Re: Weird Broadcast Traffic

From: Amin Tora (Aminat_private)
Date: Wed Apr 18 2001 - 21:31:37 PDT


    Looks like they were trying to hit all systems on your network on the
    chargen port (TCP:19, character generator).
    
    
    Amin Tora, CISSP
    ePlus Technology
    http://www.eplus.com
    NASDAQ: PLUS
    
    -----Original Message-----
    From: Mike Tibor [mailto:tiborat_private]
    Sent: Wednesday, April 18, 2001 11:43 PM
    To: INCIDENTSat_private
    Subject: Weird Broadcast Traffic
    
    
    Anyone have any idea what might cause this:
    
    Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
    194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
    Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
    194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
    
    I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt.
    
    I started seeing this stuff at about 02:30 this morning, and it lasted
    roughly 12 hours.  There were 5 unique source addresses: one from
    sprintlink.net, two in Germany, and one from Italy, however all of the
    packets show a TTL of 234.  Would this indicate the source addresses were
    likely spoofed, and the computer generating the traffic is relatively
    close (within a few hops)?
    
    I would greatly appreciate any hints or pointers anyone can give me.
    
    Thanks,
    Mike
    --
    Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
    Network Technician     Consortium Library         (907) 786-6050 fax
    tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
    http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
    
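The checks Mike asks about (every packet a UDP broadcast to port 19, and one TTL shared by all the apparent sources) can be run over the ipchains log directly. The following is an added example, not code from either poster: it parses the `Packet log:` format quoted above, estimates hop distance from the nearest common initial TTL (an assumption, since the real sender's OS is unknown), and flags the pattern; the addresses other than the quoted 194.72.6.103 are constructed documentation-range values.

```python
import re
from collections import defaultdict

# Fields of the ipchains "Packet log:" line quoted in the post (assumption: this layout is fixed).
LOG_RE = re.compile(r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*?T=(?P<ttl>\d+)")
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS default initial TTLs

def parse_line(line):
    """Return proto/src/sport/dst/dport/ttl of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl"):
        rec[key] = int(rec[key])
    return rec

def hops_estimate(ttl):
    """Smallest common initial TTL not below the observed value, and the implied hop count."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None

def analyse(lines):
    """Group packets by source; flag UDP/19 broadcasts and a TTL shared by every source."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)
    sources, ttls_seen = {}, set()
    for src, recs in by_src.items():
        ttls = {r["ttl"] for r in recs}
        ttls_seen |= ttls
        initial, hops = hops_estimate(max(ttls))
        chargen = all(r["proto"] == 17 and r["dport"] == 19 and r["dst"] == "255.255.255.255"
                      for r in recs)
        sources[src] = {"packets": len(recs), "ttls": sorted(ttls), "assumed_initial_ttl": initial,
                        "hops": hops, "chargen_broadcast": chargen}
    # Unrelated senders at different distances rarely share one exact TTL; a single TTL across
    # every source is consistent with one host forging the source addresses.
    return {"sources": sources, "single_ttl_all_sources": len(by_src) > 1 and len(ttls_seen) == 1}

# Sample input: the first line quoted in the post plus constructed lines with documentation
# addresses (192.0.2.0/24, 198.51.100.0/24) standing in for the other sources; not real data.
SAMPLE = [
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:31:10 asimov kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:33:41 asimov kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
]
```

With the usual initial value of 255, T=234 works out to 21 hops; treat that and the shared TTL as correlation hints for the incident record, not as proof of spoofing.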



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:45:08 PDT