[Dshield] Activity on UDP/13024 - is that malicious or simple noise??
bhill at capitaltitlegroup.com
Wed Oct 19 14:51:27 GMT 2005
Hi, you may want to submit your logs to DShield if you have not already.
Also, do a search on infocon to see if there is a percentage of traffic
being reported by other people from that same source IP and port.
If you find out there have been a lot of reports or this continues
throughout today, then yes, I would report it to your ISP.
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of MaXX
Sent: Tuesday, October 18, 2005 8:29 PM
To: list at lists.dshield.org
Subject: [Dshield] Activity on UDP/13024 - is that malicious or
I noticed an unusual activity on this port today, this is a single
host broadcasting the whole /24 subnet every 5 to 20 seconds (almost
The source port increases by 1 for each packet.
As my network knowledge is limited to the basics, I want to ask you if I
should simply ignore that or contact my ISP.
The packets are rejected by the firewall.
Thanks in advance,
Here is a packet capture:
No. Time Source Destination Protocol
1 0.000000 62.205.112.xx4 184.108.40.206 UDP
Source port: 3788 Destination port: 13024
Frame 1 (82 bytes on wire, 82 bytes captured)
Arrival Time: Oct 19, 2005 04:15:43.742388000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 82 bytes
Capture Length: 82 bytes
Protocols in frame: eth:ip:udp:data
Ethernet II, Src: BelkinCo_--:--:-- (00:30:bd:--:--:--), Dst: Broadcast
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: BelkinCo_--:--:-- (00:30:bd:--:--:--)
Type: IP (0x0800)
Internet Protocol, Src: 62.205.112.xx4 (62.205.112.xx4), Dst:
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 68
Identification: 0xabd6 (43990)
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x7035
Source: 62.205.112.xx4 (62.205.112.xx4)
Destination: 220.127.116.11 (18.104.22.168)
User Datagram Protocol, Src Port: 3788 (3788), Dst Port: 13024 (13024)
Source port: 3788 (3788)
Destination port: 13024 (13024)
Data (40 bytes)
0000 23 48 29 00 f1 5f 55 43 84 67 be 18 cb cd 28 07 #H).._UC.g....(.
0010 bb 95 d7 c5 bc 66 9f cb 96 08 c7 f4 68 e4 2d f5 .....f......h.-.
0020 3b fb 68 33 76 8a 27 44 ;.h3v.'D