Security Incidents mailing list archives
RE: UDP Port Sweep question
From: Jack McCarthy <security.lists () jackmccarthy com>
Date: Wed, 29 Dec 2004 11:57:55 -0800 (PST)
Looks like you're seeing typical traceroute traffic. Google for traceroute and those UDP port #'s and you should get some good results. Here are just two results from the search:

http://www.freesoft.org/CIE/Topics/54.htm
http://preview.samspade.org/d/faq#traceroute-luser

-Jack

--- Billy Dodson <billy () pmm-i com> wrote:
Here is some more info regarding the port sweeps. The port the client is being hit on seems to vary. The client is being hit on the same 8-port range from each IP, ports 33434-33460. All 3 sensors from the 3 different clients show the same destination port range. The sensors are Cisco IDS sensors and I am unsure as to how to get the actual packet from the event.

-----Original Message-----
From: Don Parker [mailto:dparker () bridonsecurity com]
Sent: Tuesday, December 28, 2004 5:12 PM
To: incidents () securityfocus com; 'Billy Dodson'
Subject: Re: UDP Port Sweep question

Hello Billy,

Might I suggest you post some of the packets here? It is hard to make judgement calls without something to look at. Just sanitize the IPs prior to posting the packets.

Cheers,
Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Tue, 28 Dec 2004 22:31 , 'Billy Dodson' <CraftedPacket () securitynerds org> sent:

I monitor 3 different sensors which are continuously pounded with network reconnaissance of all types. These sensors all belong to financial institutions. One thing that jumped out at me are "UDP Port Sweep" events from about 15 different IP addresses which all belong to either IBM or Sequent (which was bought by IBM). I see these same IP addresses doing the same thing on all three sensors. I have contacted the clients and they do not deal with IBM or Sequent in any way. Are there legitimate types of traffic that would cause these events to fire? It is odd to me that I see them on all 3 sensors for 3 different companies, but all happen to be in the financial industry.

Thanks in advance for your input.
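The reason Jack's answer fits is the shape of classic UDP traceroute: it sends small datagrams to destination port 33434 (32768 + 666), bumps the port once per probe, sends three probes per TTL and walks the TTL up from 1. A sensor sitting at the destination's network edge therefore sees a run of consecutive high UDP ports, and the TTL it observes (sent TTL minus the hop count) is tiny for the first probe that arrives and steps up once every few probes. A sweep that is genuinely hunting for UDP services has none of that structure. The script below is an added example, not code from the thread or from any Cisco tool: it classifies per-pair UDP flow records as traceroute or port sweep on exactly those features. The flow records, the port window, the payload bound and the `Flow` field names are all constructed assumptions for the example.

```python
"""Separate traceroute probes from a real UDP port sweep in flow records.

Added example, not part of the original thread. Classic traceroute probes:
UDP, tiny payload, dport = 33434 + probe_index, three probes per TTL,
TTL 1 upward. Observed at the destination, the first probe that gets
through has nearly exhausted its TTL, and later probes show a TTL that
rises by one per group of three ports.
"""
from collections import defaultdict
from dataclasses import dataclass

TRACEROUTE_BASE = 33434
# Port window most IDS rules treat as "traceroute ports" (base + 100 covers
# 30 hops x 3 probes). Assumption for this example; tune to your sensor.
TRACEROUTE_WINDOW = range(TRACEROUTE_BASE, TRACEROUTE_BASE + 101)
MAX_TRACEROUTE_PAYLOAD = 64  # classic probes carry ~32 bytes (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int      # TTL as seen by the sensor, not as sent
    payload: int  # UDP payload length in bytes


def group_flows(flows):
    """Bucket UDP flows by (src, dst); the heuristic works per pair."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "udp":
            by_pair[(f.src, f.dst)].append(f)
    return by_pair


def classify_pair(flows):
    """Return 'traceroute', 'udp_port_sweep' or 'insufficient' for one pair."""
    if len(flows) < 3:
        return "insufficient"
    ordered = sorted(flows, key=lambda f: f.dport)
    ports = [f.dport for f in ordered]
    ttls = [f.ttl for f in ordered]
    in_window = all(p in TRACEROUTE_WINDOW for p in ports)
    # one probe per port, no gaps: ports form a contiguous run
    contiguous = (len(set(ports)) == len(ports)
                  and ports[-1] - ports[0] + 1 == len(ports))
    small_payload = all(f.payload <= MAX_TRACEROUTE_PAYLOAD for f in ordered)
    # TTL must rise with the port (later probes were sent with a higher TTL)
    ttl_monotonic = all(a <= b for a, b in zip(ttls, ttls[1:]))
    # the first probe that reaches us was sent with TTL == hop distance,
    # so its observed TTL is 1; a scanner's probes arrive with TTL ~50-60
    ttl_low = ttls[0] <= 3
    if in_window and contiguous and small_payload and ttl_monotonic and ttl_low:
        return "traceroute"
    return "udp_port_sweep"


def classify(flows):
    return {pair: classify_pair(fl) for pair, fl in group_flows(flows).items()}


def traceroute_probes(src, dst, distance, last_ttl):
    """Constructed: probes that reach a host `distance` hops away from a
    traceroute that walked TTL 1..last_ttl with three probes per TTL."""
    out = []
    for sent_ttl in range(1, last_ttl + 1):
        if sent_ttl < distance:
            continue  # expired at a router on the way; the sensor never sees it
        for probe in range(3):
            dport = TRACEROUTE_BASE + (sent_ttl - 1) * 3 + probe
            out.append(Flow(src, dst, "udp", dport, sent_ttl - distance + 1, 32))
    return out


# Constructed sample: one traceroute from four hops out, one service sweep,
# and one scanner that happens to touch the traceroute port window.
SAMPLE_FLOWS = (
    traceroute_probes("10.0.0.5", "192.0.2.10", distance=4, last_ttl=9)
    + [Flow("198.51.100.7", "192.0.2.10", "udp", p, 54, 8)
       for p in (53, 161, 500, 1434, 33434, 49152)]
    + [Flow("203.0.113.9", "192.0.2.10", "udp", p, 57, 0)
       for p in (33434, 33435, 33436)]
)


def demo():
    return classify(SAMPLE_FLOWS)


if __name__ == "__main__":
    for (src, dst), verdict in demo().items():
        print(f"{src} -> {dst}: {verdict}")
```

The third constructed source is the case worth noting for anyone tuning a Cisco-style "UDP Port Sweep" signature: it hits ports inside the traceroute window, but its observed TTL of 57 is constant and far too high for a probe that was meant to expire near the target, so the TTL check is what keeps it from being written off as traceroute.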
Current thread:
- UDP Port Sweep question Billy Dodson (Dec 28)
- Re: UDP Port Sweep question Tim (Dec 29)
- Re: UDP Port Sweep question Kyle Maxwell (Dec 29)
- Re: UDP Port Sweep question Ron (Dec 29)
- <Possible follow-ups>
- Re: UDP Port Sweep question Don Parker (Dec 29)
- RE: UDP Port Sweep question Billy Dodson (Dec 29)
- RE: UDP Port Sweep question David Gillett (Dec 29)
- Re: UDP Port Sweep question Tim (Dec 29)
- RE: UDP Port Sweep question Jack McCarthy (Dec 29)
- RE: UDP Port Sweep question Benjamin Franz (Dec 29)
- RE: UDP Port Sweep question Colby DeRodeff (Dec 29)
- Re: UDP Port Sweep question Francesca Smith (Dec 30)