List: incidents
Subject: Re: Fragmented UDP and Multicast Addresses
From: Barrie Dempster <barrie () reboot-robot ! net>
Date: 2005-11-16 10:23:22
Message-ID: 1132136603.7692.7.camel () localhost ! localdomain
On Tue, 2005-11-15 at 14:29 -0500, Chris Martin wrote:
> Hello list,
> Today at work we found some very strange behavior on one of our servers.
> This machine was spitting out several thousand fragmented UDP packets to
> an IP multicast address.
> The rate of packet sending was quite high, using ethereal for about 10
> minutes showed that of approximately 75,000 packets, almost 70,000 of
> them were these fragmented UDP packets. They were being sent to a
> 239.192.*.* which according to RFC 3171 is an Administratively Scoped
> Block of IPv4 Multicast.
>
> This really has us scratching our heads. I was wondering if anyone here
> had seen this kind of behavior before, or had any ideas as to what it
> could possibly be?
A first glance guess would be simple media multicasting software of some
description. Can you narrow it down beyond UDP and recognise the
protocol being used? (or can you provide a packet dump so that we can).
Do you have any host-based analysis of the incident?
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
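The reply above asks the poster to narrow the traffic down beyond "fragmented UDP to 239.192.x.x": which sources are talking, how many original datagrams the fragments belong to, and which UDP port (the protocol hint) the first fragment of each datagram carries. The following script is an added illustration of that triage, not code from either poster. It parses raw IPv4 headers with the standard library only, flags a packet as a fragment when the MF bit is set or the fragment offset is non-zero, checks the destination against the RFC 3171 administratively scoped block 239.0.0.0/8, and reads the UDP ports only from first fragments (later fragments carry no UDP header). The capture it runs on is constructed inline; the addresses, ports and IP IDs are made-up sample values, not data from the original incident.

```python
import struct
import ipaddress
from collections import Counter

# RFC 3171 lists 239.0.0.0/8 as the administratively scoped IPv4 multicast block;
# the 239.192.x.x addresses in the report fall inside it.
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
MF_FLAG = 0x2000           # "more fragments" bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units
PROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, ident, more_fragments, frag_offset_units, payload):
    """Construct a minimal IPv4 packet (no options, zero checksum). Sample data only."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset_units & FRAG_OFFSET_MASK)
    header = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Extract the fields needed to recognise a fragmented UDP packet sent to multicast."""
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = (flags_frag & FRAG_OFFSET_MASK) * 8
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "proto": proto,
        "id": ident,
        "header_len": (ver_ihl & 0x0F) * 4,
        "is_fragment": bool(flags_frag & MF_FLAG) or offset > 0,
        "is_first": offset == 0,
    }


def udp_ports(packet, fields):
    """UDP ports are only visible in the first fragment; later fragments carry bare payload."""
    if fields["proto"] != PROTO_UDP or not fields["is_first"]:
        return None
    start = fields["header_len"]
    if len(packet) < start + 8:
        return None
    return struct.unpack("!HH", packet[start:start + 4])


def summarise(packets):
    """Count fragmented UDP to administratively scoped multicast and name the talkers and ports."""
    total = suspect = 0
    datagrams = set()    # (src, dst, IP ID): one entry per original datagram that was fragmented
    talkers = Counter()  # source address -> number of suspect packets
    dports = Counter()   # destination UDP port seen in first fragments (the protocol hint)
    for pkt in packets:
        f = parse_ipv4(pkt)
        total += 1
        if f["proto"] == PROTO_UDP and f["is_fragment"] and ipaddress.ip_address(f["dst"]) in ADMIN_SCOPED:
            suspect += 1
            datagrams.add((f["src"], f["dst"], f["id"]))
            talkers[f["src"]] += 1
            ports = udp_ports(pkt, f)
            if ports:
                dports[ports[1]] += 1
    return {"total": total, "suspect": suspect, "datagrams": len(datagrams),
            "talkers": dict(talkers), "dports": dict(dports),
            "suspect_ratio": suspect / total if total else 0.0}


def sample_capture():
    """Constructed traffic: three 3000-byte UDP datagrams from 10.0.0.5 to 239.192.1.1,
    each cut into three 1000-byte fragments, plus two packets that must not be counted."""
    pkts = []
    udp_hdr = struct.pack("!HHHH", 40000, 6000, 8 + 3000, 0)  # made-up ports; length spans all fragments
    for ident in (101, 102, 103):
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.1", PROTO_UDP, ident, True, 0, udp_hdr + b"\x00" * 992))
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.1", PROTO_UDP, ident, True, 125, b"\x00" * 1000))
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.1", PROTO_UDP, ident, False, 250, b"\x00" * 1000))
    # unfragmented unicast UDP and a TCP segment: neither matches the pattern
    pkts.append(build_ipv4("10.0.0.7", "10.0.0.9", PROTO_UDP, 7, False, 0, struct.pack("!HHHH", 1234, 53, 8, 0)))
    pkts.append(build_ipv4("10.0.0.7", "10.0.0.9", 6, 8, False, 0, b"\x00" * 20))
    return pkts


if __name__ == "__main__":
    print(summarise(sample_capture()))
```

On a real capture the same loop would run over the IP layer of each frame; the useful outputs are the per-source counts (which host is the talker), the number of distinct datagrams (fragment count divided by datagrams gives the datagram size, a strong hint about the application) and the destination port from first fragments, which is the piece of information the reply asks for before the protocol can be named.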