Re: Fragmented UDP and Multicast Addresses

[Barrie Dempster <barrie () reboot-robot net>]

On Tue, 2005-11-15 at 14:29 -0500, Chris Martin wrote:
> Hello list,
> Today at work we found some very strange behavior on one of our servers.
> This machine was spitting out several thousand fragmented UDP packets to
> an IP multicast address.
> The rate of packet sending was quite high, using ethereal for about 10
> minutes showed that of approximately 75,000 packets, almost 70,000 of
> them where these fragmented UDP packets.  They were being sent to a
> 239.192.*.* which according to RFC 3171 is an Administratively Scoped
> Block of IPv4 Multicast.
>
> This really has us scratching our heads.  I was wondering if anyone here
> had seen this kind of behavior before, or had any ideas as to what it
> could possibly be?


A first glance guess would be simple media multicasting software of some
description. Can you narrow it down beyond UDP and recognise the
protocol being used ? (or can you provide a packet dump so that we can).

Do you have any host based analysis of the incident ?


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

Attachment: smime.p7s
Description: