Security Incidents mailing list archives

UDP traffic to net and broadcast addresses

From: Zen <zen () kill-9 it>
Date: Wed, 2 Apr 2003 12:12:14 +0200

Hi,
        debugging on a customer router I trampled over some unusual
        traffic pattern: it is composed by
        udp packets,
        always from the same ip address 
        random source port
        directed to the network and broadcast addresses of a network
        random destination port

        time-spaced around 2 seconds.

        This is an example from the logs

Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet

        they are around 8900 starting 3am (log rotate date -- didn't
        check before, still).

        It is highly probable this is a tempted information gathering
        act -- but why using network and broadcast addresses? Most
        modern tcp/ip stacks wouldn't answer (well, some ciscos actually
        do, depending on config..)

        Any ideas?

bye,
-- 
My home isn't cluttered; it's "passage restrictive."
zen () kill-9 it . Geek . And proud of it .
http://www.kill-9.it/jargon/html/entry/zen.html

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents

Current thread:

UDP traffic to net and broadcast addresses Zen (Apr 02)
- <Possible follow-ups>
- RE: UDP traffic to net and broadcast addresses Joshua Wright (Apr 03)