Hosting Provided By

Questionable UDP traffic received by firewall

From: Earl Hood <earl(at)earlhood.com>
Date: Wed Jun 25 2003 - 17:58:06 EDT

(The focus-linux moderater stated this message may be better routed to the incidents list, so here it goes.)

Original message date: Tue, 24 Jun 2003 10:51:38 -0500

For the past few days I have been receiving the following type of packets:

Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 \   ID=60544 PROTO=UDP SPT=44078 DPT=33444 LEN=18 Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=1 \   ID=60553 PROTO=UDP SPT=46113 DPT=33445 LEN=18 Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 \   ID=60728 PROTO=UDP SPT=44078 DPT=33445 LEN=18 Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=2 \   ID=60747 PROTO=UDP SPT=46113 DPT=33446 LEN=18 Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.140 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 \   ID=60855 PROTO=UDP SPT=44078 DPT=33446 LEN=18 Packet DROPPED: IN=eth1 OUT= \
  SRC=64.224.0.141 DST=###.###.###.### LEN=38 TOS=0x00 PREC=0x00 TTL=3 \   ID=60867 PROTO=UDP SPT=46113 DPT=33447 LEN=18 In the past 24 hours, source IPs have been:

  64.224.0.140
  64.224.0.141
  129.42.6.240
  129.42.6.241

The 129 addresses are controled by IBM and the 64 addresses by Interland. All IP addresses are pingable, and the 64's are running an HTTP server. When doing a GET on the 64 addresses, the default data returned in a 1x1 GIF image (possible image servers?)

Doing a little searching with Google, it appears that this could be traceroute traffic, but I do not know why these sites would want to traceroute my system, so I am wondering if there is anything else going on and if it is worth contacting the aformentioned companies.

Another possibility, just thinking off the top of my head, is that the sites are trying to detect performance/latency tests from client systems that connect to a web site. What gives me this idea is that yesterday, I checked out the Wimbledon site, which IBM maintains. Maybe they are doing some form of statistical analysis on the bandwidth capabilities of clients that connect to it.

As for Interland, I do not know, but it highly possible they are providing hosting services for some site that I have visited in the past few days. ARIN shows that they own a variety if IP address ranges.

Do you need help?

Who knows if the probes from each system have the same purpose.

Note, my system is connected via cable modem and I do not run any public services on it (against ISP service agreement).

--ewh
--

Earl Hood, <earl@earlhood.com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

Received on Wed Jun 25 23:14:30 2003

This message: [ Message body ]
Next message: Volker Tanger: "Re: War Dial on my PBX"
Previous message: James C. Slora Jr.: "Re: strange logs -- tcp port 16166"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:09 EDT