Security Incidents mailing list archives

Re: Strange UDP Activity


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 16 Apr 2002 11:19:28 -0600 (MDT)

On Tue, 16 Apr 2002, LAVELLE,MICHAEL (HP-PaloAlto,ex1) wrote:
> I recently started seeing strange UDP traffic to my home DSL, which is
> included below. It has been active for the last 4 days at all hours. None of
> these IPs are DNS servers that I use, and much of the activity is when all
> of my computers are off.

What do you mean when your computers are off?  I assume X.X.55.121 is one
of yours?  The machine that belongs to that IP address is off when this
traffic is being logged?


> Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53)
> -> X.X.55.121(1067), 4 packets
> Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53)
> -> X.X.55.121(1067), 4 packets

Those first two (all I checked) are root DNS servers.  This makes it look
exactly like you've got a copy of bind running on X.X.55.121, and it's
just trying to resolve names.  However, if that machine is supposed to be
off...

                                                Ryan
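
Ryan only checked the first two source addresses by hand. The script below is an added example, not part of this thread or of anything the posters ran: it parses Cisco IOS %SEC-6-IPACCESSLOGP lines of the form quoted above, looks each source up against the root name server addresses, and decides per destination host whether the denied UDP looks like root-server replies to a single resolver socket (what a local BIND doing recursion produces once the inbound ACL drops the answers) or like something else. The root server table is taken from the current root hints at root-servers.org (assumption: several letters have changed address since 2002, although I and M, the two quoted in the post, have not). The sample log is the two lines from the post plus two constructed lines; the host X.X.55.121 is kept masked as in the post.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log line as quoted in the thread, e.g.
#   Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
# [\w.]+ for the addresses so the X.X-masked host in the post still parses.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# IPv4 addresses of root servers A-M from the current root hints file.
# Assumption: copied from root-servers.org today; some letters have moved
# since 2002, but I (192.36.148.17) and M (202.12.27.33) have not.
ROOT_SERVERS = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c",
    "199.7.91.13": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "198.97.190.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# The two lines quoted in the post, followed by two constructed lines
# (not from the post): a third root server reply and an unrelated UDP probe.
SAMPLE_LOG = [
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:45:01: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 2 packets",
    "Apr 14 22:46:13: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.7(137) -> X.X.55.121(137), 1 packet",
]


def parse_acl_line(line):
    """Return the fields of one ACL log line as a dict, or None if it does not match."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def classify(lines):
    """Group denied UDP by destination host and say whether it looks like
    replies to a recursive resolver on that host rather than a scan."""
    by_dst = defaultdict(lambda: {"root_replies": 0, "other_dns": 0, "non_dns": 0,
                                  "client_ports": set(), "root_letters": set()})
    for line in lines:
        rec = parse_acl_line(line)
        if rec is None or rec["proto"] != "udp":
            continue
        d = by_dst[rec["dst"]]
        if rec["sport"] == 53:
            # Source port 53 means this is an answer, not a query; note which
            # local port the answers are aimed at.
            d["client_ports"].add(rec["dport"])
            letter = ROOT_SERVERS.get(rec["src"])
            if letter:
                d["root_replies"] += rec["count"]
                d["root_letters"].add(letter)
            else:
                d["other_dns"] += rec["count"]
        else:
            d["non_dns"] += rec["count"]

    verdicts = {}
    for dst, d in by_dst.items():
        # Answers from several different root servers, all from port 53 to the
        # same one or two high ports, are what a resolver's own outbound
        # queries produce once the inbound ACL drops the replies. A scan does
        # not arrive from port 53 of the root servers.
        if d["root_replies"] and len(d["client_ports"]) <= 2:
            verdict = "resolver-like: root server replies to a fixed ephemeral port"
        elif d["root_replies"] or d["other_dns"]:
            verdict = "dns-replies: check whether the sources are resolvers this host uses"
        else:
            verdict = "non-dns udp"
        verdicts[dst] = {
            "verdict": verdict,
            "roots": sorted(d["root_letters"]),
            "client_ports": sorted(d["client_ports"]),
            "packets": d["root_replies"] + d["other_dns"] + d["non_dns"],
        }
    return verdicts


if __name__ == "__main__":
    for host, result in classify(SAMPLE_LOG).items():
        print(host, result)
```

The check that matters is the combination: source port 53, sources that are root servers, and one destination port reused across all of them. That pattern is a resolver socket behind the ACL, and the next step is to find which machine actually holds X.X.55.121 when the traffic arrives, as Ryan asks.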


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
