Possible Worm: UDP Source port 770

From: Byrne Ghavalas (byrne.ghavalasat_private)
Date: Mon Feb 25 2002 - 04:11:41 PST


    Hi All,
    
    I have gone through the archives and searched the 'Net, but am unable to
    locate any further information with regards to these strange packets -
    perhaps you fine people could be of assistance. :-)
    
    1. I was called in to analyse a customer's network. They couldn't understand
    why network connections kept failing and machines dropped out of the network.
    They eventually found that by removing the MS-Proxy server from the network,
    the problems were 'resolved'.
    
    2. They rebuilt the server using a different machine and clean media from
    original CDs. A day and a half later, the problem re-appeared - again
    corrected by unplugging the machine from the network.
    
    3. I analysed the machine, but found nothing obvious. I decided to sniff the
    TCP/IP traffic from the Proxy server and found:
    
    3.1 Intermittently, 5 UDP packets were sent with Source port of 770 and
    consecutive destination ports, with a directed-broadcast address as the
    destination.
    
    3.2 The starting destination port number would be different for each burst
    of packets. For example, first burst would have destination ports as
    follows: 63451, 63452, 63453, 63454, 63455;  the next burst would be 37201,
    37202, 37203, 37204, 37205.
    
    3.3 The payload was always 28 bytes.
    
    3.4 I noticed that the packets were always sent after a legitimate UDP
    packet had been sent by the host, and the destination address of these UDP
    packets was always that of the legitimate UDP packet. For example, if a
    BROWSER announcement was sent out to the directed-broadcast address, then
    the UDP:770 packets would be sent out (to the same broadcast address). [I
    later found that this pattern also applied when the destination was a
    specific IP address - the UDP:770 packets were also fired off at the
    specific IP address.]
    
    3.5 When the proxy is plugged onto the network, I noticed that it ARP'ed
    for its own IP address, after which a barrage of packets hit the network.
    (I was sniffing a switched network, plugged into a hub - so only saw local
    traffic and the broadcast traffic.) After a few minutes, machines started to
    drop off the network!
    
    3.6 I had baselined the network prior to plugging the proxy in and found no
    evidence of these strange UDP packets - they only started when the box was
    plugged into the network.  Also, as soon as the box was unplugged, UDP
    activity appeared to cease - almost immediately!
    
    3.7 Some of the machines appeared to have a 'conversation' between
    themselves and the broadcast address.
    
    This is pretty much what I have so far.  (I don't think that it makes any
    difference - but you may like to know that the proxy server was acting as a
    caching proxy and sits behind a firewall.)
    
    I would appreciate any comments / suggestions, and useful insights.
    If you require any further information, let me know and I will see what I
    can do.
    
    Kind regards,
    
    Byrne Ghavalas
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
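The traffic pattern described in points 3.1 to 3.4 can be turned into a simple detection over a stream of UDP datagram records. The following is an added example and not code from the original post; the record layout (`Pkt`), the addresses and the capture contents are constructed to mirror the reported behaviour.

```python
# Added example (not from the post): flag the UDP burst pattern described
# above. Packet records and addresses below are constructed test data.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport plen")   # one UDP datagram

SUSPECT_SPORT, SUSPECT_PLEN, BURST_LEN = 770, 28, 5


def find_bursts(packets, burst_len=BURST_LEN):
    """Return one finding per run of `burst_len` UDP datagrams that share
    src/dst, use source port 770, carry 28 bytes and step dport by one.
    Each finding also names the source port of the last non-770 datagram
    sent to the same destination, the 'trigger' the post describes."""
    findings, last_legit, i = [], {}, 0
    while i < len(packets):
        p = packets[i]
        if p.sport != SUSPECT_SPORT:          # legitimate traffic: remember it
            last_legit[p.dst] = p
            i += 1
            continue
        run, j = [p], i + 1
        while (j < len(packets) and len(run) < burst_len
               and packets[j].sport == SUSPECT_SPORT
               and (packets[j].src, packets[j].dst) == (p.src, p.dst)
               and packets[j].plen == SUSPECT_PLEN
               and packets[j].dport == run[-1].dport + 1):
            run.append(packets[j])
            j += 1
        if len(run) == burst_len and p.plen == SUSPECT_PLEN:
            trig = last_legit.get(p.dst)
            findings.append({"src": p.src, "dst": p.dst,
                             "dports": [r.dport for r in run],
                             "trigger_sport": trig.sport if trig else None})
        i = j                                  # skip past the run, flagged or not
    return findings

# Constructed capture: a BROWSER announcement, then the 770 burst to the same
# broadcast address; a name query to one host, then a burst aimed at it; and
# a single stray 770 datagram that must not be flagged.
SAMPLE = [Pkt("10.0.0.5", "10.0.0.255", 138, 138, 201)]
SAMPLE += [Pkt("10.0.0.5", "10.0.0.255", 770, d, 28) for d in range(63451, 63456)]
SAMPLE += [Pkt("10.0.0.5", "10.0.0.9", 137, 137, 50)]
SAMPLE += [Pkt("10.0.0.5", "10.0.0.9", 770, d, 28) for d in range(37201, 37206)]
SAMPLE += [Pkt("10.0.0.7", "10.0.0.255", 770, 1000, 28)]

if __name__ == "__main__":
    for f in find_bursts(SAMPLE):
        print(f)
```

Feeding real capture records into `find_bursts` only requires mapping each datagram onto the `Pkt` fields; the check on the preceding legitimate datagram is what separates this pattern from an unrelated port scan.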