[nsp-sec] Odd "attack" traffic

Mike Tancsa mike at sentex.net
Tue Dec 28 20:15:42 EST 2010


On 12/28/2010 7:32 PM, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> My memory is not as good as it used to be, but this port sounds very
> familiar - I am also seeing a lot of this traffic, and I believe that
> this is a P2P video program that is used by our Asian students to watch
> TV from their home countries.

That would be my guess as well.  Some example packets:

reading from file /tmp/udp.pcap, link-type EN10MB (Ethernet)
19:14:17.506754 IP (tos 0x0, ttl 126, id 31666, offset 0, flags [none],
proto UDP (17), length 90)
    64.7.157.19.7984 > 87.194.91.245.17368: [udp sum ok] UDP, length 62
        0x0000:  4500 005a 7bb2 0000 7e11 300f 4007 9d13  E..Z{...~.0.@...
        0x0010:  57c2 5bf5 1f30 43d8 0046 017f 6431 3a61  W.[..0C..F..d1:a
        0x0020:  6432 3a69 6432 303a 9805 3c91 57a3 1431  d2:id20:..<.W..1
        0x0030:  3eda ee63 a5ef 0d30 fee3 7a4c 6531 3a71  >..c...0..zLe1:q
        0x0040:  343a 7069 6e67 313a 7438 3a90 9c23 dfff  4:ping1:t8:..#..
        0x0050:  8856 2a31 3a79 313a 7165                 .V*1:y1:qe
19:34:20.291834 IP (tos 0x0, ttl 126, id 13983, offset 0, flags [none],
proto UDP (17), length 90)
    64.7.157.19.7984 > 87.194.91.245.17368: [udp sum ok] UDP, length 62
        0x0000:  4500 005a 369f 0000 7e11 7522 4007 9d13  E..Z6...~.u"@...
        0x0010:  57c2 5bf5 1f30 43d8 0046 8d06 6431 3a61  W.[..0C..F..d1:a
        0x0020:  6432 3a69 6432 303a 9805 3c91 57a3 1431  d2:id20:..<.W..1
        0x0030:  3eda ee63 a5ef 0d30 fee3 7a4c 6531 3a71  >..c...0..zLe1:q
        0x0040:  343a 7069 6e67 313a 7438 3aa6 b195 1a5b  4:ping1:t8:....[
        0x0050:  86eb 5031 3a79 313a 7165                 ..P1:y1:qe
19:36:13.444040 IP (tos 0x0, ttl 126, id 34870, offset 0, flags [none],
proto UDP (17), length 134)
    64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 106
        0x0000:  4500 0086 8836 0000 7e11 8796 4007 9d0e  E....6..~...@...
        0x0010:  55e3 f9a1 caf0 43d8 0072 d4d8 6431 3a61  U.....C..r..d1:a
        0x0020:  6432 3a69 6432 303a ae0f f983 1b3b 9050  d2:id20:.....;.P
        0x0030:  154e a711 1285 9f1f ae7e b6d8 393a 696e  .N.......~..9:in
        0x0040:  666f 5f68 6173 6832 303a ee65 9b99 4dd3  fo_hash20:.e..M.
        0x0050:  b549 eff7 1380 c789 3721 b7d8 6cf0 6531  .I......7!..l.e1
        0x0060:  3a71 393a 6765 745f 7065 6572 7331 3a74  :q9:get_peers1:t
        0x0070:  343a 9710 067c 313a 7634 3a55 545a c331  4:...|1:v4:UTZ.1
        0x0080:  3a79 313a 7165                           :y1:qe
19:50:09.618130 IP (tos 0x0, ttl 114, id 21519, offset 0, flags [none],
proto UDP (17), length 95)
    98.114.2.27.64505 > 64.7.157.19.17368: [udp sum ok] UDP, length 67
        0x0000:  4500 005f 540f 0000 7211 b2d7 6272 021b  E.._T...r...br..
        0x0010:  4007 9d13 fbf9 43d8 004b 8a2d 6431 3a61  @.....C..K.-d1:a
        0x0020:  6432 3a69 6432 303a 9b73 e9b7 4e3d 9aad  d2:id20:.s..N=..
        0x0030:  2734 5c4c c4b3 9dee 3ac8 949c 6531 3a71  '4\L....:...e1:q
        0x0040:  343a 7069 6e67 313a 7434 3ac2 0700 0031  4:ping1:t4:....1
        0x0050:  3a76 343a 5554 5686 313a 7931 3a71 65    :v4:UTV.1:y1:qe
19:56:39.632253 IP (tos 0x0, ttl 113, id 27038, offset 0, flags [none],
proto UDP (17), length 131)
    75.5.251.1.17368 > 64.7.157.40.44666: [udp sum ok] UDP, length 103
        0x0000:  4500 0083 699e 0000 7111 bc95 4b05 fb01  E...i...q...K...
        0x0010:  4007 9d28 43d8 ae7a 006f 1bd1 6431 3a61  @..(C..z.o..d1:a
        0x0020:  6432 3a69 6432 303a 8332 20c2 ddb3 8230  d2:id20:.2.....0
        0x0030:  25a3 f895 f770 4872 33de c655 363a 7461  %....pHr3..U6:ta
        0x0040:  7267 6574 3230 3a83 3577 2801 fe81 86f8  rget20:.5w(.....
        0x0050:  f895 0988 3e21 2ba8 5cbb ef65 313a 7139  ....>!+.\..e1:q9
        0x0060:  3a66 696e 645f 6e6f 6465 313a 7434 3ac6  :find_node1:t4:.
        0x0070:  6600 0031 3a76 343a 5554 4406 313a 7931  f..1:v4:UTD.1:y1
        0x0080:  3a71 65                                  :qe
19:56:48.769898 IP (tos 0x0, ttl 126, id 28805, offset 0, flags [none],
proto UDP (17), length 134)
    64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 106
        0x0000:  4500 0086 7085 0000 7e11 9f47 4007 9d0e  E...p...~..G@...
        0x0010:  55e3 f9a1 caf0 43d8 0072 599b 6431 3a61  U.....C..rY.d1:a
        0x0020:  6432 3a69 6432 303a ae0f f983 1b3b 9050  d2:id20:.....;.P
        0x0030:  154e a711 1285 9f1f ae7e b6d8 393a 696e  .N.......~..9:in
        0x0040:  666f 5f68 6173 6832 303a ee65 9b99 4dd3  fo_hash20:.e..M.
        0x0050:  b549 eff7 1380 c789 3721 b7d8 6cf0 6531  .I......7!..l.e1
        0x0060:  3a71 393a 6765 745f 7065 6572 7331 3a74  :q9:get_peers1:t
        0x0070:  343a f3dd 24ec 313a 7634 3a55 545a c331  4:..$.1:v4:UTZ.1
        0x0080:  3a79 313a 7165                           :y1:qe
19:56:48.886846 IP (tos 0x0, ttl 113, id 1623, offset 0, flags [none],
proto UDP (17), length 545)
    85.227.249.161.17368 > 64.7.157.14.51952: [udp sum ok] UDP, length 517
        0x0000:  4500 0221 0657 0000 7111 14db 55e3 f9a1  E..!.W..q...U...
        0x0010:  4007 9d0e 43d8 caf0 020d 509a 6431 3a72  @...C.....P.d1:r
        0x0020:  6432 3a69 6432 303a ee65 96aa c8ea 9a88  d2:id20:.e......
        0x0030:  c6a4 3b19 df77 594a cc3c beda 353a 6e6f  ..;..wYJ.<..5:no
        0x0040:  6465 7332 3038 3aee 659b 9370 780c 96d6  des208:.e..px...
        0x0050:  904f a63c fd07 649e 30c8 b218 0e68 7c62  .O.<..d.0....h|b
        0x0060:  caee 659f d1ff 85f9 b6dd 8a10 810f fb7e  ..e............~
        0x0070:  9af9 92b6 ad47 cce0 314e e1ee 65b0 be39  .....G..1N..e..9
        0x0080:  dbf0 e3a7 1375 5ae4 8d52 9c2c 5460 474e  .....uZ..R.,T`GN
        0x0090:  96e6 2f3d 24ee 65b7 bed6 abb3 8b80 5236  ../=$.e.......R6
        0x00a0:  584b 520f e045 ba71 da55 f048 8c3d 13ee  XKR..E.q.U.H.=..
        0x00b0:  65b7 1bf3 21d3 fb77 e91a a0b1 c320 1300  e...!..w........
        0x00c0:  7d47 4029 e36c 0e62 a1ee 65b4 142d 9346  }G@).l.b..e..-.F
        0x00d0:  3cd5 2ded 807f 0389 0d88 822a f55c f498  <.-........*.\..
        0x00e0:  477e 27ee 65ad 1baa 2929 ca7e 0d23 f42a  G~'.e...)).~.#.*
        0x00f0:  5593 13ce b237 115d 9f35 6462 cfee 65a0  U....7.].5db..e.
        0x0100:  027d 47ce 9327 ea66 ba17 154f 3189 f88a  .}G..'.f...O1...
        0x0110:  9346 4827 376d ab35 3a74 6f6b 656e 3230  .FH'7m.5:token20
        0x0120:  3a0c d489 cc13 caf7 fab0 2d4c fcb3 7e4a  :.........-L..~J
        0x0130:  7511 605d ef36 3a76 616c 7565 736c 363a  u.`].6:valuesl6:
        0x0140:  5590 0ddd 7df9 363a 5ac9 1476 a0f7 363a  U...}.6:Z..v..6:
        0x0150:  5615 0855 8164 363a dce9 b733 a161 363a  V..U.d6:...3.a6:
        0x0160:  40e7 99e3 6df9 363a 519f f786 d320 363a  @...m.6:Q.....6:
        0x0170:  516d 9591 f99f 363a 1b21 83b4 9fac 363a  Qm....6:.!....6:
        0x0180:  5e8a 4028 4b90 363a 5658 0ed4 7d34 363a  ^.@(K.6:VX..}46:
        0x0190:  5ac2 0148 7291 363a bc7e 101a 6099 363a  Z..Hr.6:.~..`.6:
        0x01a0:  7bd3 132d cfce 363a cbd5 1f5d 3b53 363a  {..-..6:...];S6:
        0x01b0:  56ab b68f d82f 363a 3ba7 9d7f cb20 363a  V..../6:;.....6:
        0x01c0:  1807 cbfe 8404 363a 76d0 219b 62c8 363a  ......6:v.!.b.6:
        0x01d0:  3cf2 4d85 ef3b 363a 7cb5 7406 5740 363a  <.M..;6:|.t.W@6:
        0x01e0:  8ad9 84b3 b272 363a 1b21 0298 3832 363a  .....r6:.!..826:
        0x01f0:  ae40 be72 f650 363a cb7b 5833 cac4 363a  .@.r.P6:.{X3..6:
        0x0200:  5218 cd7c 655f 6565 313a 7434 3af3 dd24  R..|e_ee1:t4:..$
        0x0210:  ec31 3a76 343a 5554 57e6 313a 7931 3a72  .1:v4:UTW.1:y1:r
        0x0220:  65                                       e
19:57:18.618404 IP (tos 0x0, ttl 114, id 10249, offset 0, flags [none],
proto UDP (17), length 58)
    98.114.2.27.64505 > 64.7.157.19.17368: [udp sum ok] UDP, length 30
        0x0000:  4500 003a 2809 0000 7211 df02 6272 021b  E..:(...r...br..
        0x0010:  4007 9d13 fbf9 43d8 0026 9422 4102 24f2  @.....C..&."A.$.
        0x0020:  2977 5a59 0000 0000 0038 0000 0001 0000  )wZY.....8......
        0x0030:  0008 0000 0000 0000 0000                 ..........
19:57:21.296396 IP (tos 0x0, ttl 126, id 32556, offset 0, flags [none],
proto UDP (17), length 182)
    64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 154
        0x0000:  4500 00b6 7f2c 0000 7e11 9070 4007 9d0e  E....,..~..p@...
        0x0010:  55e3 f9a1 caf0 43d8 00a2 c307 6431 3a61  U.....C.....d1:a
        0x0020:  6432 3a69 6432 303a ae0f f983 1b3b 9050  d2:id20:.....;.P
        0x0030:  154e a711 1285 9f1f ae7e b6d8 393a 696e  .N.......~..9:in
        0x0040:  666f 5f68 6173 6832 303a ee65 9b99 4dd3  fo_hash20:.e..M.
        0x0050:  b549 eff7 1380 c789 3721 b7d8 6cf0 343a  .I......7!..l.4:
        0x0060:  706f 7274 6935 3139 3532 6535 3a74 6f6b  porti51952e5:tok
        0x0070:  656e 3230 3a0c d489 cc13 caf7 fab0 2d4c  en20:.........-L
        0x0080:  fcb3 7e4a 7511 605d ef65 313a 7131 333a  ..~Ju.`].e1:q13:
        0x0090:  616e 6e6f 756e 6365 5f70 6565 7231 3a74  announce_peer1:t
        0x00a0:  343a 5943 0322 313a 7634 3a55 545a c331  4:YC."1:v4:UTZ.1
        0x00b0:  3a79 313a 7165                           :y1:qe
19:57:21.518164 IP (tos 0x0, ttl 113, id 3051, offset 0, flags [none],
proto UDP (17), length 86)
    85.227.249.161.17368 > 64.7.157.14.51952: [udp sum ok] UDP, length 58
        0x0000:  4500 0056 0beb 0000 7111 1112 55e3 f9a1  E..V....q...U...
        0x0010:  4007 9d0e 43d8 caf0 0042 1994 6431 3a72  @...C....B..d1:r
        0x0020:  6432 3a69 6432 303a ee65 96aa c8ea 9a88  d2:id20:.e......
        0x0030:  c6a4 3b19 df77 594a cc3c beda 6531 3a74  ..;..wYJ.<..e1:t
        0x0040:  343a 5943 0322 313a 7634 3a55 5457 e631  4:YC."1:v4:UTW.1
        0x0050:  3a79 313a 7265                           :y1:re
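The ASCII columns of the dumps above already spell out bencoded dictionaries whose q values are ping, get_peers, find_node and announce_peer; that is the KRPC format of the BitTorrent mainline DHT (BEP 5), and the v4:UT.. field marks a uTorrent-family client, which fits the P2P video guess. As an added example that is not part of the original post, the Python below rebuilds the 19:36:13 get_peers frame from its hex column, strips the IPv4/UDP headers and decodes the payload, so the same check can be run over any such capture to confirm it is DHT chatter rather than an attack (the helper names are the example's own).

```python
# Added example, not from the post: frame hex copied from the 19:36:13 get_peers packet above.
FRAME = bytes.fromhex(
    "4500 0086 8836 0000 7e11 8796 4007 9d0e 55e3 f9a1 caf0 43d8 0072 d4d8 6431 3a61"
    "6432 3a69 6432 303a ae0f f983 1b3b 9050 154e a711 1285 9f1f ae7e b6d8 393a 696e"
    "666f 5f68 6173 6832 303a ee65 9b99 4dd3 b549 eff7 1380 c789 3721 b7d8 6cf0 6531"
    "3a71 393a 6765 745f 7065 6572 7331 3a74 343a 9710 067c 313a 7634 3a55 545a c331"
    "3a79 313a 7165")

def udp_payload(frame):
    """Skip the IPv4 header (length from the IHL field) and the 8-byte UDP header."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    return frame[ihl + 8:ihl + int.from_bytes(frame[ihl + 4:ihl + 6], "big")]

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, offset just past the value)."""
    c = data[i:i + 1]
    if c == b"i":                               # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c.isdigit():                             # string   <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    if c not in (b"l", b"d"):
        raise ValueError("not bencode at offset %d" % i)
    out, i = ([] if c == b"l" else {}), i + 1   # list/dict: items until 'e'
    while data[i:i + 1] != b"e":
        v, i = bdecode(data, i)
        if isinstance(out, dict):
            out[v], i = bdecode(data, i)        # v was the key
        else:
            out.append(v)
    return out, i + 1

def classify_dht(payload):
    """Summarise a KRPC query/response, or return None if this is not DHT traffic."""
    try:
        msg, end = bdecode(payload)
        args = msg.get(b"a") or msg.get(b"r") or {}  # 'a' = query args, 'r' = reply values
    except (ValueError, IndexError, AttributeError):  # malformed, or top level not a dict
        return None
    if end != len(payload) or msg.get(b"y") not in (b"q", b"r") or not isinstance(args, dict):
        return None
    return {"kind": "query" if msg[b"y"] == b"q" else "response",
            "method": msg.get(b"q", b"").decode("ascii", "replace"),
            "node_id": args.get(b"id", b"").hex(), "info_hash": args.get(b"info_hash", b"").hex(),
            "client": msg.get(b"v", b"")[:2].decode("ascii", "replace")}  # "UT" = uTorrent family
```

Running classify_dht(udp_payload(FRAME)) reports a get_peers query with the node id and info_hash visible in the dump; the 19:57:18 packet that starts 4102 24f2 decodes to None, i.e. it is not KRPC.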
