[unisog] anyone else seeing lots of popup spam/malware?

John Rowan Littell littejo at earlham.edu
Wed Oct 26 15:18:44 GMT 2005



Lo, Russell Fulton and the teakettle whistled in unison:

> Over the last couple of weeks we have noticed an increasing amount of
> UDP traffic with a source port of 0 and destination port of 102x (
> x=5,6) packets are always a variation of this:
[snip]

Upon looking at our Argus logs, I do see a number of these.  I can't
confirm the payload, since I have Argus set to ignore that, but all
the other characteristics match.

Today I see about 100 unique source addresses for UDP port 0 packets coming
in to our /16 and not quite 200 destination addresses, all corresponding to
102[4,5].  This out of around 1700 packets.  I'm seeing a little more
interleaving of different source IPs in the bursts -- during a typical
burst of a few seconds length I see 2-3 source addresses trying a
number of destination addresses (say, 20) on both destination ports.
Bursts seem to come just over every 10 minutes and last no more than 2
seconds.  In fact, yesterday's bursts seem to have been targeting just
one /24 subnet in our space; today they seem to have expanded to
include a second /24 of ours.

Is there any good reason not to block UDP port 0 packets on general
principle?

   --rowan

-- 
John "Rowan" Littell
Systems Administrator
Earlham College Computing Services
http://www.earlham.edu/~littejo/
2005-10-26 09:50
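An added example (mine, not code from the post or the unisog list) of the burst summary the post describes, run over constructed flow records in a simplified Argus-like column layout: it keeps only UDP flows with source port 0, clusters them into bursts, and reports each burst's source addresses, destination count, destination ports and targeted /24s, plus the spacing between bursts. The column layout, the 5-second clustering gap and the sample addresses are assumptions.

```python
from ipaddress import ip_network

# Constructed sample in a simplified ra(1)-like column layout (not real Argus output):
# start_time proto saddr sport daddr dport
SAMPLE_FLOWS = """\
1130337600.10 udp 198.51.100.7 0 203.0.113.12 1024
1130337600.40 udp 198.51.100.7 0 203.0.113.12 1025
1130337600.90 udp 198.51.100.9 0 203.0.113.40 1024
1130337601.20 udp 198.51.100.9 0 203.0.113.41 1025
1130337605.00 udp 192.0.2.55 53 203.0.113.5 33000
1130338215.30 udp 198.51.100.7 0 203.0.114.8 1024
1130338216.10 udp 203.0.113.99 0 203.0.114.9 1025
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        t, proto, saddr, sport, daddr, dport = line.split()
        flows.append((float(t), proto, saddr, int(sport), daddr, int(dport)))
    return flows

def udp_sport0(flows):
    # Source port 0 is never legitimately chosen by a normal UDP client.
    return [f for f in flows if f[1] == "udp" and f[3] == 0]

def bursts(flows, gap=5.0):
    # Cluster records whose start time is within `gap` seconds of the previous record.
    out = []
    for f in sorted(flows):
        if out and f[0] - out[-1][-1][0] <= gap:
            out[-1].append(f)
        else:
            out.append([f])
    return out

def summarise(burst):
    times = [f[0] for f in burst]
    return {
        "start": times[0],
        "duration": round(times[-1] - times[0], 2),
        "sources": sorted({f[2] for f in burst}),
        "destinations": len({f[4] for f in burst}),
        "dports": sorted({f[5] for f in burst}),
        "subnets": sorted({str(ip_network(f[4] + "/24", strict=False)) for f in burst}),
    }

def report(text, gap=5.0):
    summaries = [summarise(b) for b in bursts(udp_sport0(parse_flows(text)), gap)]
    intervals = [round(b["start"] - a["start"]) for a, b in zip(summaries, summaries[1:])]
    return summaries, intervals
```

Feed it the output of a real `ra` run (after adjusting the column parsing) to check whether the roughly ten-minute burst cadence and the /24 spread described above hold for your own traffic before deciding on a port 0 filter.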
