[nsp-sec] 2-byte UDP packets
Sidney Faber
sfaber at cert.org
Tue Oct 13 15:54:28 EDT 2009
I'm trying to wrap up a long-standing issue about 2-byte UDP packets. They're everywhere, they're not spoofed, they're going to a bogus IP address that often ends in .0 or .4, they've been around for years, and millions of hosts worldwide (although mostly in the Asia-Pacific region) are sending them. I'm 95% sure they're benign, from some sort of broken peer-to-peer client; I'm wondering if anyone can confirm. If you've got flow across a large network, just search for single-packet 30-byte (20b IP header + 8b UDP header + 2b data) UDP flows and they should pop right out (I think there are related 72b flows as well, but I'll table them for the time being).
Many netdefense analysts have spent lots of valuable time researching the issue independently, often initially thinking the packets are a low-level DDoS. I'd like to document the actual source so they can move along to the more interesting stuff.
Thanks!
sid
--
Sidney Faber
Member of the Technical Staff
CERT / Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
412-268-9237
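The flow search the post describes (single-packet UDP flows of exactly 30 bytes: 20-byte IP header, 8-byte UDP header, 2 bytes of data), as an added example that is not part of the original message and not CERT's tooling. It assumes a simplified, constructed whitespace-separated flow record format (one flow per line) rather than any particular collector's export, and also tallies the destination's last octet so the ".0 or .4" observation can be checked against real data.

```python
# Added example, not from the original post. Flag single-packet 30-byte UDP
# flows and histogram the destination last octet. The record format below
# is an assumption: "src_ip dst_ip proto src_port dst_port packets bytes",
# with bytes counted at the IP layer (no IP options) as most flow tools do.
import ipaddress
from collections import Counter

IP_HDR, UDP_HDR, PAYLOAD = 20, 8, 2
TWO_BYTE_FLOW_LEN = IP_HDR + UDP_HDR + PAYLOAD  # 30 bytes on the wire
UDP = 17

# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.0 17 6881 6881 1 30
203.0.113.11 198.51.100.4 17 12345 4444 1 30
203.0.113.12 198.51.100.4 17 40000 53 1 30
203.0.113.13 198.51.100.77 17 5000 5000 1 30
203.0.113.14 198.51.100.4 6 40001 80 3 180
203.0.113.15 198.51.100.0 17 6000 6000 2 60
"""

def parse_flow(line):
    src, dst, proto, sport, dport, pkts, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes)}

def is_two_byte_udp(flow):
    """True for a lone UDP datagram carrying exactly 2 payload bytes."""
    return (flow["proto"] == UDP and flow["packets"] == 1
            and flow["bytes"] == TWO_BYTE_FLOW_LEN)

def last_octet(ip):
    """Last byte of the address (works for IPv4 and IPv6 literals)."""
    return int(ipaddress.ip_address(ip)) & 0xFF

def summarize(text):
    """Return (matching flows, Counter of destination last octets)."""
    hits = [f for f in map(parse_flow, text.splitlines()) if is_two_byte_udp(f)]
    return hits, Counter(last_octet(f["dst"]) for f in hits)

if __name__ == "__main__":
    hits, octets = summarize(SAMPLE_FLOWS)
    print(f"{len(hits)} single-packet 30-byte UDP flows")
    for f in hits:
        print(f"  {f['src']} -> {f['dst']}:{f['dport']}")
    print("destination last-octet counts:", dict(octets))
```

On the sample above the TCP flow and the two-packet UDP flow are excluded, leaving four hits, three of them to .0 or .4 destinations.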