[unisog] anyone else seeing lots of popup spam/malware?
John Rowan Littell
littejo at earlham.edu
Wed Oct 26 15:18:44 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Lo, Russell Fulton and the teakettle whistled in unison:
> Over the last couple of weeks we have noticed an increasing amount of
> UDP traffic with a source port of 0 and destination port of 102x (
> x=5,6) packets are always a variation of this:
Upon looking at our Argus logs, I do see a number of these. I can't
confirm the payload, since I have Argus set to ignore that, but all
the other characteristics match.
Today I see about 100 unique source addresses for UDP port 0 packets coming
in to our /16 and not quite 200 destination addresses, all corresponding to
102[4,5]. This out of around 1700 packets. I'm seeing a little more
interleaving of different source IPs in the bursts -- during a typical
burst of a few seconds length I see 2-3 source addresses trying a
number of destination addresses (say, 20) on both destination ports.
Bursts seem to come just over every 10 minutes and last no more than 2
seconds. In fact, yesterday's bursts seem to have been targeting just
one /24 subnet in our space; today they seem to have expanded to
include a second /24 of ours.
Is there any good reason not to block UDP port 0 packets on general
John "Rowan" Littell
Earlham College Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
-----END PGP SIGNATURE-----
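The tallies John describes (unique sources, unique destinations per /24, destination-port split, burst length and spacing) are straightforward to pull out of flow records. The script below is an added example, not code from the original post or from the Argus project: it reads a constructed, simplified flow format (timestamp, proto, src, sport, dst, dport, bytes), which is an assumption standing in for whatever field order a real Argus `ra` export would give, flags UDP flows with source port 0 to 1025/1026, and groups them into bursts separated by more than two seconds of silence.

```python
"""Added example (not from the unisog post or from Argus): summarise UDP
source-port-0 traffic aimed at ports 1025/1026 from flow records.

Record layout assumed here (constructed, not Argus's native output):
    <epoch time> <proto> <src> <sport> <dst> <dport> <bytes>
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two bursts roughly ten minutes apart that each hit
# a different /24, plus unrelated DNS and HTTPS flows that must be ignored.
SAMPLE_FLOWS = """\
1130340000.10 udp 198.51.100.7 0 192.0.2.10 1025 900
1130340000.30 udp 198.51.100.7 0 192.0.2.11 1026 900
1130340000.55 udp 203.0.113.9 0 192.0.2.12 1025 900
1130340001.20 udp 198.51.100.7 0 192.0.2.13 1025 900
1130340005.00 udp 192.0.2.50 53 198.51.100.2 53 80
1130340612.00 udp 203.0.113.9 0 192.0.3.140 1026 900
1130340612.40 udp 203.0.113.9 0 192.0.3.141 1025 900
1130340613.10 udp 203.0.113.44 0 192.0.3.142 1025 900
1130340620.00 tcp 192.0.2.20 443 198.51.100.3 51000 1500
"""

POPUP_PORTS = {1025, 1026}   # Messenger-service popup spam destinations
BURST_GAP = 2.0              # seconds of silence that closes a burst


@dataclass
class Flow:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ts, proto, src, sport, dst, dport = parts[:6]
        flows.append(Flow(float(ts), proto, src, int(sport), dst, int(dport)))
    return flows


def is_popup_spam(flow):
    """Match the pattern from the thread: UDP, sport 0, dport 1025/1026."""
    return flow.proto == "udp" and flow.sport == 0 and flow.dport in POPUP_PORTS


def group_bursts(flows, gap=BURST_GAP):
    """Split time-ordered flows into bursts; a gap > `gap` seconds starts a new one."""
    bursts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if bursts and f.ts - bursts[-1][-1].ts <= gap:
            bursts[-1].append(f)
        else:
            bursts.append([f])
    return bursts


def summarise(text):
    """Return the counts a list-reader would compare against their own logs."""
    matches = [f for f in parse_flows(text) if is_popup_spam(f)]
    bursts = group_bursts(matches)
    return {
        "packets": len(matches),
        "unique_sources": len({f.src for f in matches}),
        "unique_destinations": len({f.dst for f in matches}),
        "dest_ports": dict(Counter(f.dport for f in matches)),
        # Which /24s inside the monitored space are being swept.
        "target_subnets": sorted(
            {".".join(f.dst.split(".")[:3]) + ".0/24" for f in matches}
        ),
        "bursts": [
            {
                "start": b[0].ts,
                "duration": round(b[-1].ts - b[0].ts, 2),
                "sources": len({f.src for f in b}),
                "destinations": len({f.dst for f in b}),
            }
            for b in bursts
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_FLOWS), indent=2))
```

On the constructed sample this reports 7 matching packets from 3 sources to 7 destinations across two /24s, in two bursts of about 1.1 seconds each, with the sweep spread over both ports; on real data, a burst spacing of about ten minutes and a small number of interleaved sources per burst is what the thread describes.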