From owner-freebsd-security Tue Sep 14 2:38:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mx2.imaginet.fr (artemis.imaginet.fr [195.68.75.24]) by hub.freebsd.org (Postfix) with ESMTP id D38F414D5A for ; Tue, 14 Sep 1999 02:38:02 -0700 (PDT) (envelope-from michael.hallgren@fisystem.fr)
Received: from corpo01.imaginet.fr (corpo01.imaginet.fr [195.68.75.105]) by mx2.imaginet.fr (8.9.3/8.8.8) with ESMTP id LAA18876; Tue, 14 Sep 1999 11:37:34 +0200 (MET DST)
Received: from roam (janus.fisystem.fr [195.68.32.60]) by corpo01.imaginet.fr (8.8.8/8.8.8) with SMTP id LAA25673; Tue, 14 Sep 1999 11:37:15 +0200 (MET DST)
Message-ID: <00e501befe94$9ec3ce80$b8014b0a@fisystem.fr>
From: "Michael Hallgren"
To: "Christoph Kukulies" ,
References: <199909140852.KAA40269@gil.physik.rwth-aachen.de>
Subject: Re: udp ports (scan?)
Date: Tue, 14 Sep 1999 11:36:27 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

no portscan; merely normal name lookup request-answer

cheers

mh

>
> I was observing packet loss in our local network and
> while first blaming general network overload I found that
> the packet loss concentrates on a FreeBSD (3.2) machine
> while pinging at other hosts in the same network
> doesn't show the packet loss. During further examining
> this I started tcpdump on another machine with
>
> tcpdump host htobecontrld and ip proto ICMP
>
> and running it over one day or so I caught some icmp packets
>
> htobecontrld is the host I was examining
> ournameserver was obviously the source of some requests sent to
> my host-to-be-controlled which answered with the 'port unreachable'
> messages.
>
> Now I'm wondering what kind of program running on the nameserver
> (which is not under my direct control) could cause these requests
> to be launched?
>
>
> tcpdump: listening on de0
> 13:53:51.256654 htobecontrld > ournameserver: icmp: htobecontrld udp port 3151 unreachable
> 14:04:26.928073 htobecontrld > ournameserver: icmp: htobecontrld udp port 3190 unreachable
> 14:07:50.840184 htobecontrld > ournameserver: icmp: htobecontrld udp port 3199 unreachable
> 14:11:15.185485 htobecontrld > ournameserver: icmp: htobecontrld udp port 3202 unreachable
> 14:21:37.183022 htobecontrld > ournameserver: icmp: htobecontrld udp port 3221 unreachable
> 14:21:47.414354 htobecontrld > ournameserver: icmp: htobecontrld udp port 3227 unreachable
> 14:33:02.343351 htobecontrld > ournameserver: icmp: htobecontrld udp port 3273 unreachable
> 14:34:02.851694 htobecontrld > ournameserver: icmp: htobecontrld udp port 3282 unreachable
> 14:36:45.415034 htobecontrld > ournameserver: icmp: htobecontrld udp port 3293 unreachable
> 15:13:09.697960 htobecontrld > ournameserver: icmp: htobecontrld udp port 3385 unreachable
> 15:13:09.697960 htobecontrld > ournameserver: icmp: htobecontrld udp port 3385 unreachable
> 15:20:09.660322 htobecontrld > ournameserver: icmp: htobecontrld udp port 3412 unreachable
> 15:31:05.104729 htobecontrld > ournameserver: icmp: htobecontrld udp port 3442 unreachable
> 15:36:29.514619 htobecontrld > ournameserver: icmp: htobecontrld udp port 3462 unreachable
> 15:41:01.920259 htobecontrld > ournameserver: icmp: htobecontrld udp port 3476 unreachable
> 15:41:15.251266 htobecontrld > ournameserver: icmp: htobecontrld udp port 3477 unreachable
> 15:45:08.414133 htobecontrld > ournameserver: icmp: htobecontrld udp port 3515 unreachable
> 15:45:29.257732 htobecontrld > ournameserver: icmp: htobecontrld udp port 3529 unreachable
> 15:49:52.837334 htobecontrld > ournameserver: icmp: htobecontrld udp port 3580 unreachable
> 16:18:31.819020 htobecontrld > ournameserver: icmp: htobecontrld udp port 3737 unreachable
> 16:32:39.182636 htobecontrld > ournameserver: icmp: htobecontrld udp port 3774 unreachable
> 16:32:50.888815 htobecontrld > ournameserver: icmp: htobecontrld udp port 3775 unreachable
> 16:41:31.150820 htobecontrld > ournameserver: icmp: htobecontrld udp port 3832 unreachable
> 16:58:50.989253 htobecontrld > ournameserver: icmp: htobecontrld udp port 3917 unreachable
> 16:58:54.683655 htobecontrld > ournameserver: icmp: htobecontrld udp port 3918 unreachable
> 16:59:18.852931 htobecontrld > ournameserver: icmp: htobecontrld udp port 3926 unreachable
> 17:04:28.053373 htobecontrld > ournameserver: icmp: htobecontrld udp port 3968 unreachable
> 17:05:20.889957 htobecontrld > ournameserver: icmp: htobecontrld udp port 3991 unreachable
> 17:05:25.538210 htobecontrld > ournameserver: icmp: htobecontrld udp port 3987 unreachable
> 17:05:29.836622 htobecontrld > ournameserver: icmp: htobecontrld udp port 3996 unreachable
> 17:17:36.700988 htobecontrld > ournameserver: icmp: htobecontrld udp port 4102 unreachable
> 17:17:36.740919 htobecontrld > ournameserver: icmp: htobecontrld udp port 4103 unreachable
> 17:31:44.809722 htobecontrld > ournameserver: icmp: htobecontrld udp port 4167 unreachable
> 17:32:38.966678 htobecontrld > ournameserver: icmp: htobecontrld udp port 4178 unreachable
> 17:39:54.678230 htobecontrld > ournameserver: icmp: htobecontrld udp port 4196 unreachable
> 17:59:49.360598 htobecontrld > ournameserver: icmp: htobecontrld udp port 4337 unreachable
> 18:10:06.141498 htobecontrld > ournameserver: icmp: htobecontrld udp port 4393 unreachable
> 18:10:14.018915 htobecontrld > ournameserver: icmp: htobecontrld udp port 4397 unreachable
> 18:22:38.244695 htobecontrld > ournameserver: icmp: htobecontrld udp port 4475 unreachable
> 18:28:14.111106 htobecontrld > ournameserver: icmp: htobecontrld udp port 4519 unreachable
> 18:36:13.179419 htobecontrld > ournameserver: icmp: htobecontrld udp port 4596 unreachable
> 18:37:22.693492 htobecontrld > ournameserver: icmp: htobecontrld udp port 4604 unreachable
> 18:54:54.669616 htobecontrld > ournameserver: icmp: htobecontrld udp port 4691 unreachable
> 18:54:57.236363 htobecontrld > ournameserver: icmp: htobecontrld udp port 4694 unreachable
> 18:55:03.128219 htobecontrld > ournameserver: icmp: htobecontrld udp port 4705 unreachable
> 19:00:34.078595 htobecontrld > ournameserver: icmp: htobecontrld udp port 4716 unreachable
> 19:05:12.453255 htobecontrld > ournameserver: icmp: htobecontrld udp port 4728 unreachable
> 19:16:35.928587 htobecontrld > ournameserver: icmp: htobecontrld udp port 4800 unreachable
> 19:43:39.675290 htobecontrld > ournameserver: icmp: htobecontrld udp port 4874 unreachable
> 20:28:06.247516 htobecontrld > ournameserver: icmp: htobecontrld udp port 1065 unreachable
> 20:41:18.205457 htobecontrld > ournameserver: icmp: htobecontrld udp port 1281 unreachable
> 20:45:42.047075 htobecontrld > ournameserver: icmp: htobecontrld udp port 1325 unreachable
> 20:49:29.804008 htobecontrld > ournameserver: icmp: htobecontrld udp port 1344 unreachable
> 20:59:06.544939 htobecontrld > ournameserver: icmp: htobecontrld udp port cadsi-lm unreachable
> 21:03:36.939149 htobecontrld > ournameserver: icmp: htobecontrld udp port symplex unreachable
> 21:11:16.690970 htobecontrld > ournameserver: icmp: htobecontrld udp port 1583 unreachable
> 21:37:14.350186 htobecontrld > ournameserver: icmp: htobecontrld udp port 1716 unreachable
> 21:38:03.652302 htobecontrld > ournameserver: icmp: htobecontrld udp port 1741 unreachable
> 21:46:10.942866 htobecontrld > ournameserver: icmp: htobecontrld udp port 1817 unreachable
> 22:05:50.686555 htobecontrld > ournameserver: icmp: htobecontrld udp port raid-cd unreachable
> 22:16:33.673137 htobecontrld > ournameserver: icmp: htobecontrld udp port 2071 unreachable
> 22:21:43.078998 htobecontrld > ournameserver: icmp: htobecontrld udp port 2100 unreachable
> 22:28:55.425618 htobecontrld > ournameserver: icmp: htobecontrld udp port 2139 unreachable
> 22:31:33.480595 htobecontrld > ournameserver: icmp: htobecontrld udp port 2160 unreachable
> 23:02:55.916526 htobecontrld > ournameserver: icmp: htobecontrld udp port 2394 unreachable
> 23:18:58.826335 htobecontrld > ournameserver: icmp: htobecontrld udp port 2482 unreachable
> 23:31:48.014578 htobecontrld > ournameserver: icmp: htobecontrld udp port 2519 unreachable
> 23:31:52.421756 htobecontrld > ournameserver: icmp: htobecontrld udp port 2527 unreachable
> 23:59:28.936152 htobecontrld > ournameserver: icmp: htobecontrld udp port 2603 unreachable
> 23:59:31.216532 htobecontrld > ournameserver: icmp: htobecontrld udp port 2601 unreachable
> 00:58:26.300246 htobecontrld > ournameserver: icmp: htobecontrld udp port 2777 unreachable
> 04:51:24.263385 htobecontrld > ournameserver: icmp: htobecontrld udp port 3580 unreachable
> 06:41:34.873900 htobecontrld > ournameserver: icmp: htobecontrld udp port 3811 unreachable
> 06:42:22.889204 htobecontrld > ournameserver: icmp: htobecontrld udp port 3810 unreachable
> 07:11:18.000575 htobecontrld > ournameserver: icmp: htobecontrld udp port 3882 unreachable
> 07:11:23.115720 htobecontrld > ournameserver: icmp: htobecontrld udp port 3883 unreachable
> 07:12:46.306956 htobecontrld > ournameserver: icmp: htobecontrld udp port 3885 unreachable
> 08:56:33.120855 htobecontrld > ournameserver: icmp: htobecontrld udp port 4070 unreachable
> 09:14:47.545636 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
> 09:14:47.572354 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
> 09:15:52.561994 htobecontrld > ournameserver: icmp: htobecontrld udp port 4102 unreachable
> 09:20:32.254100 htobecontrld > ournameserver: icmp: htobecontrld udp port nuts_dem unreachable
> 09:20:37.859208 htobecontrld > ournameserver: icmp: htobecontrld udp port nuts_bootp unreachable
> 09:20:47.399799 htobecontrld > ournameserver: icmp: htobecontrld udp port 4134 unreachable
>
>
> --
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
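As an added triage example (not part of this thread, and not code from either poster), the Python below parses ICMP port-unreachable lines in the tcpdump format quoted above and reports, per remote host, how many distinct local ports were hit, whether any named service port (such as snmp) was involved, and how far apart the packets were; widely spaced hits on ephemeral ports only fit the reply's reading (late answers arriving after the querying socket has closed), while many ports in quick succession would look scan-like. The sample lines are a constructed subset of the quoted capture, the burst threshold and verdict labels are my own assumptions, and a backwards jump in time-of-day is treated as the capture crossing midnight, as the quoted one did.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: a subset of the quoted tcpdump lines, in the same format.
SAMPLE = """\
13:53:51.256654 htobecontrld > ournameserver: icmp: htobecontrld udp port 3151 unreachable
14:04:26.928073 htobecontrld > ournameserver: icmp: htobecontrld udp port 3190 unreachable
23:59:31.216532 htobecontrld > ournameserver: icmp: htobecontrld udp port 2601 unreachable
00:58:26.300246 htobecontrld > ournameserver: icmp: htobecontrld udp port 2777 unreachable
09:14:47.545636 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
09:14:47.572354 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ > (\S+): icmp: \S+ udp port (\S+) unreachable$")

def parse(text):
    """Yield (time_of_day, remote_host, port) for each port-unreachable line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(3)

def gaps_in_capture_order(times):
    """Seconds between consecutive events; a negative difference means the capture crossed midnight."""
    out = []
    for a, b in zip(times, times[1:]):
        d = b - a
        if d < timedelta(0):
            d += timedelta(days=1)
        out.append(d.total_seconds())
    return out

def triage(text, burst_seconds=5.0):
    """Per remote host: packet count, distinct ports, named service ports, median gap and a verdict."""
    by_peer = {}
    for ts, remote, port in parse(text):
        by_peer.setdefault(remote, []).append((ts, port))
    report = {}
    for remote, events in by_peer.items():
        ports = [p for _, p in events]
        named = sorted({p for p in ports if not p.isdigit()})   # tcpdump resolved these via /etc/services
        ephemeral_only = all(p.isdigit() and int(p) >= 1024 for p in ports)
        gaps = gaps_in_capture_order([t for t, _ in events])
        spacing = median(gaps) if gaps else None
        if named:
            verdict = "service-port"      # a real service was addressed: find out what the sender polls
        elif ephemeral_only and (spacing is None or spacing > burst_seconds):
            verdict = "late-replies"      # spaced-out hits on client ports: answers to already closed sockets
        else:
            verdict = "scan-like"         # many ports in quick succession: worth a look at the sender
        report[remote] = {"packets": len(events), "distinct_ports": len(set(ports)),
                          "named_ports": named, "median_gap_s": spacing, "verdict": verdict}
    return report
```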