[nsp-sec] 2-byte UDP packets

Paul Dokas dokas at oitsec.umn.edu
Tue Oct 13 22:53:50 EDT 2009


Sidney Faber wrote:
> I'm trying to wrap up a long-standing issue about 2-byte UDP packets.

I'm filtering my border spans for these packets to see if I can help ID
them.  Here's the tcpdump filter that I'm using:

   udp and udp[4] == 0x00 and udp[5] == 0x0a

The length is 0x0a since it includes the UDP header and the data.


I've got one host generating a ton of inbound and a small number of outbound
2-byte UDP packets:

21:45:07.465633 IP 72.188.93.223.53124 > 160.94.115.158.1099: UDP, length 2
	0x0000:  0e87 0800 4500 001e 3e33 0000 7211 5004  ....E...>3..r.P.
	0x0010:  48bc 5ddf a05e 739e cf84 044b 000a 2227  H.]..^s....K.."'
	0x0020:  4f4b 0000 0000 0000 0000 0000 0000 0000  OK..............
	0x0030:  0000                                     ..
21:45:08.218160 IP 24.184.30.201.53124 > 160.94.115.158.1099: UDP, length 2
	0x0000:  0e87 0800 4500 001e 2202 0000 7211 db4f  ....E..."...r..O
	0x0010:  18b8 1ec9 a05e 739e cf84 044b 000a 9141  .....^s....K...A
	0x0020:  4f4b 0000 0000 0000 0000 0000 0000 0000  OK..............
	0x0030:  0000                                     ..
21:45:10.707780 IP 160.94.115.158.53124 > 61.135.131.123.8016: UDP, length 2
	0x0000:  0e87 0800 4500 001e 515e 0000 7e11 1672  ....E...Q^..~..r
	0x0010:  a05e 739e 3d87 837b cf84 1f50 000a ecba  .^s.=..{...P....
	0x0020:  4f4b 0000 0000 0000 0000 0000 0000 0000  OK..............
	0x0030:  0000                                     ..
21:45:10.940752 IP 210.74.107.190.50966 > 160.94.115.158.1099: UDP, length 2
	0x0000:  0e87 0800 4500 001e 9772 0000 6d11 6457  ....E....r..m.dW
	0x0010:  d24a 6bbe a05e 739e c716 044b 000a 9327  .Jk..^s....K...'
	0x0020:  4f4b 0000 0000 0000 0000 0000 0000 0000  OK..............
	0x0030:  0000                                     ..

The payload in all of these is 'OK'.  This host is also triggering a large
number of snort alerts for "ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"
based on TCP packets heading to 1099/TCP (same port number as the UDP pkts)
with this for the payload:

   CONNECT /pxpTree/20070110/1000 HTTP/1.1


I noticed a large increase in this type of traffic in the months before the
summer Olympics in Beijing.  I tracked this down to a Chinese news distribution
app that is built on a P2P system for distributing video and pictures.  In
short, it was benign.

I hope this helps.

Paul
-- 
Paul Dokas                                     dokas at oitsec.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
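The parser below is an added example, not code from Paul's message or from any tool he used. It rebuilds the raw frame from one of the tcpdump hex dumps above (the first packet, copied from the message), walks the IPv4 and UDP headers, and applies the same test as the tcpdump filter "udp[4] == 0x00 and udp[5] == 0x0a" in Python, so you can see exactly which bytes that filter is looking at. It assumes the 4 bytes before the "4500" in the dump are the link-layer header (LINK_HDR_LEN is my assumption from the dump, not something the message states) and that frames may carry trailing padding beyond the IP total length, which is why it trims to the IP and UDP length fields rather than taking everything after the header.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample: the first 2-byte UDP packet from the message, as tcpdump
# printed it.  The frame is padded with zeros to 50 bytes even though the IP
# total length is only 30, so payload extraction must trust the length fields.
SAMPLE_DUMP = """\
21:45:07.465633 IP 72.188.93.223.53124 > 160.94.115.158.1099: UDP, length 2
\t0x0000:  0e87 0800 4500 001e 3e33 0000 7211 5004  ....E...>3..r.P.
\t0x0010:  48bc 5ddf a05e 739e cf84 044b 000a 2227  H.]..^s....K.."'
\t0x0020:  4f4b 0000 0000 0000 0000 0000 0000 0000  OK..............
\t0x0030:  0000                                     ..
"""

# Assumption: the 4 bytes preceding the 0x45 IPv4 version/IHL byte in this
# capture are link-layer framing (not part of the message's description).
LINK_HDR_LEN = 4
IPPROTO_UDP = 17

# One "0xNNNN:" dump line: up to eight 4-hex-digit groups separated by single
# spaces, followed by two spaces and the ASCII column (which we ignore).
_DUMP_LINE = re.compile(r"0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2,4} )*[0-9a-fA-F]{2,4})")


@dataclass
class UdpDatagram:
    src: str
    sport: int
    dst: str
    dport: int
    udp_len: int          # value of the UDP length field (header + data)
    udp_header: bytes     # the 8 header bytes, what BPF's udp[N] indexes
    payload: bytes


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw frame bytes from tcpdump's 'offset:  hex...  ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if m is None:
            continue  # summary line or anything that is not a hex row
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_udp(frame: bytes, link_hdr_len: int = LINK_HDR_LEN) -> UdpDatagram:
    """Decode IPv4 + UDP from a raw frame, honouring the length fields."""
    ip = frame[link_hdr_len:]
    if ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    ip = ip[:total_len]          # drop link-layer padding
    udp = ip[ihl:]
    sport, dport, udp_len, _csum = struct.unpack_from("!HHHH", udp, 0)
    return UdpDatagram(src, sport, dst, dport, udp_len, udp[:8], udp[8:udp_len])


def is_two_byte_udp(d: UdpDatagram) -> bool:
    """Same test as the tcpdump filter: bytes 4-5 of the UDP header are the
    length field, and 0x000a = 10 means 8 header bytes plus 2 bytes of data."""
    return d.udp_header[4] == 0x00 and d.udp_header[5] == 0x0A


if __name__ == "__main__":
    d = parse_udp(hexdump_to_bytes(SAMPLE_DUMP))
    print(f"{d.src}:{d.sport} -> {d.dst}:{d.dport} len={d.udp_len} payload={d.payload!r}")
    print("matches 2-byte filter:", is_two_byte_udp(d))
```

Two things worth noting from running it: the payload comes out as b"OK" only because the slice stops at the UDP length field; taking everything after the header would return 22 bytes of zero padding as well. And since BPF can compare multi-byte fields, "udp[4:2] == 10" is an equivalent, shorter way to write the filter from the message.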
