Security Incidents mailing list archives
Re: UDP Traceroutes?
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Mon, 19 Mar 2001 11:44:32 -0500
Yes, sorry, forgot to mention that. TTL=1. Could this be similar to firewalk? But why look for UDP ports between 90 and 111? Any vulnerable services there?

[**] IDS03 - MISC-Traceroute UDP [**]
03/17-17:39:15.881480 128.9.160.210:3675 -> a.b.c.4:96
UDP TTL:1 TOS:0x0 ID:33310 IpLen:20 DgmLen:38
Len: 18
11 11 BC DF B3 3A F2 33 0E 00                    .....:.3..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS03 - MISC-Traceroute UDP [**]
03/17-09:14:42.621177 192.88.114.82:48617 -> z.b.c.4:89
UDP TTL:1 TOS:0x0 ID:48627 IpLen:20 DgmLen:40
Len: 20
0A 0A 00 00 53 71 B3 3A 33 E3 0C 00              ....Sq.:3...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-----Original Message-----
From: Lampe, John W. [mailto:JWLAMPE () GAPAC com]
Sent: Monday, March 19, 2001 11:38 AM
To: Portnoy, Gary
Cc: 'INCIDENTS () SECURITYFOCUS COM'
Subject: RE: UDP Traceroutes?

Hi Gary,

Do you see ttl values=1 in the IP headers to imply that this is a traceroute-like scan? The fact that the dest ports are incrementing looks more like a port scan than a traceroute.

John Lampe

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () BELENOSINC COM]
Sent: Monday, March 19, 2001 10:43 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: UDP Traceroutes?

Hello,

In the last few days I've noticed a few interesting anomalies which look like they could be a particular breed of traceroute, but I didn't want to just discount them as that. Traceroute's default destination is port UDP 33434 increasing by one with every packet sent. I've been seeing various sources tracerouting to me with destination ports below 111 and always terminating at 111. They usually reach me with dest port somewhere in the 90's and always increase till 111 (UDP). The sources are 128.9.160.210, 141.213.10.128, 192.88.114.82, 193.10.66.138. See below:
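
One way to triage alerts like those quoted in this thread, added here as an example and not code from any of the posters: it groups TTL=1 UDP alerts by source and separates port runs that start at the traceroute default 33434 from runs that step through low ports. The label names, the one-line sample alerts and the documentation addresses in them are constructed assumptions.

```python
import re
from collections import defaultdict

TRACEROUTE_BASE_PORT = 33434  # UDP traceroute default port, as stated in the thread

# Header fields of a Snort UDP alert in the layout quoted in the thread.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+\S+:(?P<dport>\d+)\s+"
    r"UDP\s+TTL:(?P<ttl>\d+)"
)

# Constructed sample alerts (documentation addresses, not data from the thread).
SAMPLE = """\
03/17-10:00:01.000001 192.0.2.10:40000 -> 203.0.113.4:109 UDP TTL:1 TOS:0x0
03/17-10:00:02.000001 192.0.2.10:40000 -> 203.0.113.4:110 UDP TTL:1 TOS:0x0
03/17-10:00:03.000001 192.0.2.10:40000 -> 203.0.113.4:111 UDP TTL:1 TOS:0x0
03/17-10:00:04.000001 198.51.100.7:50000 -> 203.0.113.4:33434 UDP TTL:1 TOS:0x0
03/17-10:00:05.000001 198.51.100.7:50000 -> 203.0.113.4:33435 UDP TTL:1 TOS:0x0
03/17-10:00:06.000001 198.51.100.7:50000 -> 203.0.113.4:33436 UDP TTL:1 TOS:0x0
03/17-10:00:07.000001 192.0.2.99:53000 -> 203.0.113.4:53 UDP TTL:64 TOS:0x0
"""

def parse_alerts(text):
    """Return (timestamp, src, dport, ttl) for every UDP alert found in text."""
    return [(m["ts"], m["src"], int(m["dport"]), int(m["ttl"]))
            for m in ALERT_RE.finditer(text)]

def classify_sources(text):
    """Map each source of TTL=1 probes to (label, first_port, last_port)."""
    ports = defaultdict(list)
    for ts, src, dport, ttl in sorted(parse_alerts(text)):  # time order
        if ttl == 1:
            ports[src].append(dport)
    verdicts = {}
    for src, seq in ports.items():
        # A run is "stepping" when every probe is one port above the previous.
        stepping = len(seq) > 1 and all(b - a == 1 for a, b in zip(seq, seq[1:]))
        if not stepping:
            label = "ttl1-single-or-irregular"   # hypothetical label
        elif seq[0] >= TRACEROUTE_BASE_PORT:
            label = "classic-traceroute"         # hypothetical label
        else:
            label = "ttl1-low-port-sweep"        # hypothetical label
        verdicts[src] = (label, seq[0], seq[-1])
    return verdicts
```
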