Snort Forums Archive
Strange UDP Flooding Attack
Posted by veekoo on December 11, 2005 23:23:06
During the past few weeks I have encountered really strange UDP traffic in my firewall logs. Here are the key numbers of one incident:
Source IP: LOTS (21 000 IP addresses in this case)
Source UDP: random
Dst IP: 192.58.44.69
Dst UDP port: 5557
Duration: 3 days
Packet count: 147 000
I have seen several of these. Those attacks usually last several hours, but they always have a single target and a fixed UDP port number. The UDP port number is fixed for a single destination, but is different for other destination IPs. UDP port 5557 seems to repeat, but I have also seen port numbers 7812, 5475, 5340, 5703 etc.
I cannot figure out what is going on. I cannot recognize the packet protocol. The UDP payload starts with "e9 03 41 01", but otherwise the payload is not fixed. I include a dump of one packet at the end of this message.
Snort doesn't seem to react to these packets. Does anyone know what is going on???
Vesa
Ethernet II, Src: Cisco_15:a5:fa (00:60:70:15:a5:fa), Dst: 3com_f2:f8:e7 (00:01:02:f2:f8:e7)
Destination: 3com_f2:f8:e7 (00:01:02:f2:f8:e7)
Source: Cisco_15:a5:fa (00:60:70:15:a5:fa)
Type: IP (0x0800)
Internet Protocol, Src: 61.134.109.42 (61.134.109.42), Dst: 192.58.44.69 (192.58.44.69)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 85
Identification: 0x1180 (4480)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 104
Protocol: UDP (0x11)
Header checksum: 0xa9c8 [correct]
Source: 61.134.109.42 (61.134.109.42)
Destination: 192.58.44.69 (192.58.44.69)
User Datagram Protocol, Src Port: 22475 (22475), Dst Port: 5557 (5557)
Source port: 22475 (22475)
Destination port: 5557 (5557)
Length: 65
Checksum: 0xf32f [correct]
Data (57 bytes)
0000 00 01 02 f2 f8 e7 00 60 70 15 a5 fa 08 00 45 20 .......`p.....E
0010 00 55 11 80 00 00 68 11 a9 c8 3d 86 6d 2a c0 3a .U....h...=.m*.:
0020 2c 45 57 cb 15 b5 00 41 f3 2f e9 03 41 01 98 ab ,EW....A./..A...
0030 01 02 6c 2b 00 00 96 ec 08 0d 2e 28 3f 4c 8c 3e ..l+.......(?L.>
0040 e2 71 51 69 36 5f 08 ca 5c 94 52 3b fa 4b 94 75 .qQi6_..\.R;.K.u
0050 83 13 20 4a 2e f5 c0 a8 00 fa ec 1c 4f 0c 39 19 .. J........O.9.
0060 86 33 00 .3.
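The frame in the dump above, parsed and checked for the traits the post describes (constant "e9 03 41 01" payload prefix, one destination IP and port, many distinct sources). This is an added example, not code from the post or from Snort; the 10.0.0.x source addresses are constructed to simulate a flood and the patched frames do not recompute checksums, which this parser does not verify.

```python
import ipaddress
import struct
from collections import defaultdict

# The 99-byte frame (Ethernet + IPv4 + UDP) transcribed from the hex dump in the post.
FRAME = bytes.fromhex(
    "000102f2f8e700607015a5fa08004520"
    "0055118000006811a9c83d866d2ac03a"
    "2c4557cb15b50041f32fe903410198ab"
    "01026c2b000096ec080d2e283f4c8c3e"
    "e2715169365f08ca5c94523bfa4b9475"
    "8313204a2ef5c0a800faec1c4f0c3919"
    "863300"
)
PAYLOAD_MAGIC = bytes.fromhex("e9034101")  # constant prefix the poster observed


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < total_len:  # protocol 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]  # UDP header is 8 bytes


def matches_signature(payload):
    """True when the UDP payload carries the fixed 4-byte prefix from the post."""
    return payload.startswith(PAYLOAD_MAGIC)


def flood_candidates(frames, min_sources):
    """Group signature hits by (dst_ip, dport); keep targets fed by >= min_sources distinct sources."""
    sources = defaultdict(set)
    for f in frames:
        p = parse_frame(f)
        if p and matches_signature(p[4]):
            sources[(p[1], p[3])].add(p[0])
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def with_source(frame, ip):
    """Constructed variant of a frame with the IPv4 source replaced (checksums left stale)."""
    return frame[:26] + ipaddress.IPv4Address(ip).packed + frame[30:]


if __name__ == "__main__":
    sample = [with_source(FRAME, f"10.0.0.{i}") for i in range(1, 6)] + [FRAME]
    print(parse_frame(FRAME)[:4])              # ('61.134.109.42', '192.58.44.69', 22475, 5557)
    print(flood_candidates(sample, 6))         # {('192.58.44.69', 5557): 6}
```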