From owner-freebsd-security Tue Sep 14 2:42:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mx2.imaginet.fr (artemis.imaginet.fr [195.68.75.24])
    by hub.freebsd.org (Postfix) with ESMTP id A66B514D5A
    for ; Tue, 14 Sep 1999 02:42:04 -0700 (PDT)
    (envelope-from michael.hallgren@fisystem.fr)
Received: from corpo01.imaginet.fr (corpo01.imaginet.fr [195.68.75.105])
    by mx2.imaginet.fr (8.9.3/8.8.8) with ESMTP id LAA19127;
    Tue, 14 Sep 1999 11:41:36 +0200 (MET DST)
Received: from roam (janus.fisystem.fr [195.68.32.60])
    by corpo01.imaginet.fr (8.8.8/8.8.8) with SMTP id LAA26353;
    Tue, 14 Sep 1999 11:41:17 +0200 (MET DST)
Message-ID: <010a01befe95$2e8c9560$b8014b0a@fisystem.fr>
From: "Michael Hallgren"
To: "Michael Hallgren" , "Christoph Kukulies" ,
References: <199909140852.KAA40269@gil.physik.rwth-aachen.de> <00e501befe94$9ec3ce80$b8014b0a@fisystem.fr>
Subject: Re: udp ports (scan?)
Date: Tue, 14 Sep 1999 11:40:29 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> no portscan; merely normal name lookup request-answer w/o answer ;)

mh

>
> cheers
>
> mh
>
>
> > I was observing packet loss in our local network and
> > while first blaming general network overload I found that
> > the packet loss concentrates on a FreeBSD (3.2) machine
> > while pinging at other hosts in the same network
> > doesn't show the packet loss. During further examining
> > this I started tcpdump on another machine with
> >
> > tcpdump host htobecontrld and ip proto ICMP
> >
> > and running it over one day or so I caught some icmp packets
> >
> > htobecontrld is the host I was examining
> > ournameserver was obviously the source of some requests sent to
> > my host-to-be-controlled which answered with the 'port unreachable'
> > messages.
> >
> > Now I'm wondering what kind of program running on the nameserver
> > (which is not under my direct control) could cause these requests
> > to be launched?
> >
> >
> > tcpdump: listening on de0
> > 13:53:51.256654 htobecontrld > ournameserver: icmp: htobecontrld udp port 3151 unreachable
> > 14:04:26.928073 htobecontrld > ournameserver: icmp: htobecontrld udp port 3190 unreachable
> > 14:07:50.840184 htobecontrld > ournameserver: icmp: htobecontrld udp port 3199 unreachable
> > 14:11:15.185485 htobecontrld > ournameserver: icmp: htobecontrld udp port 3202 unreachable
> > 14:21:37.183022 htobecontrld > ournameserver: icmp: htobecontrld udp port 3221 unreachable
> > 14:21:47.414354 htobecontrld > ournameserver: icmp: htobecontrld udp port 3227 unreachable
> > 14:33:02.343351 htobecontrld > ournameserver: icmp: htobecontrld udp port 3273 unreachable
> > 14:34:02.851694 htobecontrld > ournameserver: icmp: htobecontrld udp port 3282 unreachable
> > 14:36:45.415034 htobecontrld > ournameserver: icmp: htobecontrld udp port 3293 unreachable
> > 15:13:09.697960 htobecontrld > ournameserver: icmp: htobecontrld udp port 3385 unreachable
> > 15:13:09.697960 htobecontrld > ournameserver: icmp: htobecontrld udp port 3385 unreachable
> > 15:20:09.660322 htobecontrld > ournameserver: icmp: htobecontrld udp port 3412 unreachable
> > 15:31:05.104729 htobecontrld > ournameserver: icmp: htobecontrld udp port 3442 unreachable
> > 15:36:29.514619 htobecontrld > ournameserver: icmp: htobecontrld udp port 3462 unreachable
> > 15:41:01.920259 htobecontrld > ournameserver: icmp: htobecontrld udp port 3476 unreachable
> > 15:41:15.251266 htobecontrld > ournameserver: icmp: htobecontrld udp port 3477 unreachable
> > 15:45:08.414133 htobecontrld > ournameserver: icmp: htobecontrld udp port 3515 unreachable
> > 15:45:29.257732 htobecontrld > ournameserver: icmp: htobecontrld udp port 3529 unreachable
> > 15:49:52.837334 htobecontrld > ournameserver: icmp: htobecontrld udp port 3580 unreachable
> > 16:18:31.819020 htobecontrld > ournameserver: icmp: htobecontrld udp port 3737 unreachable
> > 16:32:39.182636 htobecontrld > ournameserver: icmp: htobecontrld udp port 3774 unreachable
> > 16:32:50.888815 htobecontrld > ournameserver: icmp: htobecontrld udp port 3775 unreachable
> > 16:41:31.150820 htobecontrld > ournameserver: icmp: htobecontrld udp port 3832 unreachable
> > 16:58:50.989253 htobecontrld > ournameserver: icmp: htobecontrld udp port 3917 unreachable
> > 16:58:54.683655 htobecontrld > ournameserver: icmp: htobecontrld udp port 3918 unreachable
> > 16:59:18.852931 htobecontrld > ournameserver: icmp: htobecontrld udp port 3926 unreachable
> > 17:04:28.053373 htobecontrld > ournameserver: icmp: htobecontrld udp port 3968 unreachable
> > 17:05:20.889957 htobecontrld > ournameserver: icmp: htobecontrld udp port 3991 unreachable
> > 17:05:25.538210 htobecontrld > ournameserver: icmp: htobecontrld udp port 3987 unreachable
> > 17:05:29.836622 htobecontrld > ournameserver: icmp: htobecontrld udp port 3996 unreachable
> > 17:17:36.700988 htobecontrld > ournameserver: icmp: htobecontrld udp port 4102 unreachable
> > 17:17:36.740919 htobecontrld > ournameserver: icmp: htobecontrld udp port 4103 unreachable
> > 17:31:44.809722 htobecontrld > ournameserver: icmp: htobecontrld udp port 4167 unreachable
> > 17:32:38.966678 htobecontrld > ournameserver: icmp: htobecontrld udp port 4178 unreachable
> > 17:39:54.678230 htobecontrld > ournameserver: icmp: htobecontrld udp port 4196 unreachable
> > 17:59:49.360598 htobecontrld > ournameserver: icmp: htobecontrld udp port 4337 unreachable
> > 18:10:06.141498 htobecontrld > ournameserver: icmp: htobecontrld udp port 4393 unreachable
> > 18:10:14.018915 htobecontrld > ournameserver: icmp: htobecontrld udp port 4397 unreachable
> > 18:22:38.244695 htobecontrld > ournameserver: icmp: htobecontrld udp port 4475 unreachable
> > 18:28:14.111106 htobecontrld > ournameserver: icmp: htobecontrld udp port 4519 unreachable
> > 18:36:13.179419 htobecontrld > ournameserver: icmp: htobecontrld udp port 4596 unreachable
> > 18:37:22.693492 htobecontrld > ournameserver: icmp: htobecontrld udp port 4604 unreachable
> > 18:54:54.669616 htobecontrld > ournameserver: icmp: htobecontrld udp port 4691 unreachable
> > 18:54:57.236363 htobecontrld > ournameserver: icmp: htobecontrld udp port 4694 unreachable
> > 18:55:03.128219 htobecontrld > ournameserver: icmp: htobecontrld udp port 4705 unreachable
> > 19:00:34.078595 htobecontrld > ournameserver: icmp: htobecontrld udp port 4716 unreachable
> > 19:05:12.453255 htobecontrld > ournameserver: imp: htobecontrld udp port 4728 unreachable
> > 19:16:35.928587 htobecontrld > ournameserver: icmp: htobecontrld udp port 4800 unreachable
> > 19:43:39.675290 htobecontrld > ournameserver: icmp: htobecontrld udp port 4874 unreachable
> > 20:28:06.247516 htobecontrld > ournameserver: icmp: htobecontrld udp port 1065 unreachable
> > 20:41:18.205457 htobecontrld > ournameserver: icmp: htobecontrld udp port 1281 unreachable
> > 20:45:42.047075 htobecontrld > ournameserver: icmp: htobecontrld udp port 1325 unreachable
> > 20:49:29.804008 htobecontrld > ournameserver: icmp: htobecontrld udp port 1344 unreachable
> > 20:59:06.544939 htobecontrld > ournameserver: icmp: htobecontrld udp port cadsi-lm unreachable
> > 21:03:36.939149 htobecontrld > ournameserver: icmp: htobecontrld udp port symplex unreachable
> > 21:11:16.690970 htobecontrld > ournameserver: icmp: htobecontrld udp port 1583 unreachable
> > 21:37:14.350186 htobecontrld > ournameserver: icmp: htobecontrld udp port 1716 unreachable
> > 21:38:03.652302 htobecontrld > ournameserver: icmp: htobecontrld udp port 1741 unreachable
> > 21:46:10.942866 htobecontrld > ournameserver: icmp: htobecontrld udp port 1817 unreachable
> > 22:05:50.686555 htobecontrld > ournameserver: icmp: htobecontrld udp port raid-cd unreachable
> > 22:16:33.673137 htobecontrld > ournameserver: icmp: htobecontrld udp port 2071 unreachable
> > 22:21:43.078998 htobecontrld > ournameserver: icmp: htobecontrld udp port 2100 unreachable
> > 22:28:55.425618 htobecontrld > ournameserver: icmp: htobecontrld udp port 2139 unreachable
> > 22:31:33.480595 htobecontrld > ournameserver: icmp: htobecontrld udp port 2160 unreachable
> > 23:02:55.916526 htobecontrld > ournameserver: icmp: htobecontrld udp port 2394 unreachable
> > 23:18:58.826335 htobecontrld > ournameserver: icmp: htobecontrld udp port 2482 unreachable
> > 23:31:48.014578 htobecontrld > ournameserver: icmp: htobecontrld udp port 2519 unreachable
> > 23:31:52.421756 htobecontrld > ournameserver: icmp: htobecontrld udp port 2527 unreachable
> > 23:59:28.936152 htobecontrld > ournameserver: icmp: htobecontrld udp port 2603 unreachable
> > 23:59:31.216532 htobecontrld > ournameserver: icmp: htobecontrld udp port 2601 unreachable
> > 00:58:26.300246 htobecontrld > ournameserver: icmp: htobecontrld udp port 2777 unreachable
> > 04:51:24.263385 htobecontrld > ournameserver: icmp: htobecontrld udp port 3580 unreachable
> > 06:41:34.873900 htobecontrld > ournameserver: icmp: htobecontrld udp port 3811 unreachable
> > 06:42:22.889204 htobecontrld > ournameserver: icmp: htobecontrld udp port 3810 unreachable
> > 07:11:18.000575 htobecontrld > ournameserver: icmp: htobecontrld udp port 3882 unreachable
> > 07:11:23.115720 htobecontrld > ournameserver: icmp: htobecontrld udp port 3883 unreachable
> > 07:12:46.306956 htobecontrld > ournameserver: icmp: htobecontrld udp port 3885 unreachable
> > 08:56:33.120855 htobecontrld > ournameserver: icmp: htobecontrld udp port 4070 unreachable
> > 09:14:47.545636 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
> > 09:14:47.572354 htobecontrld > openview.rz.RWTH-Aachen.DE: icmp: htobecontrld udp port snmp unreachable
> > 09:15:52.561994 htobecontrld > ournameserver: icmp: htobecontrld udp port 4102 unreachable
> > 09:20:32.254100 htobecontrld > ournameserver: icmp: htobecontrld udp port nuts_dem unreachable
> > 09:20:37.859208 htobecontrld > ournameserver: icmp: htobecontrld udp port nuts_bootp unreachable
> > 09:20:47.399799 htobecontrld > ournameserver: icmp: htobecontrld udp port 4134 unreachable
> >
> >
> > --
> > Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
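
An added example, not part of the original messages: a triage of tcpdump "udp port ... unreachable" lines that separates a slow trickle to ephemeral ports (the name-lookup reading given in the reply) from a burst across many closed ports and from hits on a fixed service port. The 1024-5000 ephemeral range, the thresholds, the verdict labels and the `scanner.example` peer are assumptions made for the example.

```python
import re
from collections import defaultdict

# Names tcpdump printed instead of numbers in the quoted capture (IANA values).
SERVICES = {"cadsi-lm": 1387, "symplex": 1507, "raid-cd": 2012,
            "nuts_dem": 4132, "nuts_bootp": 4133, "snmp": 161}
# Assumption: the replying host allocates ephemeral UDP ports from 1024-5000.
EPHEMERAL = range(1024, 5001)
LINE = re.compile(r"(\d\d):(\d\d):(\d\d)\.\d+ (\S+) > (\S+): "
                  r"icmp: \S+ udp port (\S+) unreachable")

def parse(lines):
    """Yield (seconds, responder, peer, port) for each port-unreachable line."""
    day, last = 0, -1
    for m in filter(None, map(LINE.search, lines)):
        h, mi, s, responder, peer, port = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        if t < last:  # clock went backwards: the capture crossed midnight
            day += 86400
        last = t
        yield day + t, responder, peer, (int(port) if port.isdigit() else SERVICES.get(port))

def triage(lines, burst_ports=10, burst_window=60):
    """Label each (responder, peer) pair by the pattern of closed ports it hit."""
    seen = defaultdict(list)
    for t, responder, peer, port in parse(lines):
        seen[(responder, peer)].append((t, port))
    verdicts = {}
    for pair, evs in seen.items():
        # Most distinct ports rejected inside any burst_window-second span.
        burst = max(len({p for u, p in evs if t <= u < t + burst_window}) for t, _ in evs)
        if burst >= burst_ports:
            verdicts[pair] = "burst"         # many closed ports at once: sweep-like
        elif all(p in EPHEMERAL for _, p in evs):
            verdicts[pair] = "late-replies"  # slow trickle, ephemeral ports only
        else:
            verdicts[pair] = "service-port"  # fixed or unresolved port, e.g. a poller
    return verdicts

# Constructed input: four lines from the capture (mailer wrap undone), then a
# made-up peer "scanner.example" hitting twelve ports in twelve seconds.
ROWS = [("23:59:28.936152", "ournameserver", 2603), ("00:58:26.300246", "ournameserver", 2777),
        ("09:14:47.545636", "openview.rz.RWTH-Aachen.DE", "snmp"),
        ("09:20:32.254100", "ournameserver", "nuts_dem")]
ROWS += [(f"10:00:{i:02d}.000000", "scanner.example", 2000 + i) for i in range(12)]
SAMPLE = ["%s htobecontrld > %s: icmp: htobecontrld udp port %s unreachable" % r for r in ROWS]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running tcpdump with `-n` keeps the port numbers numeric, so no service-name table is needed.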