[Dshield] Activity on UDP/13024 - is that malicious or simple noise??

Bryan Hill bhill at capitaltitlegroup.com
Wed Oct 19 15:12:18 GMT 2005


Sorry for the grammar guys, I just woke up... :)

I meant to say, if you find out there has been an excessive amount of
reports after you have done your research, or if you continue to receive
this traffic throughout the day on your Firewall, then it would be a
good idea to report it to your ISP... 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Bryan Hill
Sent: Wednesday, October 19, 2005 7:51 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Activity on UDP/13024 - is that malicious or simple noise??

Hi, you may want to submit your logs to dshield if you have not already.
Also, do a search on infocon to see if there is a percentage of traffic
being reported by other people from that same source IP and port. 

If you find out there have been a lot of reports or this continues
throughout today, then yes, I would report it to your ISP.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of MaXX
Sent: Tuesday, October 18, 2005 8:29 PM
To: list at lists.dshield.org
Subject: [Dshield] Activity on UDP/13024 - is that malicious or simple noise??



Good morning,

I noticed an unusual activity on this port today, this is a single
host broadcasting the whole /24 subnet every 5 to 20 seconds (almost
random).
The source port increases by 1 for each packet. 


As my network knowledge is limited to the basics, I want to ask you if I
should simply ignore that or contact my ISP.

The packets are rejected by the firewall.

Thanks in advance, 
--
MaXX


Here is a packet capture: 
No.     Time        Source                Destination           Protocol Info
      1 0.000000    62.205.112.xx4        62.205.112.255        UDP      Source port: 3788  Destination port: 13024

Frame 1 (82 bytes on wire, 82 bytes captured)
    Arrival Time: Oct 19, 2005 04:15:43.742388000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 82 bytes
    Capture Length: 82 bytes
    Protocols in frame: eth:ip:udp:data
Ethernet II, Src: BelkinCo_--:--:-- (00:30:bd:--:--:--), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: BelkinCo_--:--:-- (00:30:bd:--:--:--)
    Type: IP (0x0800)
Internet Protocol, Src: 62.205.112.xx4 (62.205.112.xx4), Dst: 62.205.112.255 (62.205.112.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0xabd6 (43990)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x7035 
    Source: 62.205.112.xx4 (62.205.112.xx4)
    Destination: 62.205.112.255 (62.205.112.255)
User Datagram Protocol, Src Port: 3788 (3788), Dst Port: 13024 (13024)
    Source port: 3788 (3788)
    Destination port: 13024 (13024)
    Length: 48
    Checksum: 0x6fa1 
Data (40 bytes)

0000  23 48 29 00 f1 5f 55 43 84 67 be 18 cb cd 28 07   #H).._UC.g....(.
0010  bb 95 d7 c5 bc 66 9f cb 96 08 c7 f4 68 e4 2d f5   .....f......h.-.
0020  3b fb 68 33 76 8a 27 44                           ;.h3v.'D

This message was sent via the web forum at
http://forum.dshield.org
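
Added example, not part of the original messages: one way to confirm from firewall logs the pattern described above (one host, subnet broadcast, fixed destination port, source port rising by 1, gaps of 5 to 20 seconds) before submitting logs or contacting the ISP. The log format, the `summarize` helper and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in iptables-LOG key=value style; addresses are
# documentation placeholders (192.0.2.0/24), not the host from the thread.
SAMPLE_LOG = """\
Oct 19 04:15:43 fw kernel: REJECT SRC=192.0.2.14 DST=192.0.2.255 PROTO=UDP SPT=3788 DPT=13024
Oct 19 04:15:51 fw kernel: REJECT SRC=192.0.2.14 DST=192.0.2.255 PROTO=UDP SPT=3789 DPT=13024
Oct 19 04:16:08 fw kernel: REJECT SRC=192.0.2.14 DST=192.0.2.255 PROTO=UDP SPT=3790 DPT=13024
Oct 19 04:16:14 fw kernel: REJECT SRC=192.0.2.14 DST=192.0.2.255 PROTO=UDP SPT=3791 DPT=13024
Oct 19 04:16:20 fw kernel: REJECT SRC=192.0.2.77 DST=192.0.2.9 PROTO=UDP SPT=53211 DPT=1434
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) .*SRC=(\S+) DST=(\S+) PROTO=UDP SPT=(\d+) DPT=(\d+)"
)

def summarize(log_text, broadcast, year=2005):
    """Group rejected UDP packets sent to `broadcast` by (source, dest port)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == broadcast:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            flows[(m.group(2), int(m.group(5)))].append((ts, int(m.group(4))))
    report = {}
    for key, pkts in flows.items():
        pkts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        steps = [b[1] - a[1] for a, b in zip(pkts, pkts[1:])]
        report[key] = {
            "packets": len(pkts),
            "min_gap": min(gaps, default=None),
            "max_gap": max(gaps, default=None),
            # True when every packet used the previous source port + 1
            "sport_increments": bool(steps) and all(s == 1 for s in steps),
        }
    return report

if __name__ == "__main__":
    for (src, dpt), stats in summarize(SAMPLE_LOG, "192.0.2.255").items():
        print(src, f"udp/{dpt}", stats)
```

A flow with a steady packet count, gaps inside a narrow band and `sport_increments` set is the kind of summary worth attaching to a log submission or an ISP report.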

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
 
This information may be legally privileged and/or is confidential, and
is intended for the use of the addressee named above.  Any other use is
strictly prohibited.  If you have received this communication in error,
please immediately notify me and destroy the communication.  Any
wrongful interception of this transmission is  prohibited and punishable
under federal law.
