[Dshield] UDP/65535 and Tcpdump Help

Justin S jgs316 at gmail.com
Wed Oct 20 18:26:47 GMT 2004


I also had the exact same traffic from the exact same hosts.  It
started last Thursday sometime.  They are all fragmented udp packets
originating from some hosts in Russia.  In looking at the packets, I
did not see anything in them, nor did I ever get the entire packet,
only the exact same fragments that you are seeing.  The packets were
destined for my DNS server.  The only thing I could determine was that
it could possibly be a lame attempt at a DoS attack.  I say lame only
because they didn't happen with enough regularity to cause any real
harm.  After about 4 days of receiving these packets, I added a rule
to block the entire 83.102.166.0 network at my border router.  (If you
can't play nice, you can't play on my network.)

I never did find a real answer to these packets, and I'm not certain
that my analysis is correct.  If somebody does have an answer, or if
you would like to look at some of the packets, I still have a bunch of
captured packets that I would be willing to share.

Justin


On Wed, 20 Oct 2004 11:40:36 -0400, Ken Schweigert
<ken at byte-productions.com> wrote:
> In the past week I've seen a huge surge in UDP 65535 connections.  The source
> port is also 65535.  They are coming from CORBINA TELECOM and come at about
> three packets every minute.  Here is a log snippet:
> 
> Oct 20 09:00:24 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.52:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=22349 F=0x0040 T=55 (#273)
> Oct 20 09:00:30 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.4:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=59779 F=0x0040 T=55 (#273)
> Oct 20 09:00:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.21:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=46062 F=0x0040 T=55 (#273)
> Oct 20 09:00:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.131:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=62591 F=0x0040 T=55 (#273)
> Oct 20 09:01:23 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.33:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=34110 F=0x0040 T=55 (#273)
> Oct 20 09:01:32 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.24:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=52 F=0x0040 T=55 (#273)
> Oct 20 09:01:39 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=43311 F=0x0040 T=55 (#273)
> Oct 20 09:02:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=58843 F=0x0040 T=55 (#273)
> Oct 20 09:02:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64763 F=0x0040 T=55 (#273)
> Oct 20 09:02:58 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.12:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=6490 F=0x0040 T=55 (#273)
> Oct 20 09:03:12 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.54:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=53689 F=0x0040 T=55 (#273)
> Oct 20 09:03:22 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=33604 F=0x0040 T=55 (#273)
> Oct 20 09:03:28 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64266 F=0x0040 T=55 (#273)
> Oct 20 09:04:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=41265 F=0x0040 T=55 (#273)
> Oct 20 09:05:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=21321 F=0x0040 T=55 (#273)
> Oct 20 09:05:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=8424 F=0x0040 T=55 (#273)
> Oct 20 09:05:48 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.55:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=4642 F=0x0040 T=55 (#273)
> Oct 20 09:06:09 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=30705 F=0x0040 T=55 (#273)
> 
> Wanting to get a better picture of what was happening, I started to do
> a tcpdump.  The results are kind of unusual to me because I've never seen
> (frag 25411:25 at 512) in a dump before.  I'm still learning tcpdump.
> 
> [root@firewall /root]# tcpdump -i eth0 -s 0 -lnpSvvxX src net 83.102.166
> tcpdump: listening on eth0
> 10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630        E..-cC.@7...Sf.0
> 0x0010   3f95 1647 11ef 0035 0019 282d 71f7 0100        ?..G...5..(-q...
> 0x0020   0001 0000 0000 0000 0000 0200 016f             .............o
> 10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 978b 0040 3711 9cab 5366 a607        E..-...@7...Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
> 0x0020   0001 0000 0000 0000 0000 0200 0106             ..............
> 10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 25c0 0040 3711 0e5d 5366 a621        E..-%..@7..]Sf.!
> 0x0010   3f95 1647 11ef 0035 0019 283c 71f7 0100        ?..G...5..(<q...
> 0x0020   0001 0000 0000 0000 0000 0200 0148             .............H
> 10:13:30.892641 83.102.166.21 > aa.bb.cc.71: (frag 2531:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 09e3 0040 3711 2a46 5366 a615        E..-...@7.*FSf..
> 0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
> 0x0020   0001 0000 0000 0000 0000 0200 0103             ..............
> 10:14:12.944934 83.102.166.21 > aa.bb.cc.71: (frag 62041:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d f259 0040 3711 41cf 5366 a615        E..-.Y.@7.A.Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 10:14:34.096260 83.102.166.15 > aa.bb.cc.71: (frag 63401:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d f7a9 0040 3711 3c85 5366 a60f        E..-...@7.<.Sf..
> 0x0010   3f95 1647 11ef 0035 0019 284e 71f7 0100        ?..G...5..(Nq...
> 0x0020   0001 0000 0000 0000 0000 0200 0169             .............i
> 10:14:35.044998 83.102.166.54 > aa.bb.cc.71: (frag 11580:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 2d3c 0040 3711 06cc 5366 a636        E..--<.@7...Sf.6
> 0x0010   3f95 1647 11ef 0035 0019 2827 71f7 0100        ?..G...5..('q...
> 0x0020   0001 0000 0000 0000 0000 0200 0101             ..............
> 10:14:48.905869 83.102.166.7 > aa.bb.cc.71: (frag 29598:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 739e 0040 3711 c098 5366 a607        E..-s..@7...Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 10:15:38.517283 83.102.166.22 > aa.bb.cc.71: (frag 13760:25 at 512) (ttl 55, len 45)
> 0x0000   4500 002d 35c0 0040 3711 fe67 5366 a616        E..-5..@7..gSf..
> 0x0010   3f95 1647 11ef 0035 0019 2847 71f7 0100        ?..G...5..(Gq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 
> 9 packets received by filter
> 0 packets dropped by kernel
> [root@firewall /root]#
> 
> I was originally going to send an abuse report to Corbina, but I'm starting to
> wonder if there's something on my end causing the packets to get fragmented.
> I'm still kind of leery about the source and destination ports being 65535,
> though.
> 
> The role of machine aa.bb.cc.71 is a DNS and a secondary mail server.
> 
> Could someone offer an opinion and possibly help me understand the tcpdump
> a little better?
> 
> Thank you.
> --
> Ken Schweigert, Network Administrator
> Byte Productions, LLC
> http://www.byte-productions.com
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>
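The tcpdump output quoted above can be decoded field by field. The following Python is an added example, not code from either poster: it parses the first captured packet (retyped from the hex dump), verifies the IP header checksum, and shows where tcpdump's "frag 25411:25 at 512" and the firewall's 65535:65535 come from. The 65535 behaviour of an ipchains-style logger and the reading of the fragment body as a UDP/DNS datagram are this example's assumptions, not statements from the thread.

```python
import struct

# Constructed sample: the first fragment from the tcpdump -X output in the thread,
# retyped as hex (bytes.fromhex ignores the spaces). The dump shows 46 bytes because
# Ethernet pads short frames; the IP total length (0x002d = 45) marks the real end.
SAMPLE_HEX = ("4500 002d 6343 0040 3711 d0ca 5366 a630 "
              "3f95 1647 11ef 0035 0019 282d 71f7 0100 "
              "0001 0000 0000 0000 0000 0200 016f")

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; 0 means the header verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(raw: bytes) -> dict:
    """Decode the IPv4 header; the flags/offset word is what the firewall logs as F=."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,                             # tcpdump: "frag 25411:..."
        "mf": bool(flags_frag & 0x2000),            # False: no fragment follows this one
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # low 13 bits, 8-byte units: "at 512"
        "ttl": ttl, "proto": proto,                 # T=55, PROTO=17 in the log
        "src": ".".join(map(str, src)),             # destination left masked, as in the post
        "header_ok": ip_checksum(raw[:ihl]) == 0,
        "payload": raw[ihl:total_len],              # 25 bytes; Ethernet padding dropped
    }

def log_ports(pkt: dict) -> tuple:
    """Ports as an ipchains-style log line prints them (assumed logger convention):
    a non-first fragment carries no transport header, so both show as 65535."""
    if pkt["frag_offset"] != 0:
        return (65535, 65535)
    return struct.unpack("!HH", pkt["payload"][:4])  # UDP/TCP sport, dport

def as_udp_dns(payload: bytes) -> dict:
    """Read the fragment body as if it were a UDP/DNS datagram. A receiving stack never
    does this for a piece at offset 512; it only shows what the sender put there."""
    sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
    txid, dflags, qdcount = struct.unpack("!HHH", payload[8:14])
    return {"sport": sport, "dport": dport, "udp_len": ulen, "txid": txid,
            "is_query": not (dflags & 0x8000), "qdcount": qdcount}

if __name__ == "__main__":
    pkt = parse_ipv4(bytes.fromhex(SAMPLE_HEX))
    print(pkt["ident"], pkt["frag_offset"], pkt["mf"], log_ports(pkt), as_udp_dns(pkt["payload"]))
```

Because MF is clear and the offset is 512, each packet claims to be the last piece of a datagram whose first fragment was never seen, so the DNS server cannot reassemble it and the 65535 in the log only means there was no port field to read. That the body carries bytes shaped like a port-53 query does not change this; a host never hands a non-first fragment to UDP.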


