Re: UDP port 500 traffic from two clients

From: Hugo van der Kooij
Date: 01/28/02

Date: Mon, 28 Jan 2002 22:25:42 +0100 (CET)
From: Hugo van der Kooij <>
To: Incidents Mailing List <>

On Mon, 28 Jan 2002, Gary Flynn wrote:

> Chris Wilkes wrote:
> >
> > I recently moved and changed IP addresses within my ISP's block and two
> > IP addresses from and hit me a couple of times a
> > minute with a UDP request to port 500.
> Code Red and Nimda infected machines will reportedly generate port
> 500 traffic.

Port 500 is NOT part of CodeRed. I doubt that Nimda uses it.

I get hit enough by them but just on port 80. To get a feel for what a
normal XS4ALL ADSL server gets hit by, have a look at:

Only SMTP and HTTP are normal traffic and are not logged there.


All email sent to me is bound to the rules described on my homepage.
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
