Strange UDP packets to non-existent network.

From: Christopher Lyon (cslyon_at_netsvcs.com)
Date: 08/19/03

  • Next message: Jeff Peterson: "RE: Software vendor clueless"
    Date: Mon, 18 Aug 2003 15:38:54 -0700
    To: <incidents@securityfocus.com>
    
    

    I am seeing something odd and wanted to run it by everybody. Below are
    some packet captures for everybody's review. 192.168.254.4 is our
    Exchange server running on Windows 2000. It is constantly streaming out
    these UDP packets to 192.168.40.1, 192.168.73.1, and a few other
    192.168.x.x addresses. The dominant ones are 192.168.40.1 and
    192.168.73.1. They all have the same rotating payload, but the dst UDP
    ports start at 1658+ and 1677+. So, you are saying at this point, what's
    the big deal, so something is talking to 192.168.40.1, 73.1 and xx.xx on
    your internal network? Well, we don't use these addresses at all and
    never have. So, the question is, what is this box trying to
    do? Has anybody seen this?

    Header and Payload
    14:52:54.907608 192.168.254.4.14884 > 192.168.40.1.1658: udp 8
    000 : E8 28 1A 01 CB 44 F9 77 .(...D.w

    Header and Payload
    14:52:54.908789 192.168.254.4.14889 > 192.168.40.1.1677: udp 8
    000 : E8 28 4C 01 CB 44 F9 77 .(L..D.w

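As an added example, not part of the original post or its captures: the script below parses tcpdump lines of the form quoted above, flags UDP flows whose destination is a private (RFC 1918) address that lies outside the subnets the site actually uses, and shows which payload bytes change between the two captured packets (the "rotating payload"). The `USED_SUBNETS` allow-list and the three extra capture lines after the two quoted ones are assumptions constructed for the example.

```python
"""Added example (not from the original post): triage tcpdump-style UDP
lines and hex-dump lines, flag flows to private addresses the site does
not use, and locate the bytes that differ between two payloads."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the post plus three invented
# lines in the same format, so ordinary DNS traffic is present to let through.
SAMPLE_CAPTURE = """\
14:52:54.907608 192.168.254.4.14884 > 192.168.40.1.1658: udp 8
14:52:54.908789 192.168.254.4.14889 > 192.168.40.1.1677: udp 8
14:52:54.910000 192.168.254.4.14890 > 192.168.73.1.1659: udp 8
14:52:55.000000 192.168.254.4.14891 > 192.168.254.10.53: udp 40
14:52:55.100000 192.168.254.10.53 > 192.168.254.4.14891: udp 120
"""

# The two payload dump lines from the post (offset : hex bytes  ascii).
HEXDUMP_A = "000 : E8 28 1A 01 CB 44 F9 77 .(...D.w"
HEXDUMP_B = "000 : E8 28 4C 01 CB 44 F9 77 .(L..D.w"

# Assumption for the example: the only internal subnet this site really uses.
USED_SUBNETS = [ipaddress.ip_network("192.168.254.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_line(line):
    """Parse one 'ts src.sport > dst.dport: udp len' line; None if not UDP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "len": int(m.group("len")),
    }


def is_unused_internal(addr, used_subnets=USED_SUBNETS):
    """True if addr is private but not inside any subnet the site uses."""
    return addr.is_private and not any(addr in net for net in used_subnets)


def find_phantom_flows(capture_text, used_subnets=USED_SUBNETS):
    """Group packets to unused private destinations by (src, dst) and
    summarise count, destination port range and UDP payload lengths."""
    flows = defaultdict(lambda: {"count": 0, "dports": [], "lens": set()})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_unused_internal(pkt["dst"], used_subnets):
            continue
        f = flows[(str(pkt["src"]), str(pkt["dst"]))]
        f["count"] += 1
        f["dports"].append(pkt["dport"])
        f["lens"].add(pkt["len"])
    return {
        key: {
            "count": f["count"],
            "dport_range": (min(f["dports"]), max(f["dports"])),
            "payload_lens": sorted(f["lens"]),
        }
        for key, f in flows.items()
    }


def parse_hexdump(line):
    """Return the bytes of an 'OFFSET : XX XX ... ascii' dump line."""
    _, _, rest = line.partition(":")
    out = bytearray()
    for tok in rest.split():
        if not HEX_TOKEN.match(tok):
            break  # reached the ASCII column
        out.append(int(tok, 16))
    return bytes(out)


def differing_offsets(a, b):
    """Offsets at which two equal-length payloads differ."""
    if len(a) != len(b):
        raise ValueError("payload lengths differ: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for (src, dst), info in find_phantom_flows(SAMPLE_CAPTURE).items():
        print("%s -> %s: %d pkts, dst ports %s, udp lens %s"
              % (src, dst, info["count"], info["dport_range"], info["payload_lens"]))
    a, b = parse_hexdump(HEXDUMP_A), parse_hexdump(HEXDUMP_B)
    print("payload offsets that differ between the two packets:", differing_offsets(a, b))
```

Run against the sample, only the flows to 192.168.40.1 and 192.168.73.1 are reported, and the payload comparison shows that only byte 2 (0x1A versus 0x4C) changes between the two quoted packets; the same per-destination summary over a longer capture is what you would hand to whoever owns the Exchange box.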


