RE: Strange UDP Activity

From: Steve Vawter (svawter@zonelabs.com)
Date: 04/16/02


From: Steve Vawter <svawter@zonelabs.com>
To: "'LAVELLE,MICHAEL (HP-PaloAlto,ex1)'" <mlavelle@hp.com>
Date: Tue, 16 Apr 2002 10:05:48 -0700

According to my sources (Internet Assigned Numbers Authority,
http://www.iana.org/)
port 1067/udp (&tcp) is for Installation Bootstrap Proto. Serv., whatever
that means. Where did you find SMTP? SMTP lives on port 25/tcp. Unless
some sites run it in strange places for "security" through obscurity
reasons. Many scanners seem to be using a source of 53/udp recently (I see
the same at home on a dialup) likely to make themselves part of the
background DNS noise. It doesn't work, we see you. Stop.

My comments are my own and have NOTHING to do with Zone Labs or its
policies.
I'm just a UNIX geek after all. ; }

Steve Vawter
UNIX SYSTEM ADMINISTRATOR
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelle@hp.com]
Sent: Tuesday, April 16, 2002 8:36 AM
To: incidents@securityfocus.com
Subject: Strange UDP Activity

Greetings to the List,

I recently started seeing strange UDP traffic to my home DSL, which is
included below. It has been active for the last 4 days at all hours. None of
these IPs are DNS servers that I use, and much of the activity is when all
of my computers are off. Google led me to port 1067 as being an SNMP port,
but I have SNMP disabled on all devices at home, and the ACL blocks it
anyway.

Is there a new vulnerability going around that I missed? So far I have not
read anything on the list that looks like this...any ideas?

Thanks for listening,

Mike
___________________________

Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
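The pattern Steve describes (many hosts hitting one port with a source port of 53/udp) is easy to pull out of Cisco IOS ACL logs like the ones Mike posted. The script below is an added example written for this archive page, not code from either poster or from Cisco: it parses %SEC-6-IPACCESSLOGP lines, groups them by protocol and port pair, counts distinct sources and packets, and flags udp flows that arrive from port 53 at some other port from several different hosts. The regular expression, the `min_sources` threshold, and the two extra non-matching sample lines (192.0.2.x addresses) are assumptions constructed for the example; the fourteen udp entries are the ones quoted in the post, rejoined to one line each. The summary is what you would look at next: the same port pair from many hosts is consistent with a scanner hiding in DNS noise, and also with replies to queries something behind the router sent from that port, so the outbound side of the log decides between the two.

```python
import re
from collections import defaultdict

# Matches Cisco IOS ACL log entries in the form quoted in the post, e.g.
# "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets"
# The pattern is an assumption made for this example, not a Cisco-published grammar.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# The ACL entries quoted in the post, plus two constructed lines (TEST-NET
# addresses) and one unrelated syslog line to show what gets grouped where.
SAMPLE_LOG = """\
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:50:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.7(3021) -> X.X.55.121(25), 1 packet
Apr 14 22:50:02: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.9(53) -> X.X.55.121(53), 2 packets
Apr 14 22:50:03: %SYS-5-CONFIG_I: Configured from console by vty0
""".splitlines()


def parse_line(line):
    """Return a dict for one IPACCESSLOGP entry, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group entries by (proto, sport, dport) with distinct sources and packet totals."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "entries": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog lines are skipped, not counted
        g = groups[(rec["proto"], rec["sport"], rec["dport"])]
        g["sources"].add(rec["src"])
        g["packets"] += rec["count"]
        g["entries"] += 1
    return groups


def flag_dns_source_port(groups, min_sources=3):
    """Report udp flows from source port 53 to a port other than 53 seen from at
    least min_sources distinct hosts, as (dport, distinct_sources, packets).
    The threshold is an assumption; the caller still has to check whether the
    destination sent queries from that port before calling it a scan."""
    hits = []
    for (proto, sport, dport), g in groups.items():
        if proto == "udp" and sport == 53 and dport != 53 and len(g["sources"]) >= min_sources:
            hits.append((dport, len(g["sources"]), g["packets"]))
    return sorted(hits)


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for key, g in sorted(groups.items()):
        print(f"{key[0]} {key[1]} -> {key[2]}: {len(g['sources'])} sources, "
              f"{g['packets']} packets in {g['entries']} entries")
    print("candidates:", flag_dns_source_port(groups))
```

Run against the posted log the script reports one candidate: port 1067/udp, 13 distinct sources, 60 packets across 14 entries (192.36.148.17 appears twice and is counted once). The tcp entry and the 53 -> 53 entry land in their own groups and are not flagged.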

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
