I'm taking a wild guess here, but the only thing I could think it could be is a DOS attack - the data doesn't seem to do anything, or send any useful data - many standard distribution DOS and DDOS attack tools just fire "junk" data at the target, perhaps this is what is happening to your client...

Hamish Stanaway

-= KoRe WoRkS =-
Internet Security
Owner/Operator
http://www.koreworks.com/
New Zealand

Is your box REALLY secure?

>From: Arnold Yancha <alyanchaat_private>
>To: incidentsat_private
>Subject: UDP flood on port 2001
>Date: Tue, 10 Sep 2002 11:05:20 +0800
>
>Hi,
>
>Anyone seen this kind of UDP traffic? A client has been complaining that
>their bandwidth has been eaten significantly by this type of traffic. I
>haven't seen any solid reference to it in google. Maybe somebody on this
>list can shed some light on this. Thanks.
>
>-arnold
>
> 1 0.000000 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 45 52 00 00 37 11 8a 18 3f d9 1a 23 xx xx .DER..7...?..#.W
>0020 xx eb 07 d1 07 d1 00 30 93 14 26 00 00 00 73 bd .......0..&...s.
>0030 ff 37 28 00 00 00 9e ad cf f4 05 00 00 00 00 00 .7(.............
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 2 0.003603 63.217.26.35 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 45 da 00 00 37 11 89 8d 3f d9 1a 23 xx xx .HE...7...?..#.W
>0020 xx ea 07 d1 07 d1 00 34 ed b5 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
> 3 0.007376 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 ae 8c 00 00 37 11 20 e7 3f d9 1a 1a xx xx .D....7. .?....W
>0020 xx eb 07 d1 07 d1 00 30 13 40 26 00 00 00 bb 78 .......0.@&....x
>0030 27 4a 28 00 00 00 4e da 2f d8 05 00 00 00 00 00 'J(...N./.......
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 4 0.010812 63.217.26.26 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 44 ae bc 00 00 37 11 20 b7 3f d9 1a 1a xx xx .D....7. .?....W
>0020 xx eb 07 d1 07 d1 00 30 67 38 26 00 00 00 9d 46 .......0g8&....F
>0030 ea 7d 28 00 00 00 16 30 6f 88 05 00 00 00 00 00 .}(....0o.......
>0040 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t.............
>0050 00 00 ..
>
> 5 0.013111 63.217.26.35 -> xxx.xxx.xxx.235 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 45 ec 00 00 37 11 89 7a 3f d9 1a 23 xx xx .HE...7..z?..#.W
>0020 xx eb 07 d1 07 d1 00 34 ed b4 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
> 6 0.013115 63.217.26.26 -> xxx.xxx.xxx.234 UDP Source port: 2001 Destination port: 2001
>
>0000 00 00 00 00 00 01 00 03 fe 34 28 20 08 00 45 00 .........4( ..E.
>0010 00 48 b0 24 00 00 37 11 1f 4c 3f d9 1a 1a xx xx .H.$..7..L?....W
>0020 xx ea 07 d1 07 d1 00 34 ed be 26 00 00 00 16 65 .......4..&....e
>0030 5e 09 2c 00 00 00 b1 35 dd 85 05 00 00 00 00 00 ^.,....5........
>0040 00 00 71 00 00 00 00 00 00 00 04 00 00 00 00 00 ..q.............
>0050 00 00 c3 da ba ea ......
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
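Added example, not part of the thread: one way to triage a capture in the dump layout quoted above is to decode each frame and check whether the same UDP payload recurs across datagrams and sources. The frames, the 192.0.2.x addresses and the function names are constructed for illustration; the code assumes Ethernet II/IPv4 framing and that only destination-address bytes are redacted as "xx".

```python
import re
from collections import defaultdict

# Constructed capture in the quoted dump layout; "xx" marks redacted bytes.
SAMPLE = """\
0000 02 00 00 00 00 01 02 00 00 00 00 02 08 00 45 00 ..............E.
0010 00 24 00 01 00 00 40 11 00 00 c0 00 02 0a xx xx .$....@.........
0020 xx 07 07 d1 07 d1 00 10 00 00 26 00 00 00 05 00 ..........&.....
0030 61 62 ab
0000 02 00 00 00 00 01 02 00 00 00 00 02 08 00 45 00 ..............E.
0010 00 24 00 02 00 00 40 11 00 00 c0 00 02 14 xx xx .$....@.........
0020 xx 07 07 d1 07 d1 00 10 00 00 26 00 00 00 05 00 ..........&.....
0030 61 62 ab
0000 02 00 00 00 00 01 02 00 00 00 00 02 08 00 45 00 ..............E.
0010 00 24 00 03 00 00 40 11 00 00 c0 00 02 0a xx xx .$....@.........
0020 xx 07 07 d1 07 d1 00 10 00 00 26 00 00 00 07 00 ..........&.....
0030 63 64 cd
"""

def parse_dump(text):
    """Split a hex dump into frames; each byte is an int, or None for 'xx'."""
    frames = []
    for line in text.splitlines():
        m = re.match(r">?\s*([0-9a-f]{4}) (.+)$", line)
        if not m:
            continue
        if m.group(1) == "0000" or not frames:
            frames.append([])
        for tok in m.group(2).split()[:16]:
            if not re.fullmatch(r"[0-9a-f]{2}|xx", tok):
                break  # reached the ASCII column
            frames[-1].append(None if tok == "xx" else int(tok, 16))
    return frames

def udp_info(f):
    """Decode Ethernet II / IPv4 / UDP, or return None for anything else."""
    if len(f) < 42 or f[12:14] != [8, 0] or f[23] != 17:
        return None
    udp = 14 + (f[14] & 0x0F) * 4
    end = 14 + (f[16] << 8 | f[17])  # IP total length drops ASCII spill-over
    ip = lambda b: ".".join("xxx" if x is None else str(x) for x in b)
    return {"src": ip(f[26:30]), "dst": ip(f[30:34]), "payload": bytes(f[udp + 8:end]),
            "sport": f[udp] << 8 | f[udp + 1], "dport": f[udp + 2] << 8 | f[udp + 3]}

def repeated_payloads(text):
    """Map payload hex -> sources, for payloads carried by 2+ datagrams."""
    seen = defaultdict(list)
    for info in filter(None, map(udp_info, parse_dump(text))):
        seen[info["payload"].hex()].append(info["src"])
    return {p: s for p, s in seen.items() if len(s) > 1}
```

`repeated_payloads(SAMPLE)` reports the one payload that two different sources sent; a payload that keeps recurring is a stable byte pattern to match on when filtering or rate-limiting the traffic upstream.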
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 16:31:10 PDT