Anyone else seeing UDP 16191 scans?

From: Bob German <bobgerman(at)irides.com>
Date: Fri Jul 11 2003 - 07:56:06 EDT

('binary' encoding is not supported, stored as-is)

I've noticed an increasing number of UDP connections with a source and destination of port 16191. tcpdump shows that they generally contain bad udp checksum data, which leads me to believe that they are queries for a Q-type listener (
http://www.whitehats.ca/main/publications/external_pubs/Q-analysis/Q- analysis.html ) with a stealth payload that would be dropped by an OS but captured if the listener is installed.

My IDS is showing them as fragmented datagrams. I'm reluctant to block them at the router without verification that someone else is seeing them. At least letting them through, I can collect data on them.

---

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

---

Received on Fri Jul 11 14:49:41 2003