[Dshield] Strange UDP traffic

Richard Golodner rgolodner at infratection.com
Thu Mar 20 19:48:37 GMT 2008


Jon, any idea what it is that you are dealing with? It looks to me like a
counter of some kind, but I am no expert. I did find this and hope it helps:

BandCon - California
151 Kalmus Drive 
Suite M-2
Costa Mesa, California 92626
PH: 949.468.0630
FX: 714.641.1670 
BandCon - Arizona
1525 N. Granite Reef Road
Suite 7 
Scottsdale, Arizona 85257
PH: 888.253.8353 
BandCon - New York
419 Lafayette 
3rd Floor
New York, New York 10003
PH: 888.253.8353



      most sincerely, Richard 
      
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jon R. Kibler
Sent: Thursday, March 20, 2008 9:37 AM
To: list at lists.dshield.org
Subject: [Dshield] Strange UDP traffic

All,

Just implemented new firewall rules at a customer site and immediately started
to block strange UDP traffic. It is originating from a few different Windows
boxes. Each of the systems is sending the exact identical traffic to a few
target IPs. There is one packet every 30 seconds per system. Below is a sample.
Destination port appears to always be the same.

Anyone have a clue what this traffic is all about? It is only coming from
a couple of systems out of about 200.

TIA for help!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214


Frame 17 (64 bytes on wire, 64 bytes captured)
     Arrival Time: Mar 20, 2008 14:13:59.698973000
     [Time delta from previous captured frame: 30.209030000 seconds]
     [Time delta from previous displayed frame: 30.209030000 seconds]
     [Time since reference or first frame: 483.397740000 seconds]
     Frame Number: 17
     Frame Length: 64 bytes
     Capture Length: 64 bytes
     [Frame is marked: False]
     [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Intel_88:c8:41 (00:19:d1:88:c8:41), Dst: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
     Destination: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         Address: Cisco_88:8a:f0 (00:17:5a:88:8a:f0)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Source: Intel_88:c8:41 (00:19:d1:88:c8:41)
         Address: Intel_88:c8:41 (00:19:d1:88:c8:41)
         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     Type: IP (0x0800)
Internet Protocol, Src: 10.8.100.97 (10.8.100.97), Dst: 209.234.245.12 (209.234.245.12)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 50
     Identification: 0x30c8 (12488)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 128
     Protocol: UDP (0x11)
     Header checksum: 0xd492 [correct]
         [Good: True]
         [Bad : False]
     Source: 10.8.100.97 (10.8.100.97)
     Destination: 209.234.245.12 (209.234.245.12)
User Datagram Protocol, Src Port: voispeed-port (3541), Dst Port: 25121 (25121)
     Source port: voispeed-port (3541)
     Destination port: 25121 (25121)
     Length: 30
     Checksum: 0xc176 [correct]
         [Good Checksum: True]
         [Bad Checksum: False]
Data (22 bytes)

0000  01 02 00 16 dc f2 21 f5 01 00 00 00 08 02 bf 60   ......!........`
0010  0a 08 64 61 62 18                                 ..dab.
     Data: 01020016DCF221F5010000000802BF600A0864616218
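
Added example, not part of the thread and not a conclusion anyone in it reached: a small Python script that parses the Wireshark hex dump of frame 17 quoted above and runs the checks an analyst usually makes first on an unknown UDP payload (a length field, the endpoints' own addresses or ports embedded in the data, a plausible timestamp). The dump, addresses, ports, lengths and arrival time are copied from the dissection above; the heuristics, function names and the three-day timestamp window are the editor's own assumptions. On this payload two things stand out: the 16-bit big-endian field at offset 2 (0x0016) equals the 22-byte data length, and the four bytes at offset 16 (0a 08 64 61) are the sending host's own address, 10.8.100.97. Neither identifies the program, but a sender that writes its own IP and a length field is speaking a fixed binary format, and if the address really is carried in the payload the packets from the other sending hosts should differ in exactly those four bytes, which is easy to confirm against their captures.

```python
"""Structure-hint triage of an unknown UDP payload (added example, not from the thread).

The hex dump, addresses, ports, lengths and arrival time below are copied from
the Wireshark dissection of frame 17 quoted in the thread. The checks are
generic analyst heuristics and do not identify the sending program.
"""
import datetime
import ipaddress
import re
import struct

# Values copied from the dissector output of frame 17.
SRC_IP, DST_IP = "10.8.100.97", "209.234.245.12"
SRC_PORT, DST_PORT = 3541, 25121
UDP_LENGTH, IP_TOTAL_LENGTH = 30, 50
# Arrival time from the frame; its timezone is not given (assumed UTC here),
# so the timestamp search below uses a window wide enough to cover any zone.
CAPTURE_EPOCH = int(datetime.datetime(2008, 3, 20, 14, 13, 59,
                                      tzinfo=datetime.timezone.utc).timestamp())

FRAME17_HEXDUMP = """\
0000  01 02 00 16 dc f2 21 f5 01 00 00 00 08 02 bf 60   ......!........`
0010  0a 08 64 61 62 18                                 ..dab.
"""

HEX_PAIRS = re.compile(r"^(?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2}$")


def parse_hexdump(text):
    """Convert a Wireshark-style hex dump (offset, hex bytes, ASCII column) to bytes.

    Columns are separated by two or more spaces. Every column made of hex pairs
    is consumed until the ASCII column is reached; an ASCII column that itself
    looks like hex pairs would be misread, which the offset check catches on
    the following line.
    """
    out = bytearray()
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4,8}", cols[0]):
            continue  # not a dump line
        if int(cols[0], 16) != len(out):
            raise ValueError("offset %s does not follow %d parsed bytes" % (cols[0], len(out)))
        for col in cols[1:]:
            if not HEX_PAIRS.match(col):
                break  # reached the ASCII column
            out += bytes.fromhex(col.replace(" ", ""))
    return bytes(out)


def offsets_of(payload, needle):
    """All offsets at which `needle` occurs in `payload` (overlaps included)."""
    hits, i = [], payload.find(needle)
    while i != -1:
        hits.append(i)
        i = payload.find(needle, i + 1)
    return hits


def triage(payload, src_ip, dst_ip, src_port, dst_port, udp_len, ip_len, capture_epoch):
    """Return {hint_name: [(offset, struct_format) or offset, ...]} for each hint found."""
    findings = {}
    # 1. A 16-bit field equal to the payload, UDP or IP length: likely a header length field.
    for name, value in (("payload_len", len(payload)), ("udp_len", udp_len), ("ip_len", ip_len)):
        for fmt in (">H", "<H"):
            for off in offsets_of(payload, struct.pack(fmt, value)):
                findings.setdefault(name, []).append((off, fmt))
    # 2. Either endpoint's address inside the payload. A sender reporting its own
    #    address is typical of registration/heartbeat formats, and it is the field
    #    that would differ between otherwise identical packets from several hosts.
    for name, ip in (("src_ip", src_ip), ("dst_ip", dst_ip)):
        hits = offsets_of(payload, ipaddress.IPv4Address(ip).packed)
        if hits:
            findings[name] = hits
    # 3. Either UDP port, in either byte order.
    for name, port in (("src_port", src_port), ("dst_port", dst_port)):
        for fmt in (">H", "<H"):
            for off in offsets_of(payload, struct.pack(fmt, port)):
                findings.setdefault(name, []).append((off, fmt))
    # 4. A 32-bit Unix timestamp within three days of the capture, either byte order.
    lo, hi = capture_epoch - 3 * 86400, capture_epoch + 3 * 86400
    for off in range(len(payload) - 3):
        for fmt in (">I", "<I"):
            if lo <= struct.unpack_from(fmt, payload, off)[0] <= hi:
                findings.setdefault("timestamp", []).append((off, fmt))
    return findings


def triage_frame17():
    """Run the checks on the packet quoted in the thread; returns (payload, findings)."""
    payload = parse_hexdump(FRAME17_HEXDUMP)
    return payload, triage(payload, SRC_IP, DST_IP, SRC_PORT, DST_PORT,
                           UDP_LENGTH, IP_TOTAL_LENGTH, CAPTURE_EPOCH)


if __name__ == "__main__":
    payload, findings = triage_frame17()
    print("payload (%d bytes): %s" % (len(payload), payload.hex()))
    for name, hits in sorted(findings.items()):
        print("  %-12s %s" % (name, hits))
```

To use it on the other hosts' packets, paste each frame's "Data" hex dump into FRAME17_HEXDUMP's place and change SRC_IP; the src_ip hit moving with the host, and the rest of the bytes staying fixed, is what confirms the address field.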