[Dshield] icmp <-> udp ???

stephane nasdrovisky stephane.nasdrovisky at paradigmo.com
Mon Jan 17 08:06:50 GMT 2005


Moritz Gartenmeister wrote:

> i noticed shortly, that one of my servers does strange things.

It does not look strange for me.

> the server sends every 2 mins an icmp packet to a host outside my 
> network. the host is answering with a udp packet. has anyone ever seen 
> something like this? WINS? VPN? the ip outside was changing over the 
> time, but stayed in class c subnet.

The answer is the icmp, not the udp (have a close look at the 
timestamps). netbios-something usually is ms netbios related: either 
someone who tries to browse your files (low probability) or a worm (the 
strange thing is you see these packets coming from a single class c 
network, they usually come from everywhere, it could be an isp acl 
side-effect. Is your isp the owner of 129.132.208.0/24 network?).

> i will reinstall the server asap, but i would like to know what is 
> going on.

It looks like it's not necessary.

> 01-15-05 15:27:42.489275  I  0:50:f:aa:10:39  0:e0:4c:70:5:7a  udp  129.132.208.20.137  ->  172.17.0.7.netbios-ns  9  0  990   0  INT
> 01-15-05 15:27:42.489560     0:e0:4c:70:5:7a  0:50:f:aa:10:39  icmp 172.17.0.7          ->  129.132.208.20         9  0  1242  0  URP

As your server is not listening on udp/netbios-ns, it probably answers 
with an icmp port unreachable. It also probably means it's not 
(correctly) firewalled: only udp/68, udp/69, udp/53 and tcp/53 are 
necessary from anywhere (= the networks for which you deserve to provide 
dhcp & dns services) to your server + any administration protocols 
(tcp/22, tcp/23, ...) from your lan or pc to your server.

The 129.132... network is also from Switzerland (according to www.ripe.net):

inetnum:      129.132.0.0 - 129.132.255.255
netname:      ETH-ETHER
descr:        ETH/UNIZH Camp Net
descr:        ETHZ, Swiss Federal Institute of Technology Zurich
descr:        Zurich, Switzerland
country:      CH

Your dns server is also in their network:

nslookup -type=mx uplink-verein.ch
uplink-verein.ch        MX preference = 10, mail exchanger = rou-uplink.uplink-verein.ch

uplink-verein.ch        nameserver = dns3.ethz.ch
uplink-verein.ch        nameserver = dns1.ethz.ch
rou-uplink.uplink-verein.ch     internet address = 195.176.0.50
dns3.ethz.ch    internet address = 129.132.250.2
dns1.ethz.ch    internet address = 129.132.98.12

inetnum:      195.176.0.48 - 195.176.0.63
netname:      UPLINK
descr:        Uplink student asscociation
descr:        Zurich, Switzerland
country:      CH
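The pairing Stephane describes (a udp datagram arrives at a closed port, the server immediately sends icmp back to the same peer) can be checked mechanically from the sniffer output. The script below is an added example, not code from the post or from any Dshield tool: it parses lines in the format quoted above, pairs each inbound udp datagram to the server with an icmp packet the server sends to the same peer within one second, and compares the port that was hit against the allow-list given in the post. The sample log contains the two lines quoted in the post plus two constructed lines showing a normal dns exchange with a made-up peer 198.51.100.7; the server address, the one-second window and the service-name fallback table are assumptions.

```python
"""Pair inbound UDP datagrams with the ICMP replies they trigger.

Added example (not from the Dshield post). Any inbound UDP datagram that is
answered by ICMP from the server within a short window most likely hit a
closed port that the firewall should have filtered.
"""
from datetime import datetime, timedelta
import socket

SERVER_IP = "172.17.0.7"                       # the server in the post
WINDOW = timedelta(seconds=1)                  # assumption: reply delay bound
# Ports the post says must be reachable from anywhere.
ALLOWED = {("udp", 53), ("tcp", 53), ("udp", 68), ("udp", 69)}
# Used only when /etc/services does not know a name (assumed table).
FALLBACK_SERVICES = {"netbios-ns": 137, "domain": 53, "bootpc": 68, "tftp": 69}

# First two lines are from the post; the last two are constructed.
SAMPLE_LOG = """
01-15-05 15:27:42.489275  I  0:50:f:aa:10:39  0:e0:4c:70:5:7a  udp  129.132.208.20.137  ->  172.17.0.7.netbios-ns  9  0  990   0  INT
01-15-05 15:27:42.489560     0:e0:4c:70:5:7a  0:50:f:aa:10:39  icmp 172.17.0.7          ->  129.132.208.20         9  0  1242  0  URP
01-15-05 15:27:43.000100  I  0:50:f:aa:10:39  0:e0:4c:70:5:7a  udp  198.51.100.7.53214  ->  172.17.0.7.domain      9  0  80    0  INT
01-15-05 15:27:43.000400     0:e0:4c:70:5:7a  0:50:f:aa:10:39  udp  172.17.0.7.domain   ->  198.51.100.7.53214     9  0  120   0  INT
"""


def port_number(name):
    """Turn a numeric or symbolic port from the log into an int."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return FALLBACK_SERVICES[name]


def parse_line(line):
    """Parse one sniffer line into a record; the 'I' flag column is optional."""
    tok = line.split()
    ts = datetime.strptime(tok[0] + " " + tok[1], "%m-%d-%y %H:%M:%S.%f")
    pi = next(i for i, t in enumerate(tok) if t in ("udp", "tcp", "icmp"))
    proto, src, dst = tok[pi], tok[pi + 1], tok[pi + 3]
    if proto == "icmp":
        return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": None}
    sip, _sport = src.rsplit(".", 1)        # "a.b.c.d.port" -> ip, port
    dip, dport = dst.rsplit(".", 1)
    return {"ts": ts, "proto": proto, "src": sip, "dst": dip,
            "dport": port_number(dport)}


def unreachable_replies(lines, server=SERVER_IP, window=WINDOW):
    """Return inbound udp/tcp hits on `server` that were answered by icmp."""
    recs = sorted((parse_line(l) for l in lines if l.strip()),
                  key=lambda r: r["ts"])
    findings = []
    for i, r in enumerate(recs):
        if r["proto"] == "icmp" or r["dst"] != server:
            continue
        for later in recs[i + 1:]:
            if later["ts"] - r["ts"] > window:
                break
            if (later["proto"] == "icmp" and later["src"] == server
                    and later["dst"] == r["src"]):
                port = (r["proto"], r["dport"])
                findings.append({
                    "peer": r["src"],
                    "port": port,
                    "allowed": port in ALLOWED,
                    # exact integer microseconds, no float rounding
                    "delay_us": (later["ts"] - r["ts"]) // timedelta(microseconds=1),
                })
                break
    return findings


if __name__ == "__main__":
    for f in unreachable_replies(SAMPLE_LOG.splitlines()):
        state = "allowed" if f["allowed"] else "should be filtered"
        print(f"{f['peer']} hit {f['port'][0]}/{f['port'][1]}, icmp reply "
              f"after {f['delay_us']} us ({state})")
```

Run against the sample, it reports only the netbios-ns hit from 129.132.208.20 (answered by icmp 285 µs later, and not in the allow-list); the dns exchange is answered with udp and is therefore not reported.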
