[Dshield] Activity on UDP/13024 - is that malicious or simple noise??

Bryan Hill bhill at capitaltitlegroup.com
Wed Oct 19 14:51:27 GMT 2005

Hi, you may want to submit your logs to DShield if you have not already.
Also, do a search on infocon to see if there is a percentage of traffic
being reported by other people from that same source IP and port.

If you find out there have been a lot of reports or this continues
throughout today, then yes, I would report it to your ISP.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of MaXX
Sent: Tuesday, October 18, 2005 8:29 PM
To: list at lists.dshield.org
Subject: [Dshield] Activity on UDP/13024 - is that malicious or

Good morning,

I noticed unusual activity on this port today: this is a single
host broadcasting the whole /24 subnet every 5 to 20 seconds (almost
The source port increases by 1 for each packet. 

As my network knowledge is limited to the basics, I want to ask you if I
should simply ignore that or contact my ISP.

The packets are rejected by the firewall.

Thanks in advance, 

Here is a packet capture: 
No.     Time        Source                Destination           Protocol
      1 0.000000    62.205.112.xx4        UDP
Source port: 3788  Destination port: 13024

Frame 1 (82 bytes on wire, 82 bytes captured)
    Arrival Time: Oct 19, 2005 04:15:43.742388000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 82 bytes
    Capture Length: 82 bytes
    Protocols in frame: eth:ip:udp:data
Ethernet II, Src: BelkinCo_--:--:-- (00:30:bd:--:--:--), Dst: Broadcast
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: BelkinCo_--:--:-- (00:30:bd:--:--:--)
    Type: IP (0x0800)
Internet Protocol, Src: 62.205.112.xx4 (62.205.112.xx4), Dst: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0xabd6 (43990)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x7035 
    Source: 62.205.112.xx4 (62.205.112.xx4)
    Destination: (
User Datagram Protocol, Src Port: 3788 (3788), Dst Port: 13024 (13024)
    Source port: 3788 (3788)
    Destination port: 13024 (13024)
    Length: 48
    Checksum: 0x6fa1 
Data (40 bytes)

0000  23 48 29 00 f1 5f 55 43 84 67 be 18 cb cd 28 07   #H).._UC.g....(.
0010  bb 95 d7 c5 bc 66 9f cb 96 08 c7 f4 68 e4 2d f5   .....f......h.-.
0020  3b fb 68 33 76 8a 27 44                           ;.h3v.'D
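
An added example, not part of the original thread: a small Python triage script that groups rejected UDP packets to one destination port by source and reports the traits described in the post (packet count, destinations hit, typical interval, and whether the source port rises by exactly 1 per packet), which is the kind of summary worth attaching to a DShield or ISP report. The record layout `(time, src, sport, dst, dport)` and all addresses below are constructed for illustration (documentation ranges); adapt the parsing to your own firewall log format.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records, not taken from the post:
# (seconds since first packet, source IP, source port, destination IP, destination port)
SAMPLE = [
    (0.0,  "192.0.2.14",   3788,  "192.0.2.255", 13024),
    (7.2,  "192.0.2.14",   3789,  "192.0.2.255", 13024),
    (19.5, "192.0.2.14",   3790,  "192.0.2.255", 13024),
    (31.0, "192.0.2.14",   3791,  "192.0.2.255", 13024),
    (12.0, "198.51.100.7", 53211, "192.0.2.20",  13024),
    (40.0, "198.51.100.7", 1900,  "192.0.2.20",  13024),
    (95.0, "198.51.100.7", 40112, "192.0.2.20",  13024),
    (50.0, "203.0.113.9",  4000,  "192.0.2.20",  53),     # other port, ignored
]

def summarize(records, dport, min_packets=3):
    """Describe, per source IP, the traffic seen towards UDP `dport`."""
    by_src = defaultdict(list)
    for ts, src, sport, dst, dp in records:
        if dp == dport:
            by_src[src].append((ts, sport, dst))

    report = {}
    for src, pkts in by_src.items():
        if len(pkts) < min_packets:
            continue  # too few packets to say anything about a pattern
        pkts.sort()  # order by timestamp
        pairs = list(zip(pkts, pkts[1:]))
        gaps = [b[0] - a[0] for a, b in pairs]
        report[src] = {
            "packets": len(pkts),
            "destinations": sorted({p[2] for p in pkts}),
            "median_gap_s": round(median(gaps), 1),
            # True when every packet uses the previous source port + 1
            "sequential_sport": all(b[1] - a[1] == 1 for a, b in pairs),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE, dport=13024).items():
        print(src, info)
```
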
