Looks like they were trying to hit all systems on your network on the chargen port (TCP:19, character generator).

Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS

-----Original Message-----
From: Mike Tibor [mailto:tiborat_private]
Sent: Wednesday, April 18, 2001 11:43 PM
To: INCIDENTSat_private
Subject: Weird Broadcast Traffic

Anyone have any idea what might cause this:

Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)

I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt.

I started seeing this stuff at about 02:30 this morning, and it lasted roughly 12 hours. There were 5 unique source addresses: one from sprintlink.net, two in Germany, and one from Italy; however, all of the packets show a TTL of 234. Would this indicate the source addresses were likely spoofed, and the computer generating the traffic is relatively close (within a few hops)?

I would greatly appreciate any hints or pointers anyone can give me.

Thanks,
Mike

--
Mike Tibor, Univ. of Alaska Anchorage, (907) 786-1001 voice
Network Technician, Consortium Library, (907) 786-6050 fax
tiborat_private
http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key
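To work through the question in the post, here is an added example (not from either poster) that parses ipchains "Packet log" lines of the kind quoted above, confirms every packet is a UDP broadcast to port 19, and checks whether all sources share one TTL; the hop estimate assumes the sender started from the nearest common initial TTL (64, 128 or 255), which is an assumption, not something the log proves.

```python
import re

# Field layout of an ipchains "Packet log" line as quoted in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)
PROTO_NAMES = {6: "TCP", 17: "UDP"}
CHARGEN_PORT = 19
INITIAL_TTLS = (64, 128, 255)  # common OS defaults, lowest first

def parse_line(line):
    """Return the packet fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "proto": int(d["proto"]), "ttl": int(d["ttl"])}

def hops_from_ttl(ttl):
    """Hops implied by an observed TTL if the sender used the nearest common initial TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None

def summarize(lines):
    """Collect sources, protocols and TTLs of the denied packets for one quick verdict."""
    recs = [r for r in map(parse_line, lines) if r]
    ttls = sorted({r["ttl"] for r in recs})
    return {
        "packets": len(recs),
        "sources": sorted({r["src"] for r in recs}),
        "protocols": sorted({PROTO_NAMES.get(r["proto"], str(r["proto"])) for r in recs}),
        "broadcast_chargen": all(r["dst"] == "255.255.255.255"
                                 and r["dport"] == CHARGEN_PORT for r in recs),
        "ttls": ttls,
        # One TTL shared by sources on supposedly distant networks is consistent
        # with a single sender spoofing several addresses; estimate its distance.
        "hops": hops_from_ttl(ttls[0]) if len(ttls) == 1 else None,
    }

# Sample input: the two lines quoted in the post plus two constructed lines that
# use RFC 5737 documentation addresses in place of the other sources.
SAMPLE = [
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 "
    "194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 "
    "194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:31:05 asimov kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.17:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:33:41 asimov kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.51.100.9:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
]
```

On the quoted lines PROTO=17 is UDP, so the verdict reports `["UDP"]`, and a shared TTL of 234 gives 21 hops under the 255 assumption.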
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:45:08 PDT