odd traffic on udp 53

Russell Fulton r.fulton at auckland.ac.nz
Wed Oct 8 03:56:32 GMT 2003


Hi All,
	Over the last few days I've spotted three or four systems doing lots of
traffic on udp port 53.  My first thought was that this was some worm or
trojan doing DNS lookups to find MX records (like sobig-f).  This turned
out not to be the case (well, at least NAV failed to find any evidence of
infection).  All the packets I observed carry 8 bytes of data (NULLs
in the few packets I captured).  There are also lots of packets being
sent to 119.0.0.0 on udp 30467, again with 8 bytes of data.

Occasionally we see small incoming udp packets to this machine. 

My best guess now is that it is some sort of p2p protocol and the users are
being coy with us because they know that their use is against university
policy (unless they can convince us that they are not breaching
anyone's copyright).

Anyone got any ideas?

Below are various relevant bits of data about the system and the
traffic.


Some sample packet traces (times are UTC+13:00, GPS synchronized):
2003-10-08-13:30:21  udp  130.216.xxx.yy:37174    ->   170.236.51.39:53     TIM
2003-10-08-13:29:46  udp  130.216.xxx.yy:37174    ->       119.0.0.0:30467  INT
2003-10-08-13:30:31  udp  130.216.xxx.yy:37174    ->  26.147.127.191:53     TIM
2003-10-08-13:30:36  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM
2003-10-08-13:30:41  udp  130.216.xxx.yy:37174    ->   174.79.56.186:53     TIM
2003-10-08-13:30:51  udp  130.216.xxx.yy:37174    ->  175.226.118.80:53     TIM
2003-10-08-13:30:56  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM
2003-10-08-13:31:11  udp  130.216.xxx.yy:37174    ->   150.208.16.33:53     TIM
2003-10-08-13:31:16  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM
2003-10-08-13:31:21  udp  130.216.xxx.yy:37174    -> 183.178.146.205:53     TIM
2003-10-08-13:30:46  udp  130.216.xxx.yy:37174    ->       119.0.0.0:30467  INT
2003-10-08-13:31:31  udp  130.216.xxx.yy:37174    -> 217.203.167.223:53     TIM
2003-10-08-13:31:51  udp  130.216.xxx.yy:37174    ->  198.147.87.133:53     TIM
2003-10-08-13:31:56  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM
2003-10-08-13:32:01  udp  130.216.xxx.yy:37174    ->   156.226.67.11:53     TIM
2003-10-08-13:32:11  udp  130.216.xxx.yy:37174    ->   207.211.79.26:53     TIM
2003-10-08-13:32:16  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM
2003-10-08-13:31:46  udp  130.216.xxx.yy:37174    ->       119.0.0.0:30467  INT
2003-10-08-13:32:31  udp  130.216.xxx.yy:37174    ->  210.94.235.104:53     TIM
2003-10-08-13:32:36  udp  130.216.xxx.yy:37174    ->       119.0.0.0:53     TIM

A few packet dumps:
14:17:34.869960 xxxxx.eng.auckland.ac.nz.37174 > 143.80.176.61.domain:  256 [0q] (8)
0x0000   4500 0024 2193 0000 7d11 76a0 82d8 xxxx        E..$!...}.v.....
0x0010   8f50 b03d 9136 0035 0010 c7cc 0100 0000        .P.=.6.5........
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
14:17:39.879960 xxxx.eng.auckland.ac.nz.37174 > 119.0.0.0.30467:  udp 8
0x0000   4500 0024 219e 0000 7d11 3f23 82d8 xxxx        E..$!...}.?#....
0x0010   7700 0000 9136 7703 0010 198c 0100 0000        w....6w.........
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
14:17:39.879960 xxxxx.eng.auckland.ac.nz.37174 > 119.0.0.0.domain:  256 [0q] (8)
0x0000   4500 0024 219f 0000 7d11 3f22 82d8 xxxx        E..$!...}.?"....
0x0010   7700 0000 9136 0035 0010 905a 0100 0000        w....6.5...Z....
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
14:17:44.879960 xxxxxx.eng.auckland.ac.nz.37174 > 133.240.59.116.domain:  256 [0q] (8)
0x0000   4500 0024 21a5 0000 7d11 f4b7 82d8 xxxx        E..$!...}.......
0x0010   85f0 3b74 9136 0035 0010 45f6 0100 0000        ..;t.6.5..E.....
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............

Lastly, a udp portscan of the box:
PORT      STATE SERVICE       VERSION
53/udp    open  domain?
135/udp   open  msrpc
137/udp   open  netbios-ns    Microsoft Windows netbios-ssn (host: D0009064 workgroup: ARTS)
138/udp   open  netbios-dgm?
445/udp   open  microsoft-ds?
500/udp   open  isakmp?
1027/udp  open  msrpc
1273/udp  open  unknown
1274/udp  open  unknown
1280/udp  open  unknown
1281/udp  open  unknown
2967/udp  open  symantec-av?
37174/udp open  unknown

The TCP port scan returned the expected MS services and nothing else.
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
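The tcpdump output above is worth decoding by hand, because the "256 [0q]" that tcpdump prints for the port 53 packets is misleading: it is just the first six bytes interpreted as a DNS id, flags and qdcount. The script below is an added example (not part of Russell's message) that rebuilds the raw bytes from two of the quoted hex dumps, walks the IPv4 and UDP headers, and checks whether the 8-byte payload can be DNS at all. The dumps are transcribed from the post with one constructed change: the redacted source-address bytes ("xxxx") are replaced by the placeholder 0001, so the IP checksum is not verified. It also shows that the same source port and byte-identical payload go to port 53 and to 119.0.0.0:30467, which is a fixed beacon pattern rather than name resolution.

```python
"""Decode tcpdump -X hex dumps and test whether UDP/53 payloads are really DNS.
Added example; dumps transcribed from the post with the redacted host bytes
replaced by the constructed placeholder 0001 (so checksums are not checked)."""
import re
import struct

DUMP_TO_PORT_53 = """\
0x0000   4500 0024 2193 0000 7d11 76a0 82d8 0001        E..$!...}.v.....
0x0010   8f50 b03d 9136 0035 0010 c7cc 0100 0000        .P.=.6.5........
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
"""
DUMP_TO_PORT_30467 = """\
0x0000   4500 0024 219e 0000 7d11 3f23 82d8 0001        E..$!...}.?#....
0x0010   7700 0000 9136 7703 0010 198c 0100 0000        w....6w.........
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
"""

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")
DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount


def parse_hexdump(text):
    """Rebuild raw bytes from 'tcpdump -X' lines: offset, up to 8 hex groups,
    then an ASCII column.  Stop at the first token that is not 2/4 hex digits."""
    raw = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_GROUP.match(tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)


def decode_ipv4_udp(pkt):
    """Return IPv4/UDP fields and the UDP payload.  The payload is bounded by
    the UDP length field, so bytes dumped after the datagram (frame padding:
    46 bytes shown vs. IP total length 36) are reported as a trailer, not data."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ip_id": ident, "ttl": ttl, "total_len": total_len,
        "trailer_len": len(pkt) - total_len,
        "sport": sport, "dport": dport,
        "payload": pkt[ihl + 8:ihl + ulen],
    }


def classify_dns_payload(payload):
    """Decode what tcpdump prints ('256 [0q]' = id 0x0100, qdcount 0) and give a
    verdict: a complete DNS header is 12 bytes, so an 8-byte datagram cannot be
    a DNS query no matter what the first bytes happen to look like."""
    fields = {}
    if len(payload) >= 2:
        fields["dns_id"] = struct.unpack("!H", payload[:2])[0]
    if len(payload) >= 4:
        flags = struct.unpack("!H", payload[2:4])[0]
        fields["qr"], fields["opcode"] = flags >> 15, (flags >> 11) & 0xF
    if len(payload) >= 6:
        fields["qdcount"] = struct.unpack("!H", payload[4:6])[0]
    if len(payload) < DNS_HEADER_LEN:
        fields["verdict"] = "not DNS: %d-byte payload, header needs %d" % (
            len(payload), DNS_HEADER_LEN)
    elif fields["qr"] == 0 and fields["qdcount"] == 0:
        fields["verdict"] = "suspicious: query with no question"
    else:
        fields["verdict"] = "plausible DNS header"
    return fields


def analyze(dumps):
    records = []
    for text in dumps:
        rec = decode_ipv4_udp(parse_hexdump(text))
        rec.update(classify_dns_payload(rec["payload"]))
        records.append(rec)
    return records


def same_beacon(records):
    """True when all datagrams share one source port and an identical payload
    regardless of destination port: a fixed probe/beacon, not name resolution."""
    return (len({r["sport"] for r in records}) == 1
            and len({r["payload"] for r in records}) == 1)


if __name__ == "__main__":
    recs = analyze([DUMP_TO_PORT_53, DUMP_TO_PORT_30467])
    for r in recs:
        print("%s:%d -> %s:%d ttl=%d payload=%s trailer=%dB  %s" % (
            r["src"], r["sport"], r["dst"], r["dport"], r["ttl"],
            r["payload"].hex(), r["trailer_len"], r["verdict"]))
    print("same source port and identical payload on 53 and 30467:",
          same_beacon(recs))
```

Run on the two dumps, both datagrams decode to source port 37174, TTL 125, an 8-byte payload of 01 00 00 00 00 00 00 00 and 10 bytes of trailer beyond the IP total length; the payload is too short to be a DNS header, so the "domain" label comes only from the destination port. The same length check (UDP/53 with fewer than 12 payload bytes, or a query with qdcount 0) is a cheap filter to separate this kind of traffic from real resolver activity when reviewing a capture.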