Security Incidents mailing list archives

Re: UDP flood on port 2001


From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Tue, 10 Sep 2002 21:14:56 +0000

I'm taking a wild guess here, but the only thing I could think it could be is a DOS attack - the data doesn't seem to do anything, or send any useful data - many standard distribution DOS and DDOS attack tools just fire "junk" data at the target, perhaps this is what is happening to your client...

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/

New Zealand

Is your box REALLY secure?


From: Arnold Yancha <alyancha () meridiantelekoms com>
To: incidents () securityfocus com
Subject: UDP flood on port 2001
Date: Tue, 10 Sep 2002 11:05:20 +0800

Hi,

Anyone seen this kind of UDP traffic? A client has been complaining that
their bandwidth has been eaten significantly by this type of traffic. I
haven't seen any solid reference to it in google. Maybe somebody on this list
can shed some light on this. Thanks.

-arnold

  1   0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 44 45 52 00 00 37 11 8a 18 3f d9 1a 23 xx xx   .DER..7...?..#.W
0020  xx eb 07 d1 07 d1 00 30 93 14 26 00 00 00 73 bd   .......0..&...s.
0030  ff 37 28 00 00 00 9e ad cf f4 05 00 00 00 00 00   .7(.............
0040  00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00   ..t.............
0050  00 00                                             ..

  2   0.003603 63.217.26.35 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 48 45 da 00 00 37 11 89 8d 3f d9 1a 23 xx xx   .HE...7...?..#.W
0020  xx ea 07 d1 07 d1 00 34 ed b5 26 00 00 00 16 65   .......4..&....e
0030  5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00   ^.,....5........
0040  00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00   ..q.............
0050  00 00 c3 da ba ea                                 ......

  3   0.007376 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 44 ae 8c 00 00 37 11 20 e7 3f d9 1a 1a xx xx   .D....7. .?....W
0020  xx eb 07 d1 07 d1 00 30 13 40 26 00 00 00 bb 78   .......0.@&....x
0030  27 4a 28 00 00 00 4e da 2f d8 05 00 00 00 00 00   'J(...N./.......
0040  00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00   ..t.............
0050  00 00                                             ..

  4   0.010812 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 44 ae bc 00 00 37 11 20 b7 3f d9 1a 1a xx xx   .D....7. .?....W
0020  xx eb 07 d1 07 d1 00 30 67 38 26 00 00 00 9d 46   .......0g8&....F
0030  ea 7d 28 00 00 00 16 30 6f 88 05 00 00 00 00 00   .}(....0o.......
0040  00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00   ..t.............
0050  00 00                                             ..

  5   0.013111 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 48 45 ec 00 00 37 11 89 7a 3f d9 1a 23 xx xx   .HE...7..z?..#.W
0020  xx eb 07 d1 07 d1 00 34 ed b4 26 00 00 00 16 65   .......4..&....e
0030  5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00   ^.,....5........
0040  00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00   ..q.............
0050  00 00 c3 da ba ea                                 ......

  6   0.013115 63.217.26.26 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001

0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 48 b0 24 00 00 37 11 1f 4c 3f d9 1a 1a xx xx   .H.$..7..L?....W
0020  xx ea 07 d1 07 d1 00 34 ed be 26 00 00 00 16 65   .......4..&....e
0030  5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00   ^.,....5........
0040  00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00   ..q.............
0050  00 00 c3 da ba ea                                 ......

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
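
An added triage example (not part of the original posts): it parses hex rows in the format posted above, decodes the IPv4/UDP headers around the masked `xx` bytes, and compares the payloads word by word to show which fields repeat. The function names and the choice to read the payload as little-endian 32-bit words are assumptions made for this example.

```python
import re
import struct

# Frames 1 and 2 copied from the post; "xx" marks bytes the poster masked.
DUMP = """
0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 44 45 52 00 00 37 11 8a 18 3f d9 1a 23 xx xx   .DER..7...?..#.W
0020  xx eb 07 d1 07 d1 00 30 93 14 26 00 00 00 73 bd   .......0..&...s.
0030  ff 37 28 00 00 00 9e ad cf f4 05 00 00 00 00 00   .7(.............
0040  00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00   ..t.............
0050  00 00                                             ..
0000  00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00   .........4( ..E.
0010  00 48 45 da 00 00 37 11 89 8d 3f d9 1a 23 xx xx   .HE...7...?..#.W
0020  xx ea 07 d1 07 d1 00 34 ed b5 26 00 00 00 16 65   .......4..&....e
0030  5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00   ^.,....5........
0040  00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00   ..q.............
0050  00 00 c3 da ba ea                                 ......
"""
ROW = re.compile(r"^[ \t]*([0-9a-f]{4}) {2,}((?:(?:[0-9a-f]{2}|xx) ?)+)", re.M)

def parse_frames(text):
    """Split offset-prefixed hex rows into frames; masked 'xx' bytes become None."""
    frames = []
    for offset, row in ROW.findall(text):
        if offset == "0000" or not frames:
            frames.append([])
        frames[-1] += [None if t == "xx" else int(t, 16) for t in row.split()]
    return frames

def decode_udp(f):
    """Decode option-less IPv4/UDP over Ethernet II; None for anything else."""
    if len(f) < 42 or f[12:15] != [8, 0, 0x45] or f[23] != 17 or None in f[34:]:
        return None
    sport, dport, ulen = struct.unpack("!HHH", bytes(f[34:40]))
    payload = bytes(f[42:34 + ulen])
    addr = lambda o: ".".join("x" if b is None else str(b) for b in f[o:o + 4])
    words = struct.unpack("<%dI" % (len(payload) // 4), payload[:len(payload) // 4 * 4])
    return {"src": addr(26), "dst": addr(30), "sport": sport, "dport": dport,
            "payload": payload, "words": words}

def constant_words(pkts):
    """Word positions that hold the same value in every payload."""
    cols = zip(*(p["words"] for p in pkts))
    return {i: c[0] for i, c in enumerate(cols) if len(set(c)) == 1}

def length_word(pkt):
    """Index of the first word equal to the payload length, or None."""
    return next((i for i, w in enumerate(pkt["words"]) if w == len(pkt["payload"])), None)
```

On frames 1 and 2 from the post, `constant_words` returns positions 0, 4, 5, 7 and 9, and `length_word` returns 2 for both packets (word 2 is 0x28 and 0x2c, matching the 40- and 44-byte payloads).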



