[Dshield] Strange UDP traffic

stcarey at juno.com stcarey at juno.com
Thu Mar 20 18:50:05 GMT 2008


Could be something we just saw today: Joost (pronounced /joost/ "Juiced") is a system for distributing TV shows and other forms of video over the Web using peer-to-peer TV technology, created by Niklas Zennström and Janus Friis (founders of Skype and Kazaa).

Look for traffic to  89.202.212.114 and 4.71.105.* prior to the UDP traffic.

Stan Carey
 
All,

Just implemented new firewall rules at a customer site and immediately started
to block strange UDP traffic. It is originating from a few different windows
boxes. Each of the systems is sending the exact identical traffic to a few target
IPs. There is one packet every 30 seconds per system. Below is a sample.
Destination port appears to always be the same.

Anyone have a clue what this traffic is all about? It is only coming from only
a couple of systems out of about 200.

TIA for help!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214

Frame 17 (64 bytes on wire, 64 bytes captured)
     Arrival Time: Mar 20, 2008 14:13:59.698973000
     [Time delta from previous captured frame: 30.209030000 seconds]
     [Time delta from previous displayed frame: 30.209030000 seconds]
     [Time since reference or first frame: 483.397740000 seconds]
     Frame Number: 17
     Frame Length: 64 bytes
     Capture Length: 64 bytes
     [Frame is marked: False]
     [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Intel_88:c8:41 (00:19:d1:88:c8:41), Dst: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
     Destination: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         Address: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Source: Intel_88:c8:41 (00:19:d1:88:c8:41)
         Address: Intel_88:c8:41 (00:19:d1:88:c8:41)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Type: IP (0x0800)
Internet Protocol, Src: 10.8.100.97 (10.8.100.97), Dst: 209.234.245.12 (209.234.245.12)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 50
     Identification: 0x30c8 (12488)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 128
     Protocol: UDP (0x11)
     Header checksum: 0xd492 [correct]
         [Good: True]
         [Bad : False]
     Source: 10.8.100.97 (10.8.100.97)
     Destination: 209.234.245.12 (209.234.245.12)
User Datagram Protocol, Src Port: voispeed-port (3541), Dst Port: 25121 (25121)
     Source port: voispeed-port (3541)
     Destination port: 25121 (25121)
     Length: 30
     Checksum: 0xc176 [correct]
         [Good Checksum: True]
         [Bad Checksum: False]
Data (22 bytes)

0000  01 02 00 16 dc f2 21 f5 01 00 00 00 08 02 bf 60   ......!........`
0010  0a 08 64 61 62 18                                 ..dab.
     Data: 01020016DCF221F5010000000802BF600A0864616218
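An added example, not part of either message: one way to run the check suggested in the reply over exported flow records. It flags UDP streams with an identical payload sent at a fixed interval, then lists any earlier contacts from the same host to the addresses named in the reply. The record layout, the thresholds, the function names and every flow other than the sampled packet's addresses, port and payload are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Addresses named in the reply: 89.202.212.114 and 4.71.105.*
WATCH = [ipaddress.ip_network("89.202.212.114/32"),
         ipaddress.ip_network("4.71.105.0/24")]

# Constructed flow records: (epoch seconds, src, dst, proto, dst port, payload hex)
P = "01020016dcf221f5010000000802bf600a0864616218"  # payload from the sample frame
FLOWS = [
    (100.0, "10.8.100.97", "4.71.105.20", "tcp", 80, ""),
    (453.2, "10.8.100.97", "209.234.245.12", "udp", 25121, P),
    (483.4, "10.8.100.97", "209.234.245.12", "udp", 25121, P),
    (513.6, "10.8.100.97", "209.234.245.12", "udp", 25121, P),
    (543.8, "10.8.100.97", "209.234.245.12", "udp", 25121, P),
    (460.0, "10.8.100.50", "192.0.2.53", "udp", 53, "aa01"),
    (461.5, "10.8.100.50", "192.0.2.53", "udp", 53, "bb02"),
    (490.0, "10.8.100.50", "192.0.2.53", "udp", 53, "cc03"),
]

def find_beacons(flows, min_packets=3, jitter=0.10):
    """Return {(src, dst, dport): (interval, first_seen)} for UDP streams
    whose payload never changes and whose spacing stays within the jitter."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport, payload in flows:
        if proto == "udp":
            groups[(src, dst, dport)].append((ts, payload))
    hits = {}
    for key, pkts in groups.items():
        pkts.sort()
        if len(pkts) < min_packets or len({p for _, p in pkts}) != 1:
            continue
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            hits[key] = (round(mid, 1), pkts[0][0])
    return hits

def prior_watch_contacts(flows, src, before_ts):
    """Destinations in WATCH that src contacted before before_ts."""
    return sorted({dst for ts, s, dst, *_ in flows
                   if s == src and ts < before_ts
                   and any(ipaddress.ip_address(dst) in n for n in WATCH)})

if __name__ == "__main__":
    for (src, dst, dport), (interval, first) in find_beacons(FLOWS).items():
        print(src, dst, dport, interval, prior_watch_contacts(FLOWS, src, first))
```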

