[Dshield] Port 16 traffic

Rob packethunter at comcast.net
Fri Dec 23 23:41:03 GMT 2005


jmulkerin wrote:
> We're just getting hammered with fragmented traffic to port 16 on a 
> dns/smtp server.  It's always 1 packet.  Normally he/she sends two 
> packets and changes IPs, then two more, then changes IP, etc.  Here is a 
> snippet:
>
> [Root]system-critical-00440: Fragmented traffic! From 
> 216.234.234.34:20864 to DNSSERVER:16, proto UDP (zone Untrust, int 
> ethernet1). Occurred 1 times. (2005-12-23 07:18:39)
>
> We have nothing running on port 16 and haven't found any covert channels 
> running on port 16.
>
> Comments?
>
> John Mulkerin
>
John,

Have you captured any of the packets?  tcpdump or Ethereal would be great.
Typically, if a packet is fragmented, only the first "piece" will have 
port numbers.  All subsequent fragments will retain the same packet ID, 
but only have payload above the IP layer (no TCP or UDP headers).

Rob
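Rob's point about fragments and port numbers, as an added example that is not part of the original thread: it builds a UDP datagram to port 16, splits it into two IPv4 fragments sharing one IP ID, and shows that only the offset-0 fragment carries a destination port a firewall or IDS can actually read. The source address and ports come from John's log line; the destination address and payload are constructed.

```python
import struct

IP_MF = 0x2000     # "more fragments" bit in the IPv4 flags/fragment-offset field
PROTO_UDP = 17

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src, dst, proto, ident, mf, offset_bytes, payload):
    """Minimal IPv4 header (no options; header checksum left 0, offline only) + payload."""
    flags_frag = (IP_MF if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload

def fragment_udp(src, dst, sport, dport, data, ident, frag_payload):
    """Split one UDP datagram into IPv4 fragments of frag_payload bytes (multiple of 8)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_payload):
        chunk = udp[off:off + frag_payload]
        mf = off + frag_payload < len(udp)      # more fragments follow this one?
        frags.append(build_ipv4(src, dst, PROTO_UDP, ident, mf, off, chunk))
    return frags

def describe_fragment(pkt):
    """Return (ident, offset_bytes, more_fragments, dport_or_None) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    proto = pkt[9]
    offset = (flags_frag & 0x1FFF) * 8
    mf = bool(flags_frag & IP_MF)
    dport = None
    # Only the offset-0 fragment carries the UDP header; later fragments are bare
    # payload, so bytes read from them as a "port" would be meaningless.
    if offset == 0 and proto == PROTO_UDP and len(pkt) >= ihl + 8:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return ident, offset, mf, dport

def demo():
    # Constructed: 16 bytes of payload, fragmented at 16 bytes of UDP data per packet.
    frags = fragment_udp("216.234.234.34", "10.0.0.53", 20864, 16, b"X" * 16, 0xABCD, 16)
    return [describe_fragment(f) for f in frags]

if __name__ == "__main__":
    for ident, off, mf, dport in demo():
        print(f"id=0x{ident:04x} offset={off} MF={mf} dport={dport}")
```

Capturing the traffic with tcpdump, as Rob suggests, lets you check whether the logged "port 16" came from an offset-0 fragment at all.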
