[Dshield] Strange UDP traffic
Richard Golodner
rgolodner at infratection.com
Thu Mar 20 19:48:37 GMT 2008
Jon, any idea what it is that you are dealing with? It looks to me like a counter of some kind, but I am no expert. I did find this and hope it helps:
BandCon - California
151 Kalmus Drive
Suite M-2
Costa Mesa, California 92626
PH: 949.468.0630
FX: 714.641.1670
BandCon - Arizona
1525 N. Granite Reef Road
Suite 7
Scottsdale, Arizona 85257
PH: 888.253.8353
BandCon - New York
419 Lafayette
3rd Floor
New York, New York 10003
PH: 888.253.8353
most sincerely, Richard
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jon R. Kibler
Sent: Thursday, March 20, 2008 9:37 AM
To: list at lists.dshield.org
Subject: [Dshield] Strange UDP traffic
All,
Just implemented new firewall rules at a customer site and immediately started to block strange UDP traffic. It is originating from a few different Windows boxes. Each of the systems is sending the exact identical traffic to a few target IPs. There is one packet every 30 seconds per system. Below is a sample. Destination port appears to always be the same.
Anyone have a clue what this traffic is all about? It is only coming from a couple of systems out of about 200.
TIA for help!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
Frame 17 (64 bytes on wire, 64 bytes captured)
Arrival Time: Mar 20, 2008 14:13:59.698973000
[Time delta from previous captured frame: 30.209030000 seconds]
[Time delta from previous displayed frame: 30.209030000 seconds]
[Time since reference or first frame: 483.397740000 seconds]
Frame Number: 17
Frame Length: 64 bytes
Capture Length: 64 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Intel_88:c8:41 (00:19:d1:88:c8:41), Dst: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
Destination: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
Address: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Intel_88:c8:41 (00:19:d1:88:c8:41)
Address: Intel_88:c8:41 (00:19:d1:88:c8:41)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.8.100.97 (10.8.100.97), Dst: 209.234.245.12 (209.234.245.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 50
Identification: 0x30c8 (12488)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xd492 [correct]
[Good: True]
[Bad : False]
Source: 10.8.100.97 (10.8.100.97)
Destination: 209.234.245.12 (209.234.245.12)
User Datagram Protocol, Src Port: voispeed-port (3541), Dst Port: 25121 (25121)
Source port: voispeed-port (3541)
Destination port: 25121 (25121)
Length: 30
Checksum: 0xc176 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Data (22 bytes)
0000 01 02 00 16 dc f2 21 f5 01 00 00 00 08 02 bf 60 ......!........`
0010 0a 08 64 61 62 18 ..dab.
Data: 01020016DCF221F5010000000802BF600A0864616218
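A first triage of the frame quoted above, as an added example (not code from either poster): it decodes the 22 data bytes by their visible layout, checks the length fields against each other, searches the data for the sender's own address, and tests the 30-second cadence that makes the traffic look like a beacon. The field names are working labels chosen from the byte layout, not names from any documented protocol, and the arrival-time list is constructed by extrapolating the 30.209 s delta shown for frame 17, since the post shows only one frame.

```python
"""Triage of the 22-byte UDP payload quoted in the post above (added example)."""
import ipaddress
import struct

# Copied from the "Data:" line of frame 17 in the capture.
PAYLOAD = bytes.fromhex("01020016DCF221F5010000000802BF600A0864616218")

# Addresses, ports and lengths from the same frame.
SRC_IP = "10.8.100.97"
DST_IP = "209.234.245.12"
SRC_PORT = 3541
DST_PORT = 25121
IP_TOTAL_LENGTH = 50
UDP_LENGTH = 30

# Constructed arrival times (seconds): frame 17 arrived 483.397740 s into the
# capture with a 30.209030 s delta; earlier frames are extrapolated at that
# spacing. The capture in the post shows a single frame, so this is an assumption.
BEACON_TIMES = [483.397740 - 30.209030 * k for k in range(4, -1, -1)]


def lengths_consistent(ip_total: int, udp_len: int, payload: bytes) -> bool:
    """IP total length = 20-byte IPv4 header + UDP length; UDP length = 8 + data."""
    return udp_len == 8 + len(payload) and ip_total == 20 + udp_len


def decode_payload(payload: bytes) -> dict:
    """Split the payload into fixed-width fields by its byte layout.

    Field names are working labels chosen from the layout; they are not
    taken from any documented protocol.
    """
    if len(payload) != 22:
        raise ValueError(f"expected 22 bytes, got {len(payload)}")
    b0, b1, length = struct.unpack("!BBH", payload[0:4])   # 01 02 00 16 -> 0x16 = 22
    word1 = payload[4:8]                                    # dc f2 21 f5 (unknown)
    word2 = struct.unpack("<I", payload[8:12])[0]           # 01 00 00 00 -> 1 little-endian
    word3 = payload[12:16]                                  # 08 02 bf 60 (unknown)
    addr = ipaddress.IPv4Address(payload[16:20])            # 0a 08 64 61 -> 10.8.100.97
    tail = struct.unpack("!H", payload[20:22])[0]           # 62 18 -> 25112
    return {
        "hdr_bytes": (b0, b1),
        "length_field": length,
        "length_matches": length == len(payload),
        "word1_hex": word1.hex(),
        "word2_le": word2,
        "word3_hex": word3.hex(),
        "embedded_ipv4": str(addr),
        "tail_u16": tail,
    }


def find_ipv4(payload: bytes, address: str) -> list:
    """Every offset at which the packed 4-byte form of `address` occurs in the data."""
    needle = ipaddress.IPv4Address(address).packed
    return [i for i in range(len(payload) - 3) if payload[i:i + 4] == needle]


def is_beacon(arrival_times, period: float, tolerance: float = 0.05) -> bool:
    """True if every gap between consecutive arrivals is within tolerance*period of period."""
    gaps = [b - a for a, b in zip(arrival_times, arrival_times[1:])]
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance * period for g in gaps)


def triage() -> dict:
    """Run all checks on the captured frame and return them as one summary."""
    fields = decode_payload(PAYLOAD)
    return {
        "lengths_consistent": lengths_consistent(IP_TOTAL_LENGTH, UDP_LENGTH, PAYLOAD),
        "payload_length_field_ok": fields["length_matches"],
        "src_ip_offsets": find_ipv4(PAYLOAD, SRC_IP),
        "dst_ip_offsets": find_ipv4(PAYLOAD, DST_IP),
        "tail_is_dst_port": fields["tail_u16"] == DST_PORT,
        "tail_is_src_port": fields["tail_u16"] == SRC_PORT,
        "beacon_30s": is_beacon(BEACON_TIMES, 30.0),
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

What the checks show on the bytes as posted: the third and fourth data bytes (0x0016) equal the data length, so the protocol carries its own length; the four bytes at offset 16 are exactly the sender's private address 10.8.100.97; and the trailing 16-bit value (25112) matches neither the source port 3541 nor the destination port 25121, so it is not simply an echoed port. If the embedded field really is the sender's address, payloads from different hosts should differ at offset 16, which is worth checking against the observation that all the systems send identical data. The fixed destination port and the 30-second cadence are the features to filter on while identifying the application.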