[Dshield] UDP/65535 and Tcpdump Help

Ken Schweigert ken at byte-productions.com
Wed Oct 20 15:40:36 GMT 2004


In the past week I've seen a huge surge in UDP 65535 connections.  The source
port is also 65535.  They are coming from CORBINA TELECOM and come at about
three packets every minute.  Here is a log snippet:

Oct 20 09:00:24 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.52:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=22349 F=0x0040 T=55 (#273)
Oct 20 09:00:30 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.4:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=59779 F=0x0040 T=55 (#273)
Oct 20 09:00:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.21:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=46062 F=0x0040 T=55 (#273)
Oct 20 09:00:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.131:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=62591 F=0x0040 T=55 (#273)
Oct 20 09:01:23 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.33:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=34110 F=0x0040 T=55 (#273)
Oct 20 09:01:32 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.24:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=52 F=0x0040 T=55 (#273)
Oct 20 09:01:39 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=43311 F=0x0040 T=55 (#273)
Oct 20 09:02:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=58843 F=0x0040 T=55 (#273)
Oct 20 09:02:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64763 F=0x0040 T=55 (#273)
Oct 20 09:02:58 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.12:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=6490 F=0x0040 T=55 (#273)
Oct 20 09:03:12 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.54:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=53689 F=0x0040 T=55 (#273)
Oct 20 09:03:22 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=33604 F=0x0040 T=55 (#273)
Oct 20 09:03:28 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64266 F=0x0040 T=55 (#273)
Oct 20 09:04:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=41265 F=0x0040 T=55 (#273)
Oct 20 09:05:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=21321 F=0x0040 T=55 (#273)
Oct 20 09:05:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=8424 F=0x0040 T=55 (#273)
Oct 20 09:05:48 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.55:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=4642 F=0x0040 T=55 (#273)
Oct 20 09:06:09 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=30705 F=0x0040 T=55 (#273)

Wanting to get a better picture of what was happening, I started to do
a tcpdump.  The results are kind of unusual to me because I've never seen
(frag 25411:25@512) in a dump before.  I'm still learning tcpdump.


[root@firewall /root]# tcpdump -i eth0 -s 0 -lnpSvvxX src net 83.102.166
tcpdump: listening on eth0
10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25@512) (ttl 55, len 45)
0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630        E..-cC.@7...Sf.0
0x0010   3f95 1647 11ef 0035 0019 282d 71f7 0100        ?..G...5..(-q...
0x0020   0001 0000 0000 0000 0000 0200 016f             .............o
10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25@512) (ttl 55, len 45)
0x0000   4500 002d 978b 0040 3711 9cab 5366 a607        E..-...@7...Sf..
0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
0x0020   0001 0000 0000 0000 0000 0200 0106             ..............
10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25@512) (ttl 55, len 45)
0x0000   4500 002d 25c0 0040 3711 0e5d 5366 a621        E..-%..@7..]Sf.!
0x0010   3f95 1647 11ef 0035 0019 283c 71f7 0100        ?..G...5..(<q...
0x0020   0001 0000 0000 0000 0000 0200 0148             .............H
10:13:30.892641 83.102.166.21 > aa.bb.cc.71: (frag 2531:25@512) (ttl 55, len 45)
0x0000   4500 002d 09e3 0040 3711 2a46 5366 a615        E..-...@7.*FSf..
0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
0x0020   0001 0000 0000 0000 0000 0200 0103             ..............
10:14:12.944934 83.102.166.21 > aa.bb.cc.71: (frag 62041:25@512) (ttl 55, len 45)
0x0000   4500 002d f259 0040 3711 41cf 5366 a615        E..-.Y.@7.A.Sf..
0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
10:14:34.096260 83.102.166.15 > aa.bb.cc.71: (frag 63401:25@512) (ttl 55, len 45)
0x0000   4500 002d f7a9 0040 3711 3c85 5366 a60f        E..-...@7.<.Sf..
0x0010   3f95 1647 11ef 0035 0019 284e 71f7 0100        ?..G...5..(Nq...
0x0020   0001 0000 0000 0000 0000 0200 0169             .............i
10:14:35.044998 83.102.166.54 > aa.bb.cc.71: (frag 11580:25@512) (ttl 55, len 45)
0x0000   4500 002d 2d3c 0040 3711 06cc 5366 a636        E..--<.@7...Sf.6
0x0010   3f95 1647 11ef 0035 0019 2827 71f7 0100        ?..G...5..('q...
0x0020   0001 0000 0000 0000 0000 0200 0101             ..............
10:14:48.905869 83.102.166.7 > aa.bb.cc.71: (frag 29598:25@512) (ttl 55, len 45)
0x0000   4500 002d 739e 0040 3711 c098 5366 a607        E..-s..@7...Sf..
0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
10:15:38.517283 83.102.166.22 > aa.bb.cc.71: (frag 13760:25@512) (ttl 55, len 45)
0x0000   4500 002d 35c0 0040 3711 fe67 5366 a616        E..-5..@7..gSf..
0x0010   3f95 1647 11ef 0035 0019 2847 71f7 0100        ?..G...5..(Gq...
0x0020   0001 0000 0000 0000 0000 0200 0100             ..............

9 packets received by filter
0 packets dropped by kernel
[root@firewall /root]#

I was originally going to send an abuse report to Corbina, but I'm starting to
wonder if there's something on my end causing the packets to get fragmented.
I'm still kind of leery about the source and destination ports being 65535,
though.

Machine aa.bb.cc.71 is a DNS server and a secondary mail server.

Could someone offer an opinion and possibly help me understand the tcpdump
a little better?

Thank you.
-- 
Ken Schweigert, Network Administrator
Byte Productions, LLC
http://www.byte-productions.com
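The tcpdump line `(frag 25411:25@512)` comes straight out of the IP header bytes in the hex dump: identification 0x6343 = 25411, fragment-offset field 0x0040 = 64 eight-byte units = 512 bytes, total length 0x2d = 45 minus a 20-byte header = 25 payload bytes, and the More Fragments bit clear (tcpdump appends `+` when it is set). The decoder below is an added example, not code from the original post; it walks those fields, verifies the header checksum, rebuilds the tcpdump summary, and records what a non-initial fragment does and does not reveal. A packet filter cannot read transport ports from a fragment at offset 512 because the UDP header is not in that packet; ipchains logs 0xFFFF (65535) for both ports in that case, which is what the firewall lines above show. The sample bytes are constructed: the header fields, source 83.102.166.48 and the 25-byte payload are copied from the first packet in the post, while the destination is replaced with the documentation address 192.0.2.71 and the checksum recomputed to 0x645f so the header still verifies.

```python
"""Decode the IPv4 header in a tcpdump hex dump and rebuild tcpdump's
"(frag ID:LEN@OFFSET)" summary.

Added example, not code from the original post.  SAMPLE_DUMP is a
constructed packet: version/IHL, total length, ID 0x6343, flags+offset
0x0040, TTL 55, protocol 17, source 83.102.166.48 and the 25-byte payload
are copied from the first packet in the post; the destination is replaced
by the documentation address 192.0.2.71 and the header checksum recomputed
(0x645f) so the packet still verifies.
"""
import ipaddress
import struct

# Constructed sample in "tcpdump -x" layout: offset column, then hex words.
SAMPLE_DUMP = """\
0x0000   4500 002d 6343 0040 3711 645f 5366 a630
0x0010   c000 0247 11ef 0035 0019 282d 71f7 0100
0x0020   0001 0000 0000 0000 0000 0200 016f
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Collect the hex words of each '0x....' line into raw bytes.  A -X style
    ASCII column (which may contain hex-looking text) is skipped by taking at
    most eight words per 16-byte line."""
    raw = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("0x"):
            continue
        for word in parts[1:9]:
            if len(word) in (2, 4) and set(word) <= HEX_DIGITS:
                raw += bytes.fromhex(word)
            else:
                break
    return bytes(raw)


def ip_checksum(header):
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the 16-bit words.  Run over a header with its checksum field in place,
    the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv4(pkt):
    """Split the 20-byte fixed IPv4 header into named fields."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:total_len],
    }


def tcpdump_frag_summary(h):
    """tcpdump prints '(frag ID:LEN@OFFSET)' for any packet with a non-zero
    offset or MF set, adding '+' when more fragments follow.  LEN is the
    payload carried by this fragment, not the size of the whole datagram."""
    if h["frag_offset"] == 0 and not h["mf"]:
        return ""
    return "(frag %d:%d@%d%s)" % (h["id"], len(h["payload"]),
                                 h["frag_offset"], "+" if h["mf"] else "")


def fragment_observations(h):
    """Defender-side notes on what this fragment does and does not tell us."""
    notes = []
    if h["frag_offset"] > 0:
        notes.append("non-initial fragment: the transport header is not in this "
                     "packet, so a packet filter has no ports to match or log")
        if not h["mf"]:
            notes.append("MF clear: claims to be the final fragment of datagram "
                         "id %d" % h["id"])
        # A UDP header can only sit at offset 0.  If the bytes at this offset
        # nevertheless read as a UDP header whose length equals the IP payload
        # length, the offset field and the payload contradict each other.
        if h["proto"] == 17 and len(h["payload"]) >= 8:
            sport, dport, ulen, _ = struct.unpack("!HHHH", h["payload"][:8])
            if ulen == len(h["payload"]):
                notes.append("payload is shaped like a complete UDP datagram "
                             "(%d -> %d, length %d) although carried at offset "
                             "%d: offset field and payload disagree"
                             % (sport, dport, ulen, h["frag_offset"]))
    return notes


def analyse(dump_text):
    h = decode_ipv4(parse_hexdump(dump_text))
    return h, tcpdump_frag_summary(h), fragment_observations(h)


if __name__ == "__main__":
    hdr, summary, notes = analyse(SAMPLE_DUMP)
    print("%s > %s: %s (ttl %d, len %d) checksum_ok=%s" % (
        hdr["src"], hdr["dst"], summary, hdr["ttl"], hdr["total_len"],
        hdr["checksum_ok"]))
    for n in notes:
        print(" -", n)
```

Feeding the script a dump with the payload's apparent UDP length equal to the IP payload length is the interesting case: the bytes after the IP header look exactly like a stand-alone 25-byte UDP datagram to port 53, which is consistent with the host being a DNS server but not with a fragment offset of 512. That contradiction, rather than the 65535 port numbers, is what merits attention on the defending side, and it also explains why tcpdump prints the packet as an undecoded fragment.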


