Actually, it probably is kazaa. I watched a kazaa host attempt to connect to a few thousand other addresses, and actually established connections with a couple hundred. As with most p2p applications, it is extremely inefficient and relies on a large number of connections and ample bandwidth. Try watching a gnutella host do 45Mbps of outbound traffic in queries alone ;).

Hope this helps,

Nate

On Thursday 28 June 2001 03:17 pm, you wrote:
> Hi.
>
> I today installed a log watcher for our router logs - they show all
> incoming and outgoing connections, complete with source and dest
> ports, timestamps, packet count, and size - no IP flags or protocol
> info, though. :(
>
> So, the watcher alerts us if any single host tries a large (defined
> as >3000) number of connections within, say, half an hour. Most normal
> hosts don't go over about 1,000 connections in this time frame. Seems a
> decent heuristic for a first check for evildoers, it won't pick up
> "slow" scans and the like but it's a start.
>
> Which leads us to later tonight, when the watcher starts throwing
> some alerts. Seems like one of our hosts (a win2k machine if we
> believe nmap) is connecting to lots of other hosts, on port 1214.
> Approx. 25,000 connections to distinct, random-looking hosts, for
> that single port number, with a packet count of 3-4 packets each
> connection.
>
> This has been going on over a time frame of 3 hours now, and no
> signs of slowing down. Wish I could pull this thing off the net
> myself - unfortunately this will have to wait till morning :(
>
> Now, port 1214 is reserved for what is called "Intelligent
> Communications Protocol" on tcp and KAZAA on udp. I don't know what
> the first one is, I do know that Kazaa is a file sharing thingy
> though.
>
> The small packet count reminds one of a vulnerability scan. Has
> there been any vulnerability known re: kazaa (the most probable
> target)?
>
> Thank you all in advance for your time, and sorry for making such a
> lengthy post.
>
> --
> Vangelis Haniotakis - Network & Communications Centre, University of
> Crete
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

--
Nathan W. Labadie | nateat_private
Sr. Security Specialist | 313/577.2126
Wayne State University | 313/577.5626 fax
GPG Key: http://ucomm.wayne.edu/~nate/gpg_key.asc
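Added example, not code from either poster: a small Python log watcher that implements the half-hour / >3000-connection heuristic from the quoted post and adds a second check for the pattern Vangelis describes (one destination port, thousands of distinct hosts, 3-4 packets per connection), which separates a scan-like fan-out from a merely busy client. The log line format, the sample addresses and the fan-out thresholds are assumptions; only the 3000 connections / 30 minutes figures come from the post.

```python
from collections import defaultdict, deque

WINDOW_SECS = 30 * 60   # the post's half-hour window
CONN_THRESHOLD = 3000   # the post's ">3000 connections" trigger

def parse_line(line):
    # Assumed format: "<unix ts> <src> <sport> <dst> <dport> <packets> <bytes>"
    ts, src, sport, dst, dport, pkts, size = line.split()
    return int(ts), src, int(sport), dst, int(dport), int(pkts), int(size)

def connection_rate_alerts(lines, window=WINDOW_SECS, threshold=CONN_THRESHOLD):
    """{src: ts} for hosts opening more than `threshold` connections inside any
    sliding `window` seconds (lines must be in timestamp order)."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        ts, src = parse_line(line)[:2]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts           # first time the host crossed the line
    return alerts

def fan_out_alerts(lines, min_targets=1000, max_pkts=4):
    """(src, dport) pairs where one host reaches many distinct destinations on a
    single port with only a few packets per connection: the 'thousands of hosts,
    port 1214, 3-4 packets each' pattern. A normal client has few peers and
    longer flows, so it does not trip this even if it is chatty."""
    targets, tiny = defaultdict(set), defaultdict(int)
    for line in lines:
        _, src, _, dst, dport, pkts, _ = parse_line(line)
        targets[(src, dport)].add(dst)
        tiny[(src, dport)] += pkts <= max_pkts
    return sorted(k for k, dsts in targets.items()
                  if len(dsts) >= min_targets and tiny[k] >= 0.9 * len(dsts))

def sample_log():
    """Constructed data: 10.0.0.5 hits 3500 distinct hosts on port 1214 with 3
    packets each in about 20 minutes; 10.0.0.9 is an ordinary web client."""
    lines = [f"{1_000_000 + i // 3} 10.0.0.5 {1024 + i} 172.{16 + i // 250}.{i % 250 + 1}.10 1214 3 180"
             for i in range(3500)]
    lines += [f"{1_000_000 + i * 6} 10.0.0.9 {2000 + i} 192.0.2.{i % 250 + 1} 80 12 9000"
              for i in range(200)]
    return sorted(lines, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    log = sample_log()
    print("rate alerts:", connection_rate_alerts(log))   # {'10.0.0.5': 1001000}
    print("fan-out alerts:", fan_out_alerts(log))        # [('10.0.0.5', 1214)]
```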
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 14:23:34 PDT