[nsp-sec] Odd "attack" traffic
Kevin Oberman
oberman at es.net
Tue Dec 28 21:59:32 EST 2010
Mike and Joel,
This makes some sense. It looks like my system has been entered in some
list of servers and various systems keep trying to connect. The system
is a FreeBSD box that I am quite sure is not and never has had that port
open.
I'll see if the packets I'm getting look like what you
reported.
Thanks!
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
> Date: Tue, 28 Dec 2010 20:15:42 -0500
> From: Mike Tancsa <mike at sentex.net>
>
> On 12/28/2010 7:32 PM, Joel Rosenblatt wrote:
> > ----------- nsp-security Confidential --------
> >
> > Hi,
> >
> > My memory is not as good as it used to be, but this port sounds very
> > familiar - I am also seeing a lot of this traffic, and I believe that
> > this is a P2P video program that is used by our Asian students to watch
> > TV from their home countries.
>
> That would be my guess as well. Some example packets
>
> reading from file /tmp/udp.pcap, link-type EN10MB (Ethernet)
> 19:14:17.506754 IP (tos 0x0, ttl 126, id 31666, offset 0, flags [none],
> proto UDP (17), length 90)
> 64.7.157.19.7984 > 87.194.91.245.17368: [udp sum ok] UDP, length 62
> 0x0000: 4500 005a 7bb2 0000 7e11 300f 4007 9d13 E..Z{...~.0.@...
> 0x0010: 57c2 5bf5 1f30 43d8 0046 017f 6431 3a61 W.[..0C..F..d1:a
> 0x0020: 6432 3a69 6432 303a 9805 3c91 57a3 1431 d2:id20:..<.W..1
> 0x0030: 3eda ee63 a5ef 0d30 fee3 7a4c 6531 3a71 >..c...0..zLe1:q
> 0x0040: 343a 7069 6e67 313a 7438 3a90 9c23 dfff 4:ping1:t8:..#..
> 0x0050: 8856 2a31 3a79 313a 7165 .V*1:y1:qe
> 19:34:20.291834 IP (tos 0x0, ttl 126, id 13983, offset 0, flags [none],
> proto UDP (17), length 90)
> 64.7.157.19.7984 > 87.194.91.245.17368: [udp sum ok] UDP, length 62
> 0x0000: 4500 005a 369f 0000 7e11 7522 4007 9d13 E..Z6...~.u"@...
> 0x0010: 57c2 5bf5 1f30 43d8 0046 8d06 6431 3a61 W.[..0C..F..d1:a
> 0x0020: 6432 3a69 6432 303a 9805 3c91 57a3 1431 d2:id20:..<.W..1
> 0x0030: 3eda ee63 a5ef 0d30 fee3 7a4c 6531 3a71 >..c...0..zLe1:q
> 0x0040: 343a 7069 6e67 313a 7438 3aa6 b195 1a5b 4:ping1:t8:....[
> 0x0050: 86eb 5031 3a79 313a 7165 ..P1:y1:qe
> 19:36:13.444040 IP (tos 0x0, ttl 126, id 34870, offset 0, flags [none],
> proto UDP (17), length 134)
> 64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 106
> 0x0000: 4500 0086 8836 0000 7e11 8796 4007 9d0e E....6..~...@...
> 0x0010: 55e3 f9a1 caf0 43d8 0072 d4d8 6431 3a61 U.....C..r..d1:a
> 0x0020: 6432 3a69 6432 303a ae0f f983 1b3b 9050 d2:id20:.....;.P
> 0x0030: 154e a711 1285 9f1f ae7e b6d8 393a 696e .N.......~..9:in
> 0x0040: 666f 5f68 6173 6832 303a ee65 9b99 4dd3 fo_hash20:.e..M.
> 0x0050: b549 eff7 1380 c789 3721 b7d8 6cf0 6531 .I......7!..l.e1
> 0x0060: 3a71 393a 6765 745f 7065 6572 7331 3a74 :q9:get_peers1:t
> 0x0070: 343a 9710 067c 313a 7634 3a55 545a c331 4:...|1:v4:UTZ.1
> 0x0080: 3a79 313a 7165 :y1:qe
> 19:50:09.618130 IP (tos 0x0, ttl 114, id 21519, offset 0, flags [none],
> proto UDP (17), length 95)
> 98.114.2.27.64505 > 64.7.157.19.17368: [udp sum ok] UDP, length 67
> 0x0000: 4500 005f 540f 0000 7211 b2d7 6272 021b E.._T...r...br..
> 0x0010: 4007 9d13 fbf9 43d8 004b 8a2d 6431 3a61 @.....C..K.-d1:a
> 0x0020: 6432 3a69 6432 303a 9b73 e9b7 4e3d 9aad d2:id20:.s..N=..
> 0x0030: 2734 5c4c c4b3 9dee 3ac8 949c 6531 3a71 '4\L....:...e1:q
> 0x0040: 343a 7069 6e67 313a 7434 3ac2 0700 0031 4:ping1:t4:....1
> 0x0050: 3a76 343a 5554 5686 313a 7931 3a71 65 :v4:UTV.1:y1:qe
> 19:56:39.632253 IP (tos 0x0, ttl 113, id 27038, offset 0, flags [none],
> proto UDP (17), length 131)
> 75.5.251.1.17368 > 64.7.157.40.44666: [udp sum ok] UDP, length 103
> 0x0000: 4500 0083 699e 0000 7111 bc95 4b05 fb01 E...i...q...K...
> 0x0010: 4007 9d28 43d8 ae7a 006f 1bd1 6431 3a61 @..(C..z.o..d1:a
> 0x0020: 6432 3a69 6432 303a 8332 20c2 ddb3 8230 d2:id20:.2.....0
> 0x0030: 25a3 f895 f770 4872 33de c655 363a 7461 %....pHr3..U6:ta
> 0x0040: 7267 6574 3230 3a83 3577 2801 fe81 86f8 rget20:.5w(.....
> 0x0050: f895 0988 3e21 2ba8 5cbb ef65 313a 7139 ....>!+.\..e1:q9
> 0x0060: 3a66 696e 645f 6e6f 6465 313a 7434 3ac6 :find_node1:t4:.
> 0x0070: 6600 0031 3a76 343a 5554 4406 313a 7931 f..1:v4:UTD.1:y1
> 0x0080: 3a71 65 :qe
> 19:56:48.769898 IP (tos 0x0, ttl 126, id 28805, offset 0, flags [none],
> proto UDP (17), length 134)
> 64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 106
> 0x0000: 4500 0086 7085 0000 7e11 9f47 4007 9d0e E...p...~..G@...
> 0x0010: 55e3 f9a1 caf0 43d8 0072 599b 6431 3a61 U.....C..rY.d1:a
> 0x0020: 6432 3a69 6432 303a ae0f f983 1b3b 9050 d2:id20:.....;.P
> 0x0030: 154e a711 1285 9f1f ae7e b6d8 393a 696e .N.......~..9:in
> 0x0040: 666f 5f68 6173 6832 303a ee65 9b99 4dd3 fo_hash20:.e..M.
> 0x0050: b549 eff7 1380 c789 3721 b7d8 6cf0 6531 .I......7!..l.e1
> 0x0060: 3a71 393a 6765 745f 7065 6572 7331 3a74 :q9:get_peers1:t
> 0x0070: 343a f3dd 24ec 313a 7634 3a55 545a c331 4:..$.1:v4:UTZ.1
> 0x0080: 3a79 313a 7165 :y1:qe
> 19:56:48.886846 IP (tos 0x0, ttl 113, id 1623, offset 0, flags [none],
> proto UDP (17), length 545)
> 85.227.249.161.17368 > 64.7.157.14.51952: [udp sum ok] UDP, length 517
> 0x0000: 4500 0221 0657 0000 7111 14db 55e3 f9a1 E..!.W..q...U...
> 0x0010: 4007 9d0e 43d8 caf0 020d 509a 6431 3a72 @...C.....P.d1:r
> 0x0020: 6432 3a69 6432 303a ee65 96aa c8ea 9a88 d2:id20:.e......
> 0x0030: c6a4 3b19 df77 594a cc3c beda 353a 6e6f ..;..wYJ.<..5:no
> 0x0040: 6465 7332 3038 3aee 659b 9370 780c 96d6 des208:.e..px...
> 0x0050: 904f a63c fd07 649e 30c8 b218 0e68 7c62 .O.<..d.0....h|b
> 0x0060: caee 659f d1ff 85f9 b6dd 8a10 810f fb7e ..e............~
> 0x0070: 9af9 92b6 ad47 cce0 314e e1ee 65b0 be39 .....G..1N..e..9
> 0x0080: dbf0 e3a7 1375 5ae4 8d52 9c2c 5460 474e .....uZ..R.,T`GN
> 0x0090: 96e6 2f3d 24ee 65b7 bed6 abb3 8b80 5236 ../=$.e.......R6
> 0x00a0: 584b 520f e045 ba71 da55 f048 8c3d 13ee XKR..E.q.U.H.=..
> 0x00b0: 65b7 1bf3 21d3 fb77 e91a a0b1 c320 1300 e...!..w........
> 0x00c0: 7d47 4029 e36c 0e62 a1ee 65b4 142d 9346 }G@).l.b..e..-.F
> 0x00d0: 3cd5 2ded 807f 0389 0d88 822a f55c f498 <.-........*.\..
> 0x00e0: 477e 27ee 65ad 1baa 2929 ca7e 0d23 f42a G~'.e...)).~.#.*
> 0x00f0: 5593 13ce b237 115d 9f35 6462 cfee 65a0 U....7.].5db..e.
> 0x0100: 027d 47ce 9327 ea66 ba17 154f 3189 f88a .}G..'.f...O1...
> 0x0110: 9346 4827 376d ab35 3a74 6f6b 656e 3230 .FH'7m.5:token20
> 0x0120: 3a0c d489 cc13 caf7 fab0 2d4c fcb3 7e4a :.........-L..~J
> 0x0130: 7511 605d ef36 3a76 616c 7565 736c 363a u.`].6:valuesl6:
> 0x0140: 5590 0ddd 7df9 363a 5ac9 1476 a0f7 363a U...}.6:Z..v..6:
> 0x0150: 5615 0855 8164 363a dce9 b733 a161 363a V..U.d6:...3.a6:
> 0x0160: 40e7 99e3 6df9 363a 519f f786 d320 363a @...m.6:Q.....6:
> 0x0170: 516d 9591 f99f 363a 1b21 83b4 9fac 363a Qm....6:.!....6:
> 0x0180: 5e8a 4028 4b90 363a 5658 0ed4 7d34 363a ^.@(K.6:VX..}46:
> 0x0190: 5ac2 0148 7291 363a bc7e 101a 6099 363a Z..Hr.6:.~..`.6:
> 0x01a0: 7bd3 132d cfce 363a cbd5 1f5d 3b53 363a {..-..6:...];S6:
> 0x01b0: 56ab b68f d82f 363a 3ba7 9d7f cb20 363a V..../6:;.....6:
> 0x01c0: 1807 cbfe 8404 363a 76d0 219b 62c8 363a ......6:v.!.b.6:
> 0x01d0: 3cf2 4d85 ef3b 363a 7cb5 7406 5740 363a <.M..;6:|.t.W@6:
> 0x01e0: 8ad9 84b3 b272 363a 1b21 0298 3832 363a .....r6:.!..826:
> 0x01f0: ae40 be72 f650 363a cb7b 5833 cac4 363a .@.r.P6:.{X3..6:
> 0x0200: 5218 cd7c 655f 6565 313a 7434 3af3 dd24 R..|e_ee1:t4:..$
> 0x0210: ec31 3a76 343a 5554 57e6 313a 7931 3a72 .1:v4:UTW.1:y1:r
> 0x0220: 65 e
> 19:57:18.618404 IP (tos 0x0, ttl 114, id 10249, offset 0, flags [none],
> proto UDP (17), length 58)
> 98.114.2.27.64505 > 64.7.157.19.17368: [udp sum ok] UDP, length 30
> 0x0000: 4500 003a 2809 0000 7211 df02 6272 021b E..:(...r...br..
> 0x0010: 4007 9d13 fbf9 43d8 0026 9422 4102 24f2 @.....C..&."A.$.
> 0x0020: 2977 5a59 0000 0000 0038 0000 0001 0000 )wZY.....8......
> 0x0030: 0008 0000 0000 0000 0000 ..........
> 19:57:21.296396 IP (tos 0x0, ttl 126, id 32556, offset 0, flags [none],
> proto UDP (17), length 182)
> 64.7.157.14.51952 > 85.227.249.161.17368: [udp sum ok] UDP, length 154
> 0x0000: 4500 00b6 7f2c 0000 7e11 9070 4007 9d0e E....,..~..p@...
> 0x0010: 55e3 f9a1 caf0 43d8 00a2 c307 6431 3a61 U.....C.....d1:a
> 0x0020: 6432 3a69 6432 303a ae0f f983 1b3b 9050 d2:id20:.....;.P
> 0x0030: 154e a711 1285 9f1f ae7e b6d8 393a 696e .N.......~..9:in
> 0x0040: 666f 5f68 6173 6832 303a ee65 9b99 4dd3 fo_hash20:.e..M.
> 0x0050: b549 eff7 1380 c789 3721 b7d8 6cf0 343a .I......7!..l.4:
> 0x0060: 706f 7274 6935 3139 3532 6535 3a74 6f6b porti51952e5:tok
> 0x0070: 656e 3230 3a0c d489 cc13 caf7 fab0 2d4c en20:.........-L
> 0x0080: fcb3 7e4a 7511 605d ef65 313a 7131 333a ..~Ju.`].e1:q13:
> 0x0090: 616e 6e6f 756e 6365 5f70 6565 7231 3a74 announce_peer1:t
> 0x00a0: 343a 5943 0322 313a 7634 3a55 545a c331 4:YC."1:v4:UTZ.1
> 0x00b0: 3a79 313a 7165 :y1:qe
> 19:57:21.518164 IP (tos 0x0, ttl 113, id 3051, offset 0, flags [none],
> proto UDP (17), length 86)
> 85.227.249.161.17368 > 64.7.157.14.51952: [udp sum ok] UDP, length 58
> 0x0000: 4500 0056 0beb 0000 7111 1112 55e3 f9a1 E..V....q...U...
> 0x0010: 4007 9d0e 43d8 caf0 0042 1994 6431 3a72 @...C....B..d1:r
> 0x0020: 6432 3a69 6432 303a ee65 96aa c8ea 9a88 d2:id20:.e......
> 0x0030: c6a4 3b19 df77 594a cc3c beda 6531 3a74 ..;..wYJ.<..e1:t
> 0x0040: 343a 5943 0322 313a 7634 3a55 5457 e631 4:YC."1:v4:UTW.1
> 0x0050: 3a79 313a 7265 :y1:re
>
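The payloads in the quoted dumps are bencoded KRPC messages, the BitTorrent DHT protocol (BEP 5): the readable strings `ping`, `get_peers`, `find_node`, `announce_peer`, `info_hash`, `token` and `nodes` are its query names and fields, which fits the P2P explanation in the thread. The following Python is an added example, not code from the thread; it rebuilds the first quoted ping packet from the `tcpdump -X` text (hex lines copied from the dump above), strips the IPv4 and UDP headers, and decodes the message with a small bencode decoder of my own so the query type and node ID can be read off instead of eyeballed in the ASCII column.

```python
import re

PING_DUMP = """\
0x0000: 4500 005a 7bb2 0000 7e11 300f 4007 9d13 E..Z{...~.0.@...
0x0010: 57c2 5bf5 1f30 43d8 0046 017f 6431 3a61 W.[..0C..F..d1:a
0x0020: 6432 3a69 6432 303a 9805 3c91 57a3 1431 d2:id20:..<.W..1
0x0030: 3eda ee63 a5ef 0d30 fee3 7a4c 6531 3a71 >..c...0..zLe1:q
0x0040: 343a 7069 6e67 313a 7438 3a90 9c23 dfff 4:ping1:t8:..#..
0x0050: 8856 2a31 3a79 313a 7165 .V*1:y1:qe"""

def parse_hexdump(text):  # rebuild raw bytes from 'tcpdump -X' lines
    out = bytearray()
    for line in text.splitlines():
        tok = line.split()
        if tok and re.fullmatch(r"0x[0-9a-f]{4}:", tok[0]):
            for word in tok[1:]:
                if not re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", word):
                    break                       # reached the ASCII column
                out += bytes.fromhex(word)
    return bytes(out)

def bdecode(data, i=0):  # minimal bencode decoder -> (value, next offset)
    c = data[i:i + 1]
    if c == b"i":                               # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                       # list / dict, closed by e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                 # string  <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def describe(dump):
    """UDP ports plus KRPC message type/query name from one tcpdump -X packet."""
    raw = parse_hexdump(dump)
    assert raw[9] == 17, "not a UDP packet"      # IPv4 protocol field
    ihl, total = (raw[0] & 0x0F) * 4, int.from_bytes(raw[2:4], "big")
    udp = raw[ihl:total]
    msg, _ = bdecode(udp[8:])                   # payload follows 8-byte UDP header
    info = {"sport": int.from_bytes(udp[:2], "big"),
            "dport": int.from_bytes(udp[2:4], "big"),
            "type": msg.get(b"y", b"?").decode()}
    if info["type"] == "q":                     # query: name in q, arguments in a
        info["query"] = msg[b"q"].decode()
        info["node_id"] = msg[b"a"][b"id"].hex()
    return info
```

Feeding the other quoted dumps through `describe` gives `get_peers`, `find_node` and `announce_peer` queries and `r` responses, so a filter on `dport == 17368` can be narrowed to messages that actually decode as KRPC when deciding whether a source is a DHT peer or something else.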