[Dshield] Enquiry about strange network usage by user

Michael Thompson mike at thompsonmike.co.uk
Fri Oct 7 20:34:28 GMT 2005


I have banned a user from using all P2P software, and put in place a block on 
the firewall to prevent it being used.

I am watching the network sniffer logs, and I see loads of this:

158.053449 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.103187 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.113353 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.160275 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.179096 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.224196 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.233660 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050

For about 5 minutes, then loads of handshakes and transfers from BitTorrent. 
What are these mass UDP connections?? Anyone know? Part of the P2P crap?

Any help appreciated...

-- 
Mike

To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A
http://www.thompsonmike.co.uk

I don't need to outrun the bear, just the guy next to me...
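
A way to triage sniffer output like the lines quoted in the post, as an added example that is not part of the original message: it groups packet summaries into flows and reports the ones where an internal host sends a rapid run of packets to one external endpoint. The function names and both thresholds are assumptions, and the parser assumes numeric addresses in the one-line format shown above.

```python
import ipaddress
import re
from collections import defaultdict

# One-line packet summary in the format shown in the post.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)")

# The seven lines from the post, with the archive's line wrapping undone.
SAMPLE = """\
158.053449 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.103187 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.113353 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.160275 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.179096 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.224196 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.233660 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
"""

def summarize_flows(text):
    """Group packets by 5-tuple and return count, duration and mean gap per flow."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything that is not a packet summary is skipped
            key = (m["src"], m["dst"], m["proto"], int(m["sport"]), int(m["dport"]))
            times[key].append(float(m["ts"]))
    flows = []
    for key, ts in times.items():
        ts.sort()
        duration = ts[-1] - ts[0]
        gap = duration / (len(ts) - 1) if len(ts) > 1 else None
        flows.append({"flow": key, "packets": len(ts), "duration": duration, "mean_gap": gap})
    return sorted(flows, key=lambda f: f["packets"], reverse=True)

def outbound_bursts(flows, min_packets=5, max_mean_gap=0.1):
    """Private-source to public-destination flows with many closely spaced packets.
    Both thresholds are assumptions to tune against the local baseline."""
    def is_outbound(f):
        src, dst = (ipaddress.ip_address(a) for a in f["flow"][:2])
        return src.is_private and not dst.is_private
    return [f for f in flows
            if f["packets"] >= min_packets and f["mean_gap"] is not None
            and f["mean_gap"] <= max_mean_gap and is_outbound(f)]

if __name__ == "__main__":
    for f in outbound_bursts(summarize_flows(SAMPLE)):
        print(f)
```

Run over a full capture rather than seven lines, the sorted summary shows whether the traffic is one long-lived flow to a single peer or many short flows to many peers, which is the first thing to establish before deciding what to block.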

