[Dshield] Probes to 27960

Charles Hamby fixer at gci.net
Sun Mar 16 19:31:16 GMT 2003


Hi list,

Recently I've been seeing some odd probes to UDP 27960, and I was
wondering if anyone else had seen any or if anyone could comment.
Here's a sample from my logs:

Date        Time            Remote IP        Resolved FQDN                     RPort  Local IP     LPort

2003/03/15  04:07:48.18  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net   58571  192.168.0.5  27960
2003/03/15  04:23:04.94  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net   51439  192.168.0.5  27960
2003/03/15  04:29:26.31  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net   60718  192.168.0.5  27960
2003/03/15  09:51:28.98  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net   52132  192.168.0.5  27960
2003/03/15  13:38:49.04  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net   63904  192.168.0.5  27960
2003/03/15  16:57:09.93  I  213.118.212.116  d576d474.kabel.telenet.be         5985   192.168.0.5  27960
2003/03/15  17:12:55.58  I  12.250.95.248    12-250-95-248.client.attbi.com    52657  192.168.0.5  27960
2003/03/15  17:21:23.21  I  64.229.208.35                                      50231  192.168.0.5  27960
2003/03/15  17:44:24.93  I  64.229.208.35                                      54818  192.168.0.5  27960
2003/03/15  18:44:07.20  I  68.158.221.12                                      59520  192.168.0.5  27960
2003/03/15  18:58:38.20  I  68.158.221.12                                      54491  192.168.0.5  27960
2003/03/15  19:24:45.84  I  68.158.221.12                                      59278  192.168.0.5  27960
2003/03/15  20:29:00.39  I  68.158.221.12                                      49921  192.168.0.5  27960

UDP 27960 is commonly associated with Quake3 Arena Servers, but I don't
play any of the Quake games, nor does anyone on my network.
Additionally, with the typical Q3A traffic, the source port ranges tend
to stay within the 279xx range.  This traffic, on the other hand, is
typically originating around the 50,000-60,000 range (note the one
exception which is at 5985).

My initial suspicion is that these may be Q3A clients attempting to
connect up with a server (I recently obtained this particular static IP
address from my local ISP), but I was wondering if anyone else has seen
this sort of traffic before I write this off.

Charles Hamby
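
The following is an added example, not part of the original post: a Python sketch that parses rows in the log format shown above and summarizes probes to UDP 27960 per remote IP, bucketing source ports into the 279xx range the post associates with Q3A traffic, the IANA dynamic range, or other. The function names and the bucket boundaries are assumptions made for illustration.

```python
from collections import defaultdict

# Sample input: rows taken from the log in the post, rejoined one per line.
SAMPLE = """\
2003/03/15 04:07:48.18 I 67.34.53.45 adsl-34-53-45.mia.bellsouth.net 58571 192.168.0.5 27960
2003/03/15 04:23:04.94 I 67.34.53.45 adsl-34-53-45.mia.bellsouth.net 51439 192.168.0.5 27960
2003/03/15 16:57:09.93 I 213.118.212.116 d576d474.kabel.telenet.be 5985 192.168.0.5 27960
2003/03/15 17:21:23.21 I 64.229.208.35 50231 192.168.0.5 27960
2003/03/15 17:44:24.93 I 64.229.208.35 54818 192.168.0.5 27960
2003/03/15 20:29:00.39 I 68.158.221.12 49921 192.168.0.5 27960
"""

def parse_row(line):
    """Split one log row; the Resolved FQDN column is empty for some sources."""
    f = line.split()
    if len(f) == 7:                 # no reverse DNS: insert an empty FQDN field
        f.insert(4, "")
    if len(f) != 8 or not (f[5].isdigit() and f[7].isdigit()):
        return None                 # header, blank or malformed line
    date, time, direction, rip, fqdn, rport, lip, lport = f
    return {"when": f"{date} {time}", "dir": direction, "rip": rip,
            "fqdn": fqdn, "rport": int(rport), "lip": lip, "lport": int(lport)}

def sport_bucket(port):
    """Bucket a source port: the 279xx range (assumed here to mean 27900-27999),
    the IANA dynamic range (49152-65535), or anything else."""
    if 27900 <= port <= 27999:
        return "279xx"
    return "dynamic" if port >= 49152 else "other"

def summarize(text, lport=27960):
    """Per remote IP: probe count, first/last seen, source-port buckets."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                               "buckets": defaultdict(int)})
    for row in filter(None, map(parse_row, text.splitlines())):
        if row["lport"] != lport:
            continue
        s = out[row["rip"]]
        s["count"] += 1
        s["first"] = s["first"] or row["when"]
        s["last"] = row["when"]
        s["buckets"][sport_bucket(row["rport"])] += 1
    return out

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["count"], s["first"], "->", s["last"], dict(s["buckets"]))
```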


