Re: UDP port 500 traffic from two clients

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 01/28/02


Date: Mon, 28 Jan 2002 22:25:42 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: Incidents Mailing List <incidents@securityfocus.com>

On Mon, 28 Jan 2002, Gary Flynn wrote:

> Chris Wilkes wrote:
> >
> > I recently moved and changed IP addresses within my ISP's block and two
> > IP addresses from mediaone.net and home.com hit me a couple of times a
> > minute with a UDP request to port 500.
>
> Code Red and Nimda infected machines will reportedly generate port
> 500 traffic.

Port 500 is NOT part of CodeRed. I doubt that Nimda uses it.

I get hit enough by them but just on port 80. To get a feel of what a
normal XS4ALL ADSL server gets hit by have a look at:
http://hvdkooij.xs4all.nl/fwlog/

Only SMTP and HTTP are normal traffic and not logged there.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

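The log-reading habit described above (look at everything the firewall logged, with the expected services filtered out, then see which sources keep coming back) can be done with a few lines of code. The block below is an added example, not Hugo's fwlog tooling or anything from the original thread. It assumes netfilter-style kernel log lines (the `IN=... SRC=... PROTO=... DPT=...` format) and uses constructed sample lines with TEST-NET addresses, not the real mediaone.net or home.com hosts; the function names and the "normal traffic" set of TCP/25 and TCP/80 are choices made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample firewall log in the netfilter kernel-log style.
# Addresses are TEST-NET ranges; none of this is real traffic.
SAMPLE_LOG = """\
Jan 28 22:01:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.50 LEN=152 TTL=113 PROTO=UDP SPT=500 DPT=500 LEN=132
Jan 28 22:01:31 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.50 LEN=152 TTL=113 PROTO=UDP SPT=500 DPT=500 LEN=132
Jan 28 22:01:45 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.50 LEN=152 TTL=109 PROTO=UDP SPT=500 DPT=500 LEN=132
Jan 28 22:02:04 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.50 LEN=152 TTL=113 PROTO=UDP SPT=500 DPT=500 LEN=132
Jan 28 22:02:20 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.50 LEN=152 TTL=109 PROTO=UDP SPT=500 DPT=500 LEN=132
Jan 28 22:03:11 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=48 TTL=116 PROTO=TCP SPT=3421 DPT=80 WINDOW=16384 SYN
Jan 28 22:03:12 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=48 TTL=116 PROTO=TCP SPT=3422 DPT=80 WINDOW=16384 SYN
Jan 28 22:04:40 gw kernel: IN=ppp0 OUT= SRC=198.51.100.88 DST=203.0.113.50 LEN=60 TTL=52 PROTO=TCP SPT=45012 DPT=25 WINDOW=5840 SYN
Jan 28 22:05:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=48 TTL=116 PROTO=TCP SPT=3501 DPT=21 WINDOW=16384 SYN
Jan 28 22:05:30 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.50 LEN=84 TTL=240 PROTO=ICMP TYPE=8 CODE=0
"""

# SPT/DPT are optional so ICMP lines (no ports) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Services this host actually runs; hits to them are expected and not counted.
NORMAL = frozenset({("TCP", 25), ("TCP", 80)})


def parse_line(line):
    """Return a dict with ts/src/dst/proto/spt/dpt, or None for a non-matching line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["spt"] = int(e["spt"]) if e["spt"] else None
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unexpected_by_port(entries, normal=NORMAL):
    """Hits per (proto, dport), with the expected service traffic dropped."""
    return Counter((e["proto"], e["dpt"]) for e in entries
                   if (e["proto"], e["dpt"]) not in normal)


def repeat_offenders(entries, proto="UDP", dport=500, min_hits=2):
    """Sources that hit one proto/port at least min_hits times."""
    per_src = Counter(e["src"] for e in entries
                      if e["proto"] == proto and e["dpt"] == dport)
    return {src: n for src, n in per_src.items() if n >= min_hits}


def mean_interval_seconds(entries, proto="UDP", dport=500):
    """Average seconds between hits, per source, for sources seen more than once."""
    times = defaultdict(list)
    for e in entries:
        if e["proto"] == proto and e["dpt"] == dport:
            # No year in syslog timestamps; strptime defaults to 1900, fine for deltas.
            times[e["src"]].append(datetime.strptime(e["ts"], "%b %d %H:%M:%S"))
    out = {}
    for src, ts in times.items():
        ts.sort()
        if len(ts) > 1:
            out[src] = (ts[-1] - ts[0]).total_seconds() / (len(ts) - 1)
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, n in unexpected_by_port(entries).most_common():
        print(f"{key[0]:5} dport={key[1]}: {n} hits")
    for src, n in repeat_offenders(entries).items():
        secs = mean_interval_seconds(entries).get(src)
        print(f"UDP/500 from {src}: {n} hits, about one every {secs:.0f}s")
```

Running it on the constructed sample gives the UDP/500 pair as the only repeat sources, roughly one hit every 30 to 35 seconds each, which is the "couple of times a minute" pattern the original poster described; the TCP/80 and TCP/25 connections disappear from the tally the way they do in Hugo's fwlog.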
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com