[Dshield] icmp <-> udp ???

Moritz Gartenmeister moritz at uplink-verein.ch
Mon Jan 17 10:51:28 GMT 2005


stephane nasdrovisky wrote:
>> the server sends every 2 mins an icmp-paket to a host outside my 
>> network. the host is answering with a udp packet. has anyone ever seen 
>> something like this? WINS? VPN? the ip outside was chaning over the 
>> time, but stayed in class c subnet.
> 
> The answer is the icmp, not the udp (have a close look at the 
> timestamps). netbios-something usually is ms netbios related: either 
> somone who tries to browse your files (low probability) or a worm (the 
> strange thing is you see these packets coming from a single class c 
> network, they usually comes from aeverywhere, it could be an isp acl 
> side-effect. Is your isp the owner of 129.132.208.0/24 network?).

but it makes no sense to, that a server outside my lan. netbios over a nat router? and why it is 
only trying to connect to this server?

129.132.208.0/24 is not our ISP, it is the carrier.

it makes no sense for me. this server shouldn't try to connect to my server.

regards
moritz



More information about the list mailing list