Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

UDP destination port 0 probes

From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 17 Nov 2003 21:09:07 -0500
We had an incident of several hundred of packets like the one below
coming in, nearly simultaneously from multiple sources.  My guess is
that most of the sources are spoofed.  It swept several class C networks
in a few minutes.  Targets appear to be valid name servers.  The same
spoofed IP's were used as sources on each scanned class C.

Is this known traffic of some sort?  Is there a new worm running around?
Have I missed something everyone else already knows about?

Generated by ACID v0.9.6b23 on Mon, 17 Nov 2003 21:04:14 -0500

------------------------------------------------------------------------
------
#(3 - 356) [2003-11-17 19:53:50] nessus[cve/CVE-1999-0675]
[icat/CVE-1999-0675] [snort/525]  BAD-TRAFFIC udp port 0 traffic

IPv4: 66.119.33.133 -> X.X.X.112
      hlen=5 TOS=0 dlen=64 ID=45750 flags=0 offset=0 TTL=1 chksum=25982
UDP:  port=53 -> dport: 0 len=44
Payload:  length = 36

000 : B2 B6 80 81 00 00 00 00 00 00 00 00 00 00 00 00   ................
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
020 : 00 00 00 00                                       ....
------------------------------------------------------------------------
------


**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: