[Dshield] UDP/65535 and Tcpdump Help

Darrel Lewis darlewis at cisco.com
Thu Oct 21 17:40:14 GMT 2004


Of course, you have no idea if the 83.102.166.0 really sent those packets...
Do you?  Really?

What if the source of those packets were set to the aol mega proxy addr.
blocks?

-D 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Justin S
Sent: Wednesday, October 20, 2004 11:27 AM
To: General DShield Discussion List
Subject: Re: [Dshield] UDP/65535 and Tcpdump Help

I also had the exact same traffic from the exact same hosts.  It started
last Thursday sometime.  They are all fragmented udp packets originating
from some hosts in Russia.  In looking at the packets, I did not see
anything in them, nor did I ever get the entire packet, only the exact same
fragments that you are seeing.  The packets were destined for my DNS server.
The only thing I could determine was that it could possibly be a lame
attempt at a DoS attack.  I say lame only because they didn't happen with
enough regularity to cause any real harm.  After about 4 days of receiving
these packets, I added a rule to block the entire 83.102.166.0 network at my
border router.  (If you can't play nice, you can't play on my network.)

I never did find a real answer to these packets, and I'm not certain that my
analysis is correct.  If somebody does have an answer, or if you would like
to look at some of the packets, I still have a bunch of captured packets
that I would be willing to share.

Justin


On Wed, 20 Oct 2004 11:40:36 -0400, Ken Schweigert
<ken at byte-productions.com> wrote:
> In the past week I've seen a huge surge in UDP 65535 connections.  The 
> source port is also 65535.  They are coming from CORBINA TELECOM and 
> come at about three packets every minute.  Here is a log snippet:
> 
> Oct 20 09:00:24 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.52:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=22349 F=0x0040 T=55 (#273)
> Oct 20 09:00:30 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.4:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=59779 F=0x0040 T=55 (#273)
> Oct 20 09:00:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.21:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=46062 F=0x0040 T=55 (#273)
> Oct 20 09:00:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.131:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=62591 F=0x0040 T=55 (#273)
> Oct 20 09:01:23 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.33:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=34110 F=0x0040 T=55 (#273)
> Oct 20 09:01:32 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.24:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=52 F=0x0040 T=55 (#273)
> Oct 20 09:01:39 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=43311 F=0x0040 T=55 (#273)
> Oct 20 09:02:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=58843 F=0x0040 T=55 (#273)
> Oct 20 09:02:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64763 F=0x0040 T=55 (#273)
> Oct 20 09:02:58 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.12:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=6490 F=0x0040 T=55 (#273)
> Oct 20 09:03:12 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.54:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=53689 F=0x0040 T=55 (#273)
> Oct 20 09:03:22 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=33604 F=0x0040 T=55 (#273)
> Oct 20 09:03:28 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.45:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=64266 F=0x0040 T=55 (#273)
> Oct 20 09:04:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=41265 F=0x0040 T=55 (#273)
> Oct 20 09:05:14 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.46:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=21321 F=0x0040 T=55 (#273)
> Oct 20 09:05:37 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.59:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=8424 F=0x0040 T=55 (#273)
> Oct 20 09:05:48 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.55:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=4642 F=0x0040 T=55 (#273)
> Oct 20 09:06:09 firewall kernel: Packet log: input DENY eth0 PROTO=17 83.102.166.58:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=30705 F=0x0040 T=55 (#273)
> 
> Wanting to get a better picture of what was happening, I started to do 
> a tcpdump.  The results are kind of unusual to me because I've never 
> seen (frag 25411:25@512) in a dump before.  I'm still learning tcpdump.
> 
> [root@firewall /root]# tcpdump -i eth0 -s 0 -lnpSvvxX src net 83.102.166
> tcpdump: listening on eth0
> 10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630        E..-cC.@7...Sf.0
> 0x0010   3f95 1647 11ef 0035 0019 282d 71f7 0100        ?..G...5..(-q...
> 0x0020   0001 0000 0000 0000 0000 0200 016f             .............o
> 10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 978b 0040 3711 9cab 5366 a607        E..-...@7...Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
> 0x0020   0001 0000 0000 0000 0000 0200 0106             ..............
> 10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 25c0 0040 3711 0e5d 5366 a621        E..-%..@7..]Sf.!
> 0x0010   3f95 1647 11ef 0035 0019 283c 71f7 0100        ?..G...5..(<q...
> 0x0020   0001 0000 0000 0000 0000 0200 0148             .............H
> 10:13:30.892641 83.102.166.21 > aa.bb.cc.71: (frag 2531:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 09e3 0040 3711 2a46 5366 a615        E..-...@7.*FSf..
> 0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
> 0x0020   0001 0000 0000 0000 0000 0200 0103             ..............
> 10:14:12.944934 83.102.166.21 > aa.bb.cc.71: (frag 62041:25@512) (ttl 55, len 45)
> 0x0000   4500 002d f259 0040 3711 41cf 5366 a615        E..-.Y.@7.A.Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2848 71f7 0100        ?..G...5..(Hq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 10:14:34.096260 83.102.166.15 > aa.bb.cc.71: (frag 63401:25@512) (ttl 55, len 45)
> 0x0000   4500 002d f7a9 0040 3711 3c85 5366 a60f        E..-...@7.<.Sf..
> 0x0010   3f95 1647 11ef 0035 0019 284e 71f7 0100        ?..G...5..(Nq...
> 0x0020   0001 0000 0000 0000 0000 0200 0169             .............i
> 10:14:35.044998 83.102.166.54 > aa.bb.cc.71: (frag 11580:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 2d3c 0040 3711 06cc 5366 a636        E..--<.@7...Sf.6
> 0x0010   3f95 1647 11ef 0035 0019 2827 71f7 0100        ?..G...5..('q...
> 0x0020   0001 0000 0000 0000 0000 0200 0101             ..............
> 10:14:48.905869 83.102.166.7 > aa.bb.cc.71: (frag 29598:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 739e 0040 3711 c098 5366 a607        E..-s..@7...Sf..
> 0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 10:15:38.517283 83.102.166.22 > aa.bb.cc.71: (frag 13760:25@512) (ttl 55, len 45)
> 0x0000   4500 002d 35c0 0040 3711 fe67 5366 a616        E..-5..@7..gSf..
> 0x0010   3f95 1647 11ef 0035 0019 2847 71f7 0100        ?..G...5..(Gq...
> 0x0020   0001 0000 0000 0000 0000 0200 0100             ..............
> 
> 9 packets received by filter
> 0 packets dropped by kernel
> [root@firewall /root]#
> 
> I was originally going to send an abuse report to Corbina, but I'm 
> starting to wonder if there's something on my end causing the packets to 
> get fragmented.  I'm still kind of leery about the source and destination 
> ports being 65535, though.
> 
> The role of machine aa.bb.cc.71 is a DNS and a secondary mail server.
> 
> Could someone offer an opinion and possibly help me understand the 
> tcpdump a little better?
> 
> Thank you.
> --
> Ken Schweigert, Network Administrator
> Byte Productions, LLC
> http://www.byte-productions.com
_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
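The kernel log and the tcpdump hex dumps quoted in this thread can be decoded field by field. The Python below is an added example for this page, not code posted by any of the participants. It parses the first kernel log line and the first tcpdump -x dump as they appear above (both copied from Ken's post, with the log's F= word read as the raw IPv4 flags/fragment-offset field, which is the same 0x0040 word visible in the hex), verifies the IPv4 header checksum, and then reads the bytes after the IP header as a UDP datagram and a DNS message even though a non-zero fragment offset says there should be no transport header there. Two points fall out of the decode: the offset is 512 with the more-fragments bit clear, so a stateless packet filter has no ports to report for this packet, which is consistent with the 65535:65535 in the log; and the 25 bytes of "fragment" payload verify as a complete UDP datagram to port 53 whose checksum is correct for these addresses, carrying a DNS query for the root NS records. The dump shows 46 bytes against an IP total length of 45; the code truncates at the IP length and assumes the extra byte is link-layer padding.

```python
import json
import struct

# Constructed samples, copied from the post: the first kernel log line and the
# first tcpdump -x dump (45 bytes of IP plus one trailing byte).
SAMPLE_LOG_LINE = (
    "Oct 20 09:00:24 firewall kernel: Packet log: input DENY eth0 PROTO=17 "
    "83.102.166.52:65535 aa.bb.cc.71:65535 L=45 S=0x00 I=22349 F=0x0040 T=55 (#273)"
)
SAMPLE_HEXDUMP = """\
0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630
0x0010   3f95 1647 11ef 0035 0019 282d 71f7 0100
0x0020   0001 0000 0000 0000 0000 0200 016f
"""


def log_fragment_field(line: str) -> dict:
    """Split the F= word of the kernel log into the IP flag bits and the fragment offset in bytes."""
    word = int(line.split("F=")[1].split()[0], 16)
    return {"df": bool(word & 0x4000), "mf": bool(word & 0x2000),
            "frag_offset": (word & 0x1FFF) * 8}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x lines ('0x0010   3f95 1647 ...') back into bytes; stops at a non-hex column."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for group in fields[1:]:
            if len(group) != 4 or any(c not in "0123456789abcdefABCDEF" for c in group):
                break
            out += bytes.fromhex(group)
    return bytes(out)


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(data: bytes) -> bool:
    """Internet checksum check: a block that contains its own checksum field sums to 0xFFFF."""
    return _ones_complement_sum(data) == 0xFFFF


def decode_dns_question(msg: bytes) -> dict:
    """Parse a DNS header and its first question (plain labels; a query carries no compression pointers)."""
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": ident, "is_query": not flags & 0x8000, "rd": bool(flags & 0x0100),
            "qdcount": qdcount, "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def decode_packet(frame: bytes) -> dict:
    """Decode the IPv4 header, then read the rest as UDP and DNS regardless of the fragment offset."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", frame[:12])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = frame[:total_len]  # bytes past the IP total length are assumed to be link-layer padding
    frag_offset = (flags_frag & 0x1FFF) * 8
    info = {
        "ip": {"total_length": total_len, "id": ident, "ttl": ttl, "proto": proto,
               "src": ".".join(str(b) for b in pkt[12:16]),
               "dst": ".".join(str(b) for b in pkt[16:20]),
               "frag_offset": frag_offset, "more_fragments": bool(flags_frag & 0x2000),
               "checksum_ok": checksum_ok(pkt[:ihl])},
        # A stateless filter only has a transport header to read when the offset is zero.
        "filter_sees_ports": frag_offset == 0,
    }
    payload = pkt[ihl:]
    if proto != 17 or len(payload) < 8:
        return info
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
    pseudo = pkt[12:20] + b"\x00" + bytes([proto]) + struct.pack("!H", ulen)  # UDP pseudo-header
    info["udp"] = {"sport": sport, "dport": dport, "length": ulen,
                   "checksum_ok": 8 <= ulen <= len(payload) and checksum_ok(pseudo + payload[:ulen])}
    if dport == 53 and ulen >= 8 + 12 + 5:
        info["dns"] = decode_dns_question(payload[8:ulen])
    return info


if __name__ == "__main__":
    print(json.dumps(log_fragment_field(SAMPLE_LOG_LINE)))
    print(json.dumps(decode_packet(hexdump_to_bytes(SAMPLE_HEXDUMP)), indent=2))
```

Running it against the other eight dumps in the post gives the same UDP source port, the same DNS ID and the same root NS question each time, with only the IP ID, the last source octet and the checksums changing; the `checksum_ok` results are the useful check here, since a valid UDP checksum over the pseudo-header ties the payload to exactly these source and destination addresses.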