Security Incidents mailing list archives

Re: UDP flood 28001-28003
From: rw () ANOTHER DE (Rainer Weikusat)
Date: Wed, 8 Mar 2000 15:15:30 +0100


George <greerga () ENTROPY MUC MUOHIO EDU> writes:
I don't remember anything close to this lately, nor do I see it in the past
two months on a cursory check, so:

Anyone know what it could've been?

Sample lines:

Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001
xxx.yyy.zzz.aaa:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)

[...]

The three I checked out were all Windows 95/98/NT.

We've had the same effect over here solely to port 28800 for hours on
end (ISDN link, so this was rather expensive :-(). All machines that I
could lay my hands on were running something announcing itself as
'SMTP service listening' on port 25. I suppose this to be a stupid
misconfiguration of something which possibly hit the net last November
(that's when it started). Some random document on the web I came
across a while back listed UDP 28800 as 'Windows key exchange', but I
don't know if there is a relation.

| Feb 29 17:30:06 tor kernel: Packet log: udp_in DENY ippp0
          ^^ CET
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=23454 F=0x0000 T=107 (#5)
|
| Feb 29 17:30:16 tor kernel: Packet log: udp_in DENY ippp0
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=54942 F=0x0000 T=107 (#5)
|
| Feb 29 17:30:26 tor kernel: Packet log: udp_in DENY ippp0
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=23455 F=0x0000 T=107 (#5)

That's how it started last time, then continued for three hours.

Rainer

--
- sig lost -
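
An added example, not part of the original message: a Python parser for the Linux kernel "Packet log" records (the ipchains log format) quoted above, grouping them per flow to show packet count, bytes, TTLs and inter-arrival gaps. The names `parse`, `summarize` and the `year` default are assumptions; the sample is the three records from the message with the annotation and separator lines omitted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout as it appears in the quoted "Packet log" records.
RECORD = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=\S+\s+I=(?P<ipid>\d+)\s+F=\S+\s+T=(?P<ttl>\d+)"
)

# The three records from the message, still mail-quoted and line-wrapped.
SAMPLE = """\
| Feb 29 17:30:06 tor kernel: Packet log: udp_in DENY ippp0
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=23454 F=0x0000 T=107 (#5)
| Feb 29 17:30:16 tor kernel: Packet log: udp_in DENY ippp0
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=54942 F=0x0000 T=107 (#5)
| Feb 29 17:30:26 tor kernel: Packet log: udp_in DENY ippp0
| PROTO=17 210.234.43.54:28800 62.157.28.182:28800
| L=32 S=0x00 I=23455 F=0x0000 T=107 (#5)
"""

def parse(text, year=2000):
    # Syslog timestamps carry no year, so it is supplied by the caller
    # (assumed 2000 here; without a leap year "Feb 29" would not parse).
    # Drop mail quote markers and rejoin records wrapped across lines.
    flat = " ".join(line.lstrip("|> ").strip() for line in text.splitlines())
    for m in RECORD.finditer(flat):
        rec = m.groupdict()
        rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        yield rec

def summarize(records):
    # Group by (proto, src, dst, dport); gaps assume records are in log order.
    flows = defaultdict(list)
    for r in records:
        flows[(r["proto"], r["src"], r["dst"], r["dport"])].append(r)
    return {
        key: {
            "packets": len(recs),
            "bytes": sum(int(r["length"]) for r in recs),
            "ttls": sorted({int(r["ttl"]) for r in recs}),
            "gaps": [(b["time"] - a["time"]).total_seconds()
                     for a, b in zip(recs, recs[1:])],
        }
        for key, recs in flows.items()
    }
```

A single source with a constant TTL and evenly spaced gaps, as in these three records, reads as one host retrying on a timer rather than many hosts flooding.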


