Re: UDP flood on port 2001

From: KoRe MeLtDoWn (koremeltdown@hotmail.com)
Date: 09/10/02


From: "KoRe MeLtDoWn" <koremeltdown@hotmail.com>
To: alyancha@meridiantelekoms.com, incidents@securityfocus.com
Date: Tue, 10 Sep 2002 21:14:56 +0000

I'm taking a wild guess here, but the only thing I could think it could be
is a DOS attack - the data doesn't seem to do anything, or send any useful
data - many standard distribution DOS and DDOS attack tools just fire "junk"
data at the target, perhaps this is what is happening to your client...

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/

New Zealand

Is your box REALLY secure?

>From: Arnold Yancha <alyancha@meridiantelekoms.com>
>To: incidents@securityfocus.com
>Subject: UDP flood on port 2001
>Date: Tue, 10 Sep 2002 11:05:20 +0800
>
>Hi,
>
>Anyone seen this kind of UDP traffic? A client has been complaining that
>their bandwidth has been eaten significantly by this type of traffic. I
>haven't seen any solid reference to it in Google. Maybe somebody on this
>list can shed some light on this. Thanks.
>
>-arnold
>
> 1 0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 45 52 00 00 37 11 8a 18 3f d9 1a 23 xx xx .DER..7...?..#.W
>0020 xx eb 07 d1 07 d1 00 30 93 14 26 00 00 00 73 bd .......0..&...s.
>0030 ff 37 28 00 00 00 9e ad cf f4 05 00 00 00 00 00 .7(.............
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 2 0.003603 63.217.26.35 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 45 da 00 00 37 11 89 8d 3f d9 1a 23 xx xx .HE...7...?..#.W
>0020 xx ea 07 d1 07 d1 00 34 ed b5 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
> 3 0.007376 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 ae 8c 00 00 37 11 20 e7 3f d9 1a 1a xx xx .D....7. .?....W
>0020 xx eb 07 d1 07 d1 00 30 13 40 26 00 00 00 bb 78 .......0.@&....x
>0030 27 4a 28 00 00 00 4e da 2f d8 05 00 00 00 00 00 'J(...N./.......
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 4 0.010812 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 ae bc 00 00 37 11 20 b7 3f d9 1a 1a xx xx .D....7. .?....W
>0020 xx eb 07 d1 07 d1 00 30 67 38 26 00 00 00 9d 46 .......0g8&....F
>0030 ea 7d 28 00 00 00 16 30 6f 88 05 00 00 00 00 00 .}(....0o.......
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 5 0.013111 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 45 ec 00 00 37 11 89 7a 3f d9 1a 23 xx xx .HE...7..z?..#.W
>0020 xx eb 07 d1 07 d1 00 34 ed b4 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
> 6 0.013115 63.217.26.26 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 b0 24 00 00 37 11 1f 4c 3f d9 1a 1a xx xx .H.$..7..L?....W
>0020 xx ea 07 d1 07 d1 00 34 ed be 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

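One way to triage a capture like the one quoted above, added here as an example and not part of either post: rebuild frames 1 and 2 from the hex rows, decode the IPv4/UDP headers, and look for a payload word that tracks the payload length, which random filler would be unlikely to contain consistently. The function names are this example's own, and it assumes Ethernet II framing and unmasked UDP bytes.

```python
import re
# Frames 1 and 2 copied from the quoted capture; "xx" = bytes masked by the poster.
DUMP = """\
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 45 52 00 00 37 11 8a 18 3f d9 1a 23 xx xx .DER..7...?..#.W
>0020 xx eb 07 d1 07 d1 00 30 93 14 26 00 00 00 73 bd .......0..&...s.
>0030 ff 37 28 00 00 00 9e ad cf f4 05 00 00 00 00 00 .7(.............
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 45 da 00 00 37 11 89 8d 3f d9 1a 23 xx xx .HE...7...?..#.W
>0020 xx ea 07 d1 07 d1 00 34 ed b5 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
"""

def parse_frames(text):
    """Rebuild frames from offset-prefixed hex rows; masked 'xx' bytes become None."""
    frames = []
    for line in text.splitlines():
        tok = line.lstrip("> ").split()
        if not tok or not re.fullmatch(r"[0-9a-f]{4}", tok[0]):
            continue                          # summary line, prose or blank
        if tok[0] == "0000" or not frames:
            frames.append([])                 # offset 0000 starts a new frame
        for t in tok[1:17]:                   # at most 16 bytes per row
            if not re.fullmatch(r"xx|[0-9a-f]{2}", t):
                break                         # reached the ASCII column
            frames[-1].append(None if t == "xx" else int(t, 16))
    return frames

def decode_udp(frame):
    """Decode Ethernet II / IPv4 / UDP; None if not UDP, truncated, or masked where needed."""
    if len(frame) < 42 or None in frame[12:24] or frame[12:14] != [8, 0] or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4         # Ethernet header + IP header length
    end = 14 + (frame[16] << 8 | frame[17])   # Ethernet header + IP total length
    if len(frame) < end or None in frame[udp:end]:
        return None
    ip = lambda b: ".".join("xxx" if x is None else str(x) for x in b)
    payload = bytes(frame[udp + 8:end])
    return {"src": ip(frame[26:30]), "dst": ip(frame[30:34]), "payload": payload,
            "sport": frame[udp] << 8 | frame[udp + 1], "dport": frame[udp + 2] << 8 | frame[udp + 3],
            "words": [int.from_bytes(payload[i:i + 4], "little") for i in range(0, len(payload) - 3, 4)]}

def length_field_offsets(packets):
    """Word indexes whose little-endian value equals the payload length in every packet."""
    hits = [{i for i, w in enumerate(p["words"]) if w == len(p["payload"])} for p in packets]
    return sorted(set.intersection(*hits)) if hits else []
```

On these two frames `length_field_offsets` returns `[2]`: the third little-endian word is 40 and 44, the same as the two UDP payload sizes.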