[Intrusions] UDP traffic on port 48864
Andrew Daviel
andrew at andrew.triumf.ca
Tue Jun 21 01:19:43 GMT 2005
On Tue, 14 Jun 2005, James C Slora Jr wrote:
> Andrew Daviel wrote Monday, June 13, 2005 6:42 PM
>
> > I've been seeing UDP traffic sent to a host here on port 48864; it seems
> > to all (or mostly) be targeted at one particular host, which does not seem to
> > respond (apart from maybe ICMP unreachable). It's from random places on the
> > net (including residential, like P2P), but the packets are quite small
> > (15-500 bytes) and don't seem to have any ASCII content.
>
> Packets would be nice.
17:00:07.923609 195.205.132.226.24432 > 142.x.y.z.48864: udp 123
17:00:07.924007 142.x.y.z.48864 > 195.205.132.226.24432: udp 21
17:00:09.276406 201.24.74.50.4674 > 142.x.y.z.48864: tcp 0 (DF)
17:00:09.276557 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:12.225555 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:16.692418 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:16.692571 142.x.y.z.48864 > 69.166.222.155.65351: tcp 0 (DF)
17:00:16.808173 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:18.362210 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:40.624674 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:40.625105 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:44.110763 65.94.161.239.25409 > 142.x.y.z.48864: udp 97
17:00:44.111089 142.x.y.z.48864 > 65.94.161.239.25409: udp 43
17:00:44.541082 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:44.541422 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:56.322058 154.20.232.86.16800 > 142.x.y.z.48864: udp 103
User Datagram Protocol, Src Port: 24432 (24432), Dst Port: 48864 (48864)
Data (123 bytes)
0000 40 b8 02 82 8f e2 0c 77 b9 71 df 3a 5b 45 f5 23 @......w.q.:[E.#
0010 e0 f8 6a 3b 7e 46 68 95 08 52 94 fc f5 42 5b 67 ..j;~Fh..R...B[g
0020 ae ca 1a 7f d9 c6 50 1f ab f1 4c 23 0e 01 67 03 ......P...L#..g.
0030 63 b1 51 50 fc 08 76 d8 3e 6d 35 22 13 3f 54 3e c.QP..v.>m5".?T>
0040 56 23 ef 06 e0 a2 a3 68 49 e5 47 d9 7f 77 90 dd V#.....hI.G..w..
0050 66 a6 ca 6e 40 86 e5 0b 8e 4c 11 58 fa 70 4f 93 f..n@....L.X.pO.
0060 49 7f 5d 73 d9 18 61 8c 3a ee ed 5d 4f c0 79 0e I.]s..a.:..]O.y.
0070 9c ec b4 f1 0c df 94 8f 22 e7 78 ........".x
User Datagram Protocol, Src Port: 48864 (48864), Dst Port: 24432 (24432)
Data (21 bytes)
0000 00 16 02 c6 7e ea 95 50 77 c1 5f 42 8f e9 b6 ea ....~..Pw._B....
0010 9a 52 e4 fd 02 .R...
User Datagram Protocol, Src Port: 2087 (2087), Dst Port: 48864 (48864)
Data (102 bytes)
0000 9d 8a 02 98 21 b8 a6 00 59 d3 8d 9a a5 8b 95 c5 ....!...Y.......
0010 09 54 c9 79 2c 7e ea f0 13 7f 2c 89 71 80 74 fd .T.y,~....,.q.t.
0020 3d d4 67 aa 93 08 30 b9 a8 a3 87 da 16 73 9d 34 =.g...0......s.4
0030 01 05 c6 9a 73 76 99 c5 71 d7 c3 f1 d6 96 7f 7e ....sv..q......~
0040 48 a0 ba de f9 c4 22 65 f8 be 32 63 31 9f 97 df H....."e..2c1...
0050 d9 25 24 df 30 fa 67 e0 ad 54 9a 49 b9 4b af 53 .%$.0.g..T.I.K.S
0060 1d 35 ee 5c 2a 24 .5.\*$
etc.
There are also occasional tcp packets - remote sends SYN, local sends
SYN, ACK, remote either doesn't respond or sends RST. No data.
I don't see that our local machine is a worthy recipient of a DDoS attack
- it's basically a Windows desktop.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca