[Dshield] UDP 21626 Traffic

Johannes B. Ullrich jullrich at sans.org
Sun Feb 5 01:47:21 GMT 2006


jayjwa wrote:

>What do you make of these? Don't they look interesting? This started one day- 
>lots of traffic to this one port: UDP 21626. That's a high UDP port, kind of 
>uncommon. There hasn't been any activity since these packets were recorded.
>Below are a few of the more interesting looking frames. I did some checking 
>around, but no info was to be found regarding this particular port.
>  
>

Based on the packet content (nice capture btw...), this is BitTorrent
P2P traffic.




>
>Frame 1 (171 bytes on wire, 171 bytes captured)
>     Arrival Time: Jan 26, 2006 19:55:43.961168000
>     Time delta from previous packet: 0.000000000 seconds
>     Time since reference or first frame: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 171 bytes
>     Capture Length: 171 bytes
>     Protocols in frame: sll:ip:udp:data
>Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
>Internet Protocol, Src: 222.8.101.15 (222.8.101.15), Dst: 64.179.12.75 (64.179.12.75)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 155
>     Identification: 0xd1d4 (53716)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 108
>     Protocol: UDP (0x11)
>     Header checksum: 0xec67 [correct]
>         Good: True
>         Bad : False
>     Source: 222.8.101.15 (222.8.101.15)
>     Destination: 64.179.12.75 (64.179.12.75)
>User Datagram Protocol, Src Port: 9869 (9869), Dst Port: 21626 (21626)
>     Source port: 9869 (9869)
>     Destination port: 21626 (21626)
>     Length: 135
>     Checksum: 0xa4a3 [correct]
>Data (127 bytes)
>
>0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
>0010  45 00 00 9b d1 d4 00 00 6c 11 ec 67 de 08 65 0f   E.......l..g..e.
>0020  40 b3 0c 4b 26 8d 54 7a 00 87 a4 a3 64 31 3a 61   @..K&.Tz....d1:a
>0030  64 32 3a 69 64 32 30 3a 07 3a 9a 4b 69 0b 89 44   d2:id20:.:.Ki..D
>0040  78 bc 42 f9 ea f6 c8 67 44 88 f1 26 39 3a 69 6e   x.B....gD..&9:in
>0050  66 6f 5f 68 61 73 68 32 30 3a 89 04 d3 de cf 4e   fo_hash20:.....N
>0060  89 9a 0a ae 52 8e 8b c9 38 80 89 9c 28 ce 34 3a   ....R...8...(.4:
>0070  70 6f 72 74 69 39 38 36 39 65 35 3a 74 6f 6b 65   porti9869e5:toke
>0080  6e 30 3a 65 31 3a 71 31 33 3a 61 6e 6e 6f 75 6e   n0:e1:q13:announ
>0090  63 65 5f 70 65 65 72 31 3a 74 38 3a 7f f7 3d e8   ce_peer1:t8:..=.
>00a0  1c ce 5c 9d 31 3a 79 31 3a 71 65                  ..\.1:y1:qe
>
>Frame 2 (142 bytes on wire, 142 bytes captured)
>     Arrival Time: Jan 26, 2006 20:01:10.821553000
>     Time delta from previous packet: 326.860385000 seconds
>     Time since reference or first frame: 326.860385000 seconds
>     Frame Number: 2
>     Packet Length: 142 bytes
>     Capture Length: 142 bytes
>     Protocols in frame: sll:ip:udp:data
>Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
>Internet Protocol, Src: 218.191.113.59 (218.191.113.59), Dst: 64.179.12.75 (64.179.12.75)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 126
>     Identification: 0x700e (28686)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 108
>     Protocol: UDP (0x11)
>     Header checksum: 0x4568 [correct]
>         Good: True
>         Bad : False
>     Source: 218.191.113.59 (218.191.113.59)
>     Destination: 64.179.12.75 (64.179.12.75)
>User Datagram Protocol, Src Port: 16909 (16909), Dst Port: 21626 (21626)
>     Source port: 16909 (16909)
>     Destination port: 21626 (21626)
>     Length: 106
>     Checksum: 0x4c39 [correct]
>Data (98 bytes)
>
>0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
>0010  45 00 00 7e 70 0e 00 00 6c 11 45 68 da bf 71 3b   E..~p...l.Eh..q;
>0020  40 b3 0c 4b 42 0d 54 7a 00 6a 4c 39 64 31 3a 61   @..KB.Tz.jL9d1:a
>0030  64 32 3a 69 64 32 30 3a 46 bb 80 b8 73 b1 97 72   d2:id20:F...s..r
>0040  ed 2b a2 9a 8e 1c fb e5 bd 1c a0 d3 36 3a 74 61   .+..........6:ta
>0050  72 67 65 74 32 30 3a 46 bb 80 b8 73 b1 97 72 ed   rget20:F...s..r.
>0060  2b a2 9a 8e 1c fb e5 bd 1c a0 d4 65 31 3a 71 39   +..........e1:q9
>0070  3a 66 69 6e 64 5f 6e 6f 64 65 31 3a 74 38 3a 1f   :find_node1:t8:.
>0080  73 03 8d 7e 8b 42 60 31 3a 79 31 3a 71 65         s..~.B`1:y1:qe
>
>Frame 3 (142 bytes on wire, 142 bytes captured)
>     Arrival Time: Jan 26, 2006 20:01:40.107353000
>     Time delta from previous packet: 29.285800000 seconds
>     Time since reference or first frame: 356.146185000 seconds
>     Frame Number: 3
>     Packet Length: 142 bytes
>     Capture Length: 142 bytes
>     Protocols in frame: sll:ip:udp:data
>Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
>Internet Protocol, Src: 61.93.90.248 (61.93.90.248), Dst: 64.179.12.75 (64.179.12.75)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 126
>     Identification: 0xd936 (55606)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 108
>     Protocol: UDP (0x11)
>     Header checksum: 0x8fe5 [correct]
>         Good: True
>         Bad : False
>     Source: 61.93.90.248 (61.93.90.248)
>     Destination: 64.179.12.75 (64.179.12.75)
>User Datagram Protocol, Src Port: 26890 (26890), Dst Port: 21626 (21626)
>     Source port: 26890 (26890)
>     Destination port: 21626 (21626)
>     Length: 106
>     Checksum: 0xfe3e [correct]
>Data (98 bytes)
>
>0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
>0010  45 00 00 7e d9 36 00 00 6c 11 8f e5 3d 5d 5a f8   E..~.6..l...=]Z.
>0020  40 b3 0c 4b 69 0a 54 7a 00 6a fe 3e 64 31 3a 61   @..Ki.Tz.j.>d1:a
>0030  64 32 3a 69 64 32 30 3a 77 1b de 5b f1 64 91 c7   d2:id20:w..[.d..
>0040  63 38 0f d9 55 fa 64 46 ee 08 89 68 36 3a 74 61   c8..U.dF...h6:ta
>0050  72 67 65 74 32 30 3a 88 e4 21 a4 0e 9b 6e 38 9c   rget20:..!...n8.
>0060  c7 f0 26 aa 05 9b b9 11 f7 76 96 65 31 3a 71 39   ..&......v.e1:q9
>0070  3a 66 69 6e 64 5f 6e 6f 64 65 31 3a 74 38 3a 40   :find_node1:t8:@
>0080  98 50 d7 45 19 61 c5 31 3a 79 31 3a 71 65         .P.E.a.1:y1:qe
>
>Frame 4 (106 bytes on wire, 106 bytes captured)
>     Arrival Time: Jan 26, 2006 20:04:21.673487000
>     Time delta from previous packet: 161.566134000 seconds
>     Time since reference or first frame: 517.712319000 seconds
>     Frame Number: 4
>     Packet Length: 106 bytes
>     Capture Length: 106 bytes
>     Protocols in frame: sll:ip:udp:data
>Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
>Internet Protocol, Src: 218.2.84.37 (218.2.84.37), Dst: 64.179.12.75 (64.179.12.75)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 90
>     Identification: 0x7ede (32478)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 106
>     Protocol: UDP (0x11)
>     Header checksum: 0x568f [correct]
>         Good: True
>         Bad : False
>     Source: 218.2.84.37 (218.2.84.37)
>     Destination: 64.179.12.75 (64.179.12.75)
>User Datagram Protocol, Src Port: 17585 (17585), Dst Port: 21626 (21626)
>     Source port: 17585 (17585)
>     Destination port: 21626 (21626)
>     Length: 70
>     Checksum: 0x66b2 [correct]
>Data (62 bytes)
>
>0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
>0010  45 00 00 5a 7e de 00 00 6a 11 56 8f da 02 54 25   E..Z~...j.V...T%
>0020  40 b3 0c 4b 44 b1 54 7a 00 46 66 b2 64 31 3a 61   @..KD.Tz.Ff.d1:a
>0030  64 32 3a 69 64 32 30 3a da 7a f7 36 f2 98 0d 8f   d2:id20:.z.6....
>0040  76 82 e4 85 cf 2c 8a 98 9d a2 4e f9 65 31 3a 71   v....,....N.e1:q
>0050  34 3a 70 69 6e 67 31 3a 74 38 3a 64 bb 79 2f 08   4:ping1:t8:d.y/.
>0060  d5 2f 10 31 3a 79 31 3a 71 65                     ./.1:y1:qe
>
>
>j


-- 
---------      
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS 

"We use [isc.sans.org] every day to keep on top of 
 security at our bank" Matt, Network Administrator. 
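The identification above rests on the payload, not the port: the ASCII column of each dump shows bencoded dictionaries with the keys a DHT node sends (announce_peer, find_node, ping, info_hash), which is the BitTorrent DHT's KRPC message format. The following script is an added example, not code from the post or from DShield; it takes Frame 1 and Frame 4 exactly as quoted above, strips the Linux cooked-capture, IPv4 and UDP headers, bencode-decodes the UDP payload and reports which KRPC query each frame carries. All function and constant names are my own choices.

```python
"""Decode the Ethereal hex dumps quoted in the post, peel off the SLL/IPv4/UDP
headers and name the KRPC (BitTorrent DHT) query in the UDP payload."""
import re
import struct

# Frame 1 and Frame 4 hex dumps, copied verbatim from the quoted post.
FRAME1 = r"""
0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 9b d1 d4 00 00 6c 11 ec 67 de 08 65 0f   E.......l..g..e.
0020  40 b3 0c 4b 26 8d 54 7a 00 87 a4 a3 64 31 3a 61   @..K&.Tz....d1:a
0030  64 32 3a 69 64 32 30 3a 07 3a 9a 4b 69 0b 89 44   d2:id20:.:.Ki..D
0040  78 bc 42 f9 ea f6 c8 67 44 88 f1 26 39 3a 69 6e   x.B....gD..&9:in
0050  66 6f 5f 68 61 73 68 32 30 3a 89 04 d3 de cf 4e   fo_hash20:.....N
0060  89 9a 0a ae 52 8e 8b c9 38 80 89 9c 28 ce 34 3a   ....R...8...(.4:
0070  70 6f 72 74 69 39 38 36 39 65 35 3a 74 6f 6b 65   porti9869e5:toke
0080  6e 30 3a 65 31 3a 71 31 33 3a 61 6e 6e 6f 75 6e   n0:e1:q13:announ
0090  63 65 5f 70 65 65 72 31 3a 74 38 3a 7f f7 3d e8   ce_peer1:t8:..=.
00a0  1c ce 5c 9d 31 3a 79 31 3a 71 65                  ..\.1:y1:qe
"""
FRAME4 = r"""
0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 5a 7e de 00 00 6a 11 56 8f da 02 54 25   E..Z~...j.V...T%
0020  40 b3 0c 4b 44 b1 54 7a 00 46 66 b2 64 31 3a 61   @..KD.Tz.Ff.d1:a
0030  64 32 3a 69 64 32 30 3a da 7a f7 36 f2 98 0d 8f   d2:id20:.z.6....
0040  76 82 e4 85 cf 2c 8a 98 9d a2 4e f9 65 31 3a 71   v....,....N.e1:q
0050  34 3a 70 69 6e 67 31 3a 74 38 3a 64 bb 79 2f 08   4:ping1:t8:d.y/.
0060  d5 2f 10 31 3a 79 31 3a 71 65                     ./.1:y1:qe
"""

# "offset  hh hh ... hh   ascii": capture the offset and up to 16 hex pairs.
_HEXLINE = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s?){1,16})")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the raw frame from an Ethereal/tcpdump style hex dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEXLINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("offset mismatch: dump is not contiguous")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def strip_headers(frame: bytes) -> dict:
    """Return addressing and UDP payload of a Linux cooked (SLL) IPv4/UDP frame."""
    # SLL header is 16 bytes; its last two bytes hold the EtherType.
    if len(frame) < 16 or struct.unpack("!H", frame[14:16])[0] != 0x0800:
        raise ValueError("not an SLL frame carrying IPv4")
    ip = frame[16:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("IP protocol is not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": udp[8:ulen],
    }


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, position after the value)."""
    c = data[pos:pos + 1]
    if c == b"i":                      # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                      # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                      # dict: d<key><value>...e
        d, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            d[key], pos = bdecode(data, pos)
        return d, pos + 1
    if c.isdigit():                    # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated bencoded string")
        return data[start:start + length], start + length
    raise ValueError("invalid bencode at offset %d" % pos)


def describe_frame(dump: str) -> dict:
    """Decode one dump and summarise the KRPC message it carries."""
    pkt = strip_headers(parse_hexdump(dump))
    msg, end = bdecode(pkt["payload"])
    if not isinstance(msg, dict):
        raise ValueError("payload is bencoded but not a KRPC dictionary")
    kind = {b"q": "query", b"r": "response", b"e": "error"}.get(msg.get(b"y"), "unknown")
    args = msg.get(b"a", {}) if kind == "query" else msg.get(b"r", {})
    return {
        "src": pkt["src"], "sport": pkt["sport"], "dport": pkt["dport"],
        "type": kind,
        "query": msg[b"q"].decode("ascii", "replace") if kind == "query" else None,
        "node_id": args.get(b"id", b"").hex(),
        "info_hash": args.get(b"info_hash", b"").hex() or None,
        "port": args.get(b"port"),
        "trailing_bytes": len(pkt["payload"]) - end,   # non-zero means junk after the message
    }


if __name__ == "__main__":
    for name, dump in (("Frame 1", FRAME1), ("Frame 4", FRAME4)):
        print(name, describe_frame(dump))
```

Frame 1 decodes to an announce_peer query whose `port` argument (9869) matches the UDP source port, and frame 4 to a ping; `trailing_bytes` is zero for both, so the whole datagram is one well-formed KRPC message. For detection purposes this is the property worth matching on: DHT nodes pick arbitrary listening ports, so a rule keyed on UDP 21626 would miss the next client, whereas the bencoded `1:y1:q` framing and the query names are stable.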
       
