[Dshield] Anybody else see these strobes?

David Cary Hart DavidHart at TQMcube.com
Mon Jan 3 17:11:35 GMT 2005


On Mon, 2005-01-03 at 01:52 -0700, Henry Hertz Hobbit wrote:
> I have noticed a strange set of strobes on my WAN side.  I
> give two excerpts from two days:
> 
That's not a probe. It's routing information to your web client.
> 
> LOG FORMAT:
> ===========
> Log values are:
> Date
>         protocol     src IP:port     dst port     rule
> 
> LOG VALUES:
> ===========
> Dec/21/2004 11:11:52
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:11:52
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:11:57
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:02
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:07
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:07
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:12
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:12
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:17
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:17
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:22
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:26
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:31
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:35
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:40
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:12:42
>         UDP     63.251.178.30:11999     33436   Default
> Dec/21/2004 11:12:43
>         UDP     63.251.178.22:11999     33437   Default
> Dec/21/2004 11:12:44
>         UDP     63.251.178.10:11999     33438   Default
> Dec/21/2004 11:12:49
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:12:50
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:12:52
>         UDP     63.251.178.6:11999      33441   Default
> Dec/21/2004 11:12:53
>         UDP     63.251.178.34:11999     33442   Default
> Dec/21/2004 11:12:54
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:12:56
>         UDP     63.251.178.30:11999     33436   Default
> Dec/21/2004 11:12:57
>         UDP     63.251.178.22:11999     33437   Default
> Dec/21/2004 11:12:58
>         UDP     63.251.178.10:11999     33438   Default
> Dec/21/2004 11:12:59
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:13:00
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:13:02
>         UDP     63.251.178.6:11999      33441   Default
> Dec/21/2004 11:13:03
>         UDP     63.251.178.34:11999     33442   Default
> Dec/21/2004 11:13:04
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:13:05
>         UDP     63.251.178.30:11999     33436   Default
> Dec/21/2004 11:13:07
>         UDP     63.251.178.22:11999     33437   Default
> Dec/21/2004 11:13:08
>         UDP     63.251.178.10:11999     33438   Default
> Dec/21/2004 11:13:09
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:13:10
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:13:12
>         UDP     63.251.178.6:11999      33441   Default
> Dec/21/2004 11:13:13
>         UDP     63.251.178.34:11999     33442   Default
> Dec/21/2004 11:13:14
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:13:15
>         UDP     63.251.178.30:11999     33436   Default
> Dec/21/2004 11:13:17
>         UDP     63.251.178.22:11999     33437   Default
> Dec/21/2004 11:13:18
>         UDP     63.251.178.10:11999     33438   Default
> Dec/21/2004 11:13:19
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:13:20
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:13:22
>         UDP     63.251.178.6:11999      33441   Default
> Dec/21/2004 11:13:23
>         UDP     63.251.178.34:11999     33442   Default
> Dec/21/2004 11:13:24
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:13:25
>         UDP     63.251.178.30:11999     33436   Default
> Dec/21/2004 11:13:27
>         UDP     63.251.178.22:11999     33437   Default
> Dec/21/2004 11:13:28
>         UDP     63.251.178.10:11999     33438   Default
> Dec/21/2004 11:13:29
>         UDP     63.251.178.14:11999     33439   Default
> Dec/21/2004 11:13:30
>         UDP     63.251.178.18:11999     33440   Default
> Dec/21/2004 11:13:31
>         UDP     63.251.178.6:11999      33441   Default
> Dec/21/2004 11:13:33
>         UDP     63.251.178.34:11999     33442   Default
> 
> 
> LOG FORMAT:
> ===========
> Log values are:
> Date
>         protocol     src IP:port     dst port     rule
> 
> LOG VALUES:
> ===========
> Dec/31/2004 12:05:01
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:01
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:06
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:11
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:15
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:19
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:24
>         UDP     216.52.31.18:10276      33438   Default
> 
> 
> For any given set, the source port is always the same and
> either the destination port is also fixed, or like the first
> list here cycles through ports 33435 through 33442.  All
> packets are UDP.  All the Default means is that the default
> rule of denying anything that is not expressly permitted is
> prohibited on the WAN side.  I am using a D-Link 604 NAT /
> router /switch.  Don't diss it, it works!  It stops all of
> the packets that I have expressly denied permission to go
> either way in the rule set.  Its only fault is no provision
> for really automating the logging.  But it wasn't designed
> for doing that in the first place.  Since these ports are
> Unassigned, I have no idea why they are doing this.  It
> looks like there are very few of us getting them though.
> 
> Henry Hertz Hobbit
> (hhh)
> 
> 
________________________________________________________________________
Total Quality Management - A Commitment to Excellence
http://www.TQMcube.com
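
An added example, not part of either poster's message: a Python parser for the two-line log format quoted above that summarizes, per source network, the source ports, destination ports and time span, so the pattern described in the question (fixed source port, fixed or cycling destination ports) can be checked mechanically. The /24 grouping and the traceroute port window are assumptions that do not come from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# A subset of the log lines quoted above, "> " quoting included.
SAMPLE = """\
> Dec/21/2004 11:12:40
>         UDP     63.251.178.26:11999     33435   Default
> Dec/21/2004 11:12:42
>         UDP     63.251.178.30:11999     33436   Default
> Dec/31/2004 12:05:01
>         UDP     216.52.31.18:10276      33438   Default
> Dec/31/2004 12:05:11
>         UDP     216.52.31.18:10276      33438   Default
"""
DATE_RE = re.compile(r"^\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
PKT_RE = re.compile(r"^(\w+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\d+)\s+(\S+)$")
# Assumption (not from the thread): UDP traceroute probes count up from 33434.
TRACEROUTE_PORTS = range(33434, 33534)

def parse(text):
    """Yield (time, proto, src_ip, src_port, dst_port, rule) per log entry."""
    stamp = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # drop mail quoting and indent
        m = PKT_RE.match(line)
        if m and stamp:
            proto, ip, sport, dport, rule = m.groups()
            yield stamp, proto, ip, int(sport), int(dport), rule
            stamp = None                     # each packet needs its own date line
        elif DATE_RE.match(line):
            stamp = datetime.strptime(line, "%b/%d/%Y %H:%M:%S")

def summarize(records, prefix=24):
    """Group entries by source network and report the port pattern."""
    groups = defaultdict(list)
    for rec in records:
        net = ipaddress.ip_network(f"{rec[2]}/{prefix}", strict=False)
        groups[str(net)].append(rec)
    out = {}
    for net, recs in groups.items():
        times = [r[0] for r in recs]
        dports = sorted({r[4] for r in recs})
        out[net] = {"packets": len(recs), "src_ports": sorted({r[3] for r in recs}),
                    "dst_ports": dports,
                    "span_s": int((max(times) - min(times)).total_seconds()),
                    "traceroute_range": all(p in TRACEROUTE_PORTS for p in dports)}
    return out
```

`summarize(parse(log_text))` returns one entry per source network; a single source port with destination ports confined to the assumed window matches the pattern reported in the question.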



