Security Incidents mailing list archives
Re: UDP flood 28001-28003
From: peanutbadr () HOTMAIL COM (Andrew Badr)
Date: Wed, 8 Mar 2000 21:12:00 PST
These ports are used by servers for the very popular online game "Starsiege: Tribes". They may have some other use, but not that I know of.
From: George <greerga () ENTROPY MUC MUOHIO EDU>
Reply-To: George <greerga () ENTROPY MUC MUOHIO EDU>
To: INCIDENTS () SECURITYFOCUS COM
Subject: UDP flood 28001-28003
Date: Wed, 8 Mar 2000 02:27:48 -0500

I don't remember anything close to this lately, nor do I see it in the past two months on a cursory check, so:

Anyone know what it could've been?

Sample lines:

Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001 xxx.yyy.zzz.aaa:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
Packet log: input ACCEPT eth0 PROTO=17 204.196.178.73:28001 xxx.yyy.zzz.aaa:2583 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
Packet log: input ACCEPT eth0 PROTO=17 158.155.0.12:28001 xxx.yyy.zzz.aaa:2581 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)

From Mar 7 21:29:24 to Mar 8 01:19:33, I was flooded on ports 28001, 28002, 28003 with UDP traffic.

The network addresses/ports were (uniq -c):

Hosts resolve to:

The three I checked out were all Windows 95/98/NT. Two were pegged by queso guessing on a closed port and the third was running IIS/4.0.

-George Greer
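The per-endpoint count that the quoted message produced with uniq -c can be rebuilt directly from the packet-log lines. The following is an added example, not code from either poster: it parses lines in the layout of the sample lines above and tallies UDP packets whose source port is 28001-28003. The function names are hypothetical and the input lines are constructed, using documentation address ranges rather than the hosts named in the thread.

```python
import re
from collections import Counter

# Layout of the "Packet log" sample lines quoted in the post (L= is read as packet length).
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
)

def parse(lines):
    """Yield one dict per line that matches the packet-log layout."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("proto", "sport", "dport", "length", "ttl"):
                rec[key] = int(rec[key])
            yield rec

def summarize(lines, proto=17, sports=range(28001, 28004)):
    """Count packets per source endpoint for one protocol and source-port range."""
    per_endpoint, dports, total = Counter(), set(), 0
    for rec in parse(lines):
        if rec["proto"] == proto and rec["sport"] in sports:
            per_endpoint[(rec["src"], rec["sport"])] += 1
            dports.add(rec["dport"])
            total += rec["length"]
    return {"per_endpoint": per_endpoint, "dports": sorted(dports),
            "hosts": len({src for src, _ in per_endpoint}), "bytes": total}

# Constructed sample input; the masked destination is kept as the post wrote it.
SAMPLE = """\
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:28001 203.0.113.5:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:28001 203.0.113.5:2578 L=439 S=0x00 I=34504 F=0x0000 T=115 (#22)
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:28002 203.0.113.5:2579 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
Packet log: input ACCEPT eth0 PROTO=17 198.51.100.7:28001 xxx.yyy.zzz.aaa:2583 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:80 203.0.113.5:1025 L=60 S=0x00 I=1201 F=0x4000 T=52 (#22)
Packet log: input ACCEPT eth0 PROTO=17 198.51.100.53:53 203.0.113.5:1030 L=120 S=0x00 I=881 F=0x0000 T=60 (#22)
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (src, sport), n in sorted(result["per_endpoint"].items()):
        print(f"{n:7d} {src}:{sport}")
    print(result["hosts"], "hosts,", result["bytes"], "bytes, dst ports", result["dports"])
```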