Re: Strange Port 0 Traffic
From: Francesca C Smith (fsmith_at_ladylinux.com)
Date: 11/14/03
- Previous message: whiplash: "Re: [despammed] RE: SQL Slammer doing the rounds again?"
- Maybe in reply to: Josh.Berry_at_compucom.com: "Strange Port 0 Traffic"
- Next in thread: Andre Ludwig: "RE: Strange Port 0 Traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 Nov 2003 12:44:27 -0500 To: <Josh.Berry@compucom.com>, <incidents@securityfocus.com>
Hello,
Yes I have been seeing a lot of this along with a Sharp
uptick in sub-seven 27374 traffic .. Mostly from Korea ..
Lady Linux
At 05:41 PM 11/13/2003, Josh.Berry@compucom.com wrote:
>I am seeing a lot of traffic lately coming from different external
>sources using UDP originating from a source port of 10000 and coming to
>my various firewall addresses with a destination port of 0.
>
>I ran tcpdump traces for this traffic both internally and externally for
>about 2 weeks. The traces showed no internal servers/desktops/devices
>making these connections, only external machines sending these packets
>to the firewalls.
>
>The data in the packet is gibberish; looks like it might be encrypted.
>Is anyone else seeing this kind of traffic?
>
>Attached is a sanitized trace of some of these packets.
>
>Josh Berry
>Information Security Group
>972-856-5402
>
>
>---------------------------------------------------------------------------
>Network with over 10,000 of the brightest minds in information security
>at the largest, most highly-anticipated industry event of the year.
>Don't miss RSA Conference 2004! Choose from over 200 class sessions and
>see demos from more than 250 industry vendors. If your job touches
>security, you need to be here. Learn more or register at
>http://www.securityfocus.com/sponsor/RSA_incidents_031023
>and use priority code SF4.
>----------------------------------------------------------------------------
"No Problems Only Solutions"
Francesca C. Smith
Lady Linux Internet Services
fsmith@ladylinux.com
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: whiplash: "Re: [despammed] RE: SQL Slammer doing the rounds again?"
- Maybe in reply to: Josh.Berry_at_compucom.com: "Strange Port 0 Traffic"
- Next in thread: Andre Ludwig: "RE: Strange Port 0 Traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
