-like scan?  The fact that the dest ports are
> incrementing looks
> more like a port scan than a traceroute.
>
> John Lampe
>
> -----Original Message-----
> From: Portnoy, Gary [mailto:gportnoy () BELENOSINC COM]
> Sent: Monday, March 19, 2001 10:43 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: UDP Traceroutes?
>
>
> Hello,
>
> In the last few days i've noticed a few interesting anomailes
> which look
> like they could be a particular breed of traceroute, but I
> didn't want to
> just discount them as that.  Traceroute's default destination
> is port UDP
> 33434 increasing by one with every packet sent.  I've been
> seeing various
> sources tracerouting to me with destination ports below 111 and always
> terminating at 111.  They usually reach me with dest port
> somewhere in the
> 90's and always increase till 111 (UDP).  The sources are
> 128.9.160.210,
> 141.213.10.128, 192.88.114.82, 193.10.66.138.  See below: