[Dshield] Question on UDP Traffic - TTL=0

Holmes, Alan AHolmes at FSC.Follett.com
Fri Jan 7 21:11:11 GMT 2005


I am quite new to this whole security thing and am learning as much as I
can, so please excuse any terminology misuse.

For fun, I threw Snort out on our general network to collect packets.  I am
seeing a TON (several thousand per minute) of the "BadTraffic TTL=0" rules
being triggered.

Source and destination ports are generally 20031:UDP.
Source address is one of several Linux boxes on our internal network.  They
are behind a firewall and no ports for any of them are open to the Internet.

The captures that triggered the rule have the following characteristics in
common:

- All of the captures in question are sent to the broadcast address of the
range in which the source machine resides.
- All of the captures in question have the same first 35 bytes (see capture
below).
- All of the captures in question have the hostname of the machine that
matches the source address in it.
- I may be missing something common, but also of interest (and something
that makes the 12-year-old sense of humor in me want to chuckle like I'm
back in sex-ed class) is the string "ibooz" in the middle of each of these
captures.

Packets look similar to the following:
----
length = 599

000 : 57 02 00 00 01 CB 22 77 C9 17 00 00 00 69 3B 69   W....."w.....i;i
010 : 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69   ;i;i;i;i;i;i;i;i
020 : 3B 73 3B 00 00 00 00 00 C0 00 00 00 00 00 00 00   ;s;.............
030 : 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00   ................
040 : 03 00 00 00 03 00 00 00 00 00 00 00 08 00 00 00   ................
050 : 65 62 73 61 70 70 31 00 00 00 00 00 00 00 00 00   ebsapp1.........
060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
070 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
080 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0c0 : 97 01 00 00 00 00 00 00 01 8F D0 F0 CA 0B 00 00   ................
0d0 : 00 69 3B 62 3B 6F 3B 6F 3B 7A 3B 00 B5 C1 65 40   .i;b;o;o;z;...e@
0e0 : 00 01 B9 F9 A2 C8 00 00 00 00 02 00 00 00 00 01   ................
0f0 : A5 97 F0 CA 05 00 00 00 6E 33 32 3B 00 20 00 00   ........n32;. ..
100 : 00 10 02 4E 3F AC 10 00 18 00 00 00 00 00 00 00   ...N?...........
110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
120 : 00 01 A5 97 F0 CA 05 00 00 00 6E 33 32 3B 00 20   ..........n32;. 
130 : 00 00 00 10 02 4E 3F 0A 00 01 18 00 00 00 00 00   .....N?.........
140 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
150 : 00 00 00 B9 F9 A2 C8 02 01 00 00 00 A5 97 F0 CA   ................
160 : 05 00 00 00 6E 33 32 3B 00 20 00 00 00 04 02 4E   ....n32;. .....N
170 : 3F AC 10 00 18 00 00 00 00 00 00 00 00 FF FF FF   ?...............
180 : FF FF FF FF FF 00 00 00 00 00 00 00 00 01 08 00   ................
190 : 00 00 65 62 73 61 70 70 31 00 06 00 00 00 0B 00   ..ebsapp1.......
1a0 : 00 00 05 00 00 00 54 79 70 65 00 01 00 00 00 01   ......Type......
1b0 : 00 00 00 05 00 00 00 75 6E 69 78 00 12 00 00 00   .......unix.....
-----

If anyone has any suggestions or info, I'd greatly appreciate it.
Especially if it's something configuration-wise that I can pass along to the
Unix admins about their stuff.  Maybe this is totally common traffic that
everyone sees, but it's triggering the Snort rule and maybe I just need to
turn off detection on that rule.

Thanks again!

Alan Holmes
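An added example (not part of the original post) for triaging alerts like these before deciding whether to tune the rule: it parses Snort's hex dump format back into bytes, lists the printable strings (the hostname and the "i;b;o;o;z;" token the post noticed as "ibooz"), and measures the prefix shared by several captures. It sees only the UDP payload, so the TTL=0 condition itself is not visible to it; the second capture is constructed to differ from the posted one at byte 0x23.

```python
import re

# One line of a Snort packet dump: "<hex offset> : <hex bytes>   <ascii column>"
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$))+)")

def parse_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from a Snort-style dump, placing each line at its
    stated offset; offsets the dump does not list are zero-filled."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:                 # skips "length = 599", "----" and blank lines
            continue
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))
        out += bytes(max(0, offset + len(chunk) - len(out)))   # grow to fit
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """(offset, text) for each run of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def common_prefix_len(payloads: list) -> int:
    """Number of leading bytes identical across every payload."""
    n = 0
    while payloads and all(len(p) > n and p[n] == payloads[0][n] for p in payloads):
        n += 1
    return n

# Five lines excerpted from the dump quoted in the post; the lines left out
# are zero-filled by parse_hexdump, so this is not the complete packet.
POSTED_DUMP = """\
length = 599
000 : 57 02 00 00 01 CB 22 77 C9 17 00 00 00 69 3B 69   W....."w.....i;i
010 : 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69 3B 69   ;i;i;i;i;i;i;i;i
020 : 3B 73 3B 00 00 00 00 00 C0 00 00 00 00 00 00 00   ;s;.............
050 : 65 62 73 61 70 70 31 00 00 00 00 00 00 00 00 00   ebsapp1.........
0d0 : 00 69 3B 62 3B 6F 3B 6F 3B 7A 3B 00 B5 C1 65 40   .i;b;o;o;z;...e@
"""
# Constructed second capture: identical up to byte 0x22, different at 0x23.
SECOND_DUMP = POSTED_DUMP.replace("3B 73 3B 00 00", "3B 73 3B 01 00")

def triage(dumps: list) -> dict:
    """Parse the dumped packets and report what they have in common."""
    payloads = [parse_hexdump(d) for d in dumps]
    return {"common_prefix": common_prefix_len(payloads),
            "strings": printable_strings(payloads[0]),
            "hostname_seen": b"ebsapp1" in payloads[0]}
```

Running `triage([POSTED_DUMP, SECOND_DUMP])` reports a 35-byte common prefix, matching the post, and lists the strings at offsets 13 (the "i;i;...;s;" run), 80 ("ebsapp1") and 209 ("i;b;o;o;z;").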