
List:       incidents
Subject:    Re: Fragmented UDP and Multicast Addresses
From:       Barrie Dempster <barrie () reboot-robot ! net>
Date:       2005-11-16 10:23:22
Message-ID: 1132136603.7692.7.camel () localhost ! localdomain


On Tue, 2005-11-15 at 14:29 -0500, Chris Martin wrote:
> Hello list,
> Today at work we found some very strange behavior on one of our servers.
> This machine was spitting out several thousand fragmented UDP packets to
> an IP multicast address.
> The rate of packet sending was quite high; using Ethereal for about 10
> minutes showed that of approximately 75,000 packets, almost 70,000 of
> them were these fragmented UDP packets.  They were being sent to a
> 239.192.*.* address, which according to RFC 3171 is an Administratively
> Scoped Block of IPv4 Multicast.
> 
> This really has us scratching our heads.  I was wondering if anyone here
> had seen this kind of behavior before, or had any ideas as to what it
> could possibly be?


A first-glance guess would be simple media multicasting software of some
description. Can you narrow it down beyond UDP and recognise the
protocol being used? (Or can you provide a packet dump so that we can.)

Do you have any host-based analysis of the incident?


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

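As an added illustration of the triage Barrie asks for (not code from either poster), the script below walks raw IPv4 packets, flags fragmented UDP datagrams whose destination falls in the RFC 3171 administratively scoped block (239.0.0.0/8, with 239.192.0.0/14 as the RFC 2365 organization-local range the thread mentions), and recovers the UDP destination port from first fragments only, since later fragments carry no UDP header. The sample packets, addresses and port 5004 are constructed here for the example.

```python
import ipaddress
import struct

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # RFC 3171 administratively scoped
ORG_LOCAL = ipaddress.ip_network("239.192.0.0/14")    # RFC 2365 organization-local scope
IP_HDR = "!BBHHHBBH4s4s"                              # 20-byte IPv4 header, no options

def build_ipv4(dst, payload, frag_offset=0, more_fragments=False, ident=0x1234, proto=17):
    """Build a minimal IPv4 packet (constructed sample data; checksum left as 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.ip_address("10.0.0.5").packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def classify(packet):
    """Return (is_fragment, is_udp, dst_scope, udp_dst_port_or_None) for one IPv4 packet."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)          # MF flag: more fragments follow
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset in bytes
    dst_ip = ipaddress.ip_address(dst)
    scope = ("org-local" if dst_ip in ORG_LOCAL
             else "admin-scoped" if dst_ip in ADMIN_SCOPED else "other")
    is_udp = proto == 17
    port = None
    # Only the first fragment (offset 0) carries the UDP header, so the destination
    # port, the main clue to the application protocol, is recoverable only there.
    if is_udp and offset == 0 and len(packet) >= ihl + 8:
        port = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return (more or offset > 0), is_udp, scope, port

def summarize(packets):
    """Count fragmented UDP to admin-scoped multicast and tally first-fragment ports."""
    frag_mcast, ports = 0, {}
    for p in packets:
        frag, udp, scope, port = classify(p)
        if frag and udp and scope != "other":
            frag_mcast += 1
            if port is not None:
                ports[port] = ports.get(port, 0) + 1
    return {"total": len(packets), "frag_udp_admin_scoped": frag_mcast, "first_frag_ports": ports}

# Constructed sample: a 2000-byte UDP datagram split into two fragments, plus controls.
UDP_HDR = struct.pack("!HHHH", 40000, 5004, 8 + 2000, 0)
SAMPLE = [
    build_ipv4("239.192.1.1", UDP_HDR + b"\x00" * 1472, frag_offset=0, more_fragments=True),
    build_ipv4("239.192.1.1", b"\x00" * 528, frag_offset=1480),          # no UDP header here
    build_ipv4("239.192.1.1", UDP_HDR + b"\x00" * 100),                   # unfragmented
    build_ipv4("10.0.0.9", UDP_HDR + b"\x00" * 100, frag_offset=1480),    # unicast fragment
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```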
