Security Incidents mailing list archives

Questionable UDP traffic received by firewall


From: Earl Hood <earl () earlhood com>
Date: Wed, 25 Jun 2003 16:58:06 -0500

(The focus-linux moderator stated this message may be better routed
to the incidents list, so here it goes.)

Original message date: Tue, 24 Jun 2003 10:51:38 -0500

For the past few days I have been receiving the following type of
packets:

Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 \
  ID=60544 PROTO=UDP SPT=44078 DPT=33444 LEN=18
Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 \
  ID=60553 PROTO=UDP SPT=46113 DPT=33445 LEN=18 
Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 \
  ID=60728 PROTO=UDP SPT=44078 DPT=33445 LEN=18 
Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 \
  ID=60747 PROTO=UDP SPT=46113 DPT=33446 LEN=18 
Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 \
  ID=60855 PROTO=UDP SPT=44078 DPT=33446 LEN=18 
Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 \
  ID=60867 PROTO=UDP SPT=46113 DPT=33447 LEN=18

In the past 24 hours, source IPs have been:

  64.224.0.140
  64.224.0.141
  129.42.6.240
  129.42.6.241


The 129 addresses are controlled by IBM and the 64 addresses by
Interland.  All IP addresses are pingable, and the 64's are running
an HTTP server.  When doing a GET on the 64 addresses, the default
data returned is a 1x1 GIF image (possible image servers?).

Doing a little searching with Google, it appears that this could be
traceroute traffic, but I do not know why these sites would want to
traceroute my system, so I am wondering if there is anything else
going on and if it is worth contacting the aforementioned companies.

Another possibility, just thinking off the top of my head, is that
the sites are trying to detect performance/latency tests from client
systems that connect to a web site.  What gives me this idea is that
yesterday, I checked out the Wimbledon site, which IBM maintains.
Maybe they are doing some form of statistical analysis on the bandwidth
capabilities of clients that connect to it.

As for Interland, I do not know, but it is highly possible they are
providing hosting services for some site that I have visited in the
past few days.  ARIN shows that they own a variety of IP address
ranges.

Who knows if the probes from each system have the same purpose.

Note, my system is connected via cable modem and I do not run any
public services on it (against ISP service agreement).

--ewh
-- 
Earl Hood, <earl () earlhood com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

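A small detector for the pattern described in the post above (UDP probes whose TTL and destination port step upward together, with the ports in the 33434+ range classic traceroute uses), added here as an example and not part of the original message. The sample log lines are constructed to mirror the quoted format, the last one being an ordinary DNS reply the detector should ignore, and the thresholds in is_traceroute_probe are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netfilter LOG lines quoted in the post
# (continuation lines joined; DST is the poster's masked address). The last
# line is an ordinary DNS reply, added so the detector has something to ignore.
SAMPLE_LOG = [
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=60544 PROTO=UDP SPT=44078 DPT=33444 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=60553 PROTO=UDP SPT=46113 DPT=33445 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 ID=60728 PROTO=UDP SPT=44078 DPT=33445 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 ID=60747 PROTO=UDP SPT=46113 DPT=33446 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=60855 PROTO=UDP SPT=44078 DPT=33446 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=60867 PROTO=UDP SPT=46113 DPT=33447 LEN=18",
    "Packet DROPPED: IN=eth1 OUT= SRC=198.51.100.7 DST=###.###.###.### LEN=120 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=UDP SPT=53 DPT=1025 LEN=100",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; OUT= has an empty value

def parse_log_line(line):
    """Fields of one line as a dict; the second LEN (UDP length) becomes UDP_LEN."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    return fields

def is_traceroute_probe(f):
    """My heuristic for a classic UNIX traceroute probe: UDP to the 33434-33534
    port range traceroute walks through, tiny payload, low TTL."""
    return (f.get("PROTO") == "UDP"
            and 33434 <= int(f.get("DPT", 0)) <= 33534
            and int(f.get("UDP_LEN", 0)) <= 40
            and int(f.get("TTL", 255)) <= 30)

def find_traceroute_sources(lines):
    """Sources whose TTL and DPT both step upward across successive probe-looking
    packets (traceroute's hop-by-hop signature). Returns {src: [(ttl, dpt), ...]}."""
    by_src = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        if is_traceroute_probe(f):
            by_src[f["SRC"]].append((int(f["TTL"]), int(f["DPT"])))
    hits = {}
    for src, probes in by_src.items():
        ttls = [t for t, _ in probes]
        dpts = [d for _, d in probes]
        if len(set(ttls)) > 1 and ttls == sorted(ttls) and dpts == sorted(dpts):
            hits[src] = probes
    return hits
```

Run over a real log the same way, grouping by source; a source that matches is almost certainly tracing the path to you rather than probing a service, which is the distinction the poster is trying to draw.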
