Re: Weird Broadcast Traffic

From: Mike Tibor (tiborat_private)
Date: Thu Apr 19 2001 - 16:02:01 PDT


    On Thu, 19 Apr 2001, Crist Clark wrote:
    
    > The last router before the machine logging these would not happen to
    > be a Cisco? Would not happen to have directed broadcasts enabled?
    
    Unfortunately I don't have any control over our routers, and don't know how
    they're configured.
    
    > This looks like someone trying to UDP-chargen "smurf" 194.72.6.103. Can
    > you traceroute to that address and see if the distance jives with your
    > observation of about 11 hops (which you consider close?).
    
    That's about what I thought.  I fired up tcpdump to see which MAC address
    was generating the traffic.  Although the udp flooding had already
    stopped, I did see some new traffic with a destination address of
    255.255.255.255, and a destination port of 21/tcp (one of the recent worms
    maybe?).  Tcpdump showed the MAC address for that stuff as being the
    router's interface on my network.
    
    Mike
    --
    Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
    Network Technician     Consortium Library         (907) 786-6050 fax
    tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
    http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
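
An added example, not part of the original message: a short Python parser that tallies, per source MAC, the frames addressed to 255.255.255.255 in `tcpdump -e -n` style output, which is the check described in the message above. The sample lines, MAC addresses and IP addresses are constructed, and the line layout assumed is that of current tcpdump releases.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n` output; the MACs and IPs
# are documentation values, not data from the original post.
SAMPLE = """\
16:05:01.000001 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 198.51.100.9.1042 > 255.255.255.255.21: Flags [S], seq 100, win 512, length 0
16:05:01.200001 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 203.0.113.5.2210 > 255.255.255.255.21: Flags [S], seq 200, win 512, length 0
16:05:02.000001 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 198.51.100.9.1043 > 255.255.255.255.21: Flags [S], seq 300, win 512, length 0
16:05:03.000001 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 114: 192.0.2.20.4000 > 255.255.255.255.19: UDP, length 72
16:05:04.000001 00:00:5e:00:53:03 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40000 > 192.0.2.1.80: Flags [S], seq 400, win 512, length 0
"""

# timestamp, src MAC > dst MAC, ethertype, frame length, src IP[.port] > dst IP[.port]: rest
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def broadcast_sources(text, broadcast="255.255.255.255"):
    """Group frames sent to the limited broadcast address by source MAC."""
    seen = defaultdict(lambda: {"frames": 0, "src_ips": set(), "services": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None or m["dst"] != broadcast:
            continue  # unparsed line, or not a limited-broadcast destination
        rest = m["rest"]
        proto = "tcp" if rest.startswith("Flags [") else "udp" if rest.startswith("UDP,") else "other"
        entry = seen[m["smac"]]
        entry["frames"] += 1
        entry["src_ips"].add(m["src"])
        entry["services"].add(f"{m['dport']}/{proto}")
    return dict(seen)


if __name__ == "__main__":
    for mac, info in broadcast_sources(SAMPLE).items():
        print(mac, info["frames"], sorted(info["src_ips"]), sorted(info["services"]))
```

The source MAC is only the last layer-2 hop, so a router interface appearing here with several source IP addresses behind it points to frames forwarded onto the segment, and the originating host has to be traced on the far side of that router.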
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:15:16 PDT