[Dshield] Activity on UDP/13024 - is that malicious or simple noise??

MaXX forum at dshield.org
Wed Oct 19 03:28:37 GMT 2005



Good morning,

I noticed unusual activity on this port today; this is a single host broadcasting to the whole /24 subnet every 5 to 20 seconds (almost random).
The source port increases by 1 for each packet. 


As my network knowledge is limited to the basics, I want to ask you if I should simply ignore that or contact my ISP.

The packets are rejected by the firewall.

Thanks in advance, 
--
MaXX


Here is a packet capture: 
No.     Time        Source                Destination           Protocol Info
      1 0.000000    62.205.112.xx4          62.205.112.255        UDP      Source port: 3788  Destination port: 13024

Frame 1 (82 bytes on wire, 82 bytes captured)
    Arrival Time: Oct 19, 2005 04:15:43.742388000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 82 bytes
    Capture Length: 82 bytes
    Protocols in frame: eth:ip:udp:data
Ethernet II, Src: BelkinCo_--:--:-- (00:30:bd:--:--:--), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: BelkinCo_--:--:-- (00:30:bd:--:--:--)
    Type: IP (0x0800)
Internet Protocol, Src: 62.205.112.xx4 (62.205.112.xx4), Dst: 62.205.112.255 (62.205.112.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0xabd6 (43990)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x7035 
    Source: 62.205.112.xx4 (62.205.112.xx4)
    Destination: 62.205.112.255 (62.205.112.255)
User Datagram Protocol, Src Port: 3788 (3788), Dst Port: 13024 (13024)
    Source port: 3788 (3788)
    Destination port: 13024 (13024)
    Length: 48
    Checksum: 0x6fa1 
Data (40 bytes)

0000  23 48 29 00 f1 5f 55 43 84 67 be 18 cb cd 28 07   #H).._UC.g....(.
0010  bb 95 d7 c5 bc 66 9f cb 96 08 c7 f4 68 e4 2d f5   .....f......h.-.
0020  3b fb 68 33 76 8a 27 44                           ;.h3v.'D

This message was sent via the web forum at
http://forum.dshield.org


