Security Incidents: UDP echo packets from 1 dec until present

From: Jose Nazario <jose_at_BIOCSERVER.BIOC.CWRU.EDU>
Date: Wed, 6 Dec 2000 12:46:59 -0500

hi all,

i've been receiving a handful of UDP echo packets on an email server since
december 1, consistently from the same IP address. so far it hasn't caused
any performance problems (i.e. no floods), and they're being blocked. i'm at
a loss, though, to figure out why this trickle of packets would be found.
it doesn't make sense from a Firewalk point of view, as most sites block
echo (both tcp and udp) on their borders. it doesn't make sense from the
standpoint of detecting hosts, either, for that very reason. and the
trickle seems like a very poorly done DDoS, which seems to rule that out
(unless we assume super stupid attackers).

any input would be welcome. these are the only connections i have from
that IP (from xinetd logs):

00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
00/12/1@11:54:48: FAIL: echo-dgram address from=169.254.97.28
00/12/1@14:59:32: FAIL: echo-dgram address from=169.254.97.28
00/12/1@15:09:58: FAIL: echo-dgram address from=169.254.97.28
00/12/1@15:54:13: FAIL: echo-dgram address from=169.254.97.28
00/12/1@16:09:54: FAIL: echo-dgram address from=169.254.97.28
00/12/1@16:54:42: FAIL: echo-dgram address from=169.254.97.28
00/12/1@18:14:09: FAIL: echo-dgram address from=169.254.97.28
00/12/2@10:13:35: FAIL: echo-dgram address from=169.254.97.28
00/12/2@10:20:29: FAIL: echo-dgram address from=169.254.97.28
00/12/2@11:37:33: FAIL: echo-dgram address from=169.254.97.28
00/12/2@16:14:34: FAIL: echo-dgram address from=169.254.97.28
00/12/2@21:03:30: FAIL: echo-dgram address from=169.254.97.28
00/12/3@15:49:36: FAIL: echo-dgram address from=169.254.97.28
00/12/4@09:07:02: FAIL: echo-dgram address from=169.254.97.28
00/12/4@09:17:13: FAIL: echo-dgram address from=169.254.97.28
00/12/4@13:41:22: FAIL: echo-dgram address from=169.254.97.28
00/12/5@08:06:59: FAIL: echo-dgram address from=169.254.97.28
00/12/5@09:55:35: FAIL: echo-dgram address from=169.254.97.28
00/12/5@11:37:08: FAIL: echo-dgram address from=169.254.97.28
00/12/5@12:25:36: FAIL: echo-dgram address from=169.254.97.28
00/12/5@13:00:57: FAIL: echo-dgram address from=169.254.97.28
00/12/5@13:15:30: FAIL: echo-dgram address from=169.254.97.28
00/12/5@15:42:36: FAIL: echo-dgram address from=169.254.97.28

____________________________
jose nazario jose_at_cwru.edu
                           PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
Received on Dec 09 2000
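Added example (not part of the post or of xinetd): a small triage script for the kind of xinetd access-control log shown above. It parses `FAIL: <service> address from=<ip>` lines, groups them by source and service, measures how tightly the hits are spaced, and classifies the source address with the standard library's `ipaddress` module. The sample log embedded below is constructed from a few of the lines in the post; the regex also accepts the archive's `_at_` spelling of `@` so lines can be pasted straight from the list archive.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in xinetd's "yy/mm/d@HH:MM:SS: FAIL: <service> address from=<ip>"
# log format, taken from a few of the lines quoted in the post.
SAMPLE_LOG = """\
00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
00/12/1@11:54:48: FAIL: echo-dgram address from=169.254.97.28
00/12/1@14:59:32: FAIL: echo-dgram address from=169.254.97.28
00/12/2@10:13:35: FAIL: echo-dgram address from=169.254.97.28
00/12/2@10:20:29: FAIL: echo-dgram address from=169.254.97.28
"""

# "@" in real xinetd output; "_at_" is how the list archive rewrites it.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{1,2}/\d{1,2})(?:@|_at_)(?P<time>\d{2}:\d{2}:\d{2}): "
    r"FAIL: (?P<service>\S+) address from=(?P<src>[\d.]+)$"
)


def parse_line(line):
    """Return a dict for one FAIL line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%y/%m/%d %H:%M:%S")
    return {"ts": ts, "service": m["service"],
            "src": ipaddress.ip_address(m["src"])}


def classify_source(addr):
    """Coarse label for where a source address could legitimately come from."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:        # 169.254.0.0/16: never valid across a routed path
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:           # RFC 1918 space
        return "private"
    return "global"


def summarize(log_text):
    """Group FAIL events by (source, service) and describe their timing."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["service"])].append(e["ts"])

    report = {}
    for (src, service), stamps in buckets.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[(str(src), service)] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "days_seen": len({t.date() for t in stamps}),
            "min_gap_s": min(gaps) if gaps else None,
            "source_class": classify_source(src),
        }
    return report


if __name__ == "__main__":
    for (src, service), info in summarize(SAMPLE_LOG).items():
        print(f"{src:16} {service:12} hits={info['count']:3} "
              f"days={info['days_seen']} min_gap={info['min_gap_s']}s "
              f"class={info['source_class']}")
```

A handful of hits per day with gaps of minutes to hours, as here, is far below anything that would register as a flood, which matches the poster's observation; the more useful signal from this output is the source class. 169.254.0.0/16 is the IPv4 link-local range, which is not routable, so a public mail server should never see it as a source address from across the Internet: either the packets are spoofed, or they originate from a host on a directly attached segment that has fallen back to an auto-configured address. Checking the layer-2 address on a packet capture is the quickest way to tell the two apart.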
