Re: Fragmented UDP and Multicast Addresses

From: Barrie Dempster (barriereboot-robot.net)
Date: Wed Nov 16 2005 - 04:23:22 CST


On Tue, 2005-11-15 at 14:29 -0500, Chris Martin wrote:
> Hello list,
> Today at work we found some very strange behavior on one of our servers.
> This machine was spitting out several thousand fragmented UDP packets to
> an IP multicast address.
> The rate of packet sending was quite high, using ethereal for about 10
> minutes showed that of approximately 75,000 packets, almost 70,000 of
> them were these fragmented UDP packets. They were being sent to a
> 239.192.*.* which according to RFC 3171 is an Administratively Scoped
> Block of IPv4 Multicast.
>
> This really has us scratching our heads. I was wondering if anyone here
> had seen this kind of behavior before, or had any ideas as to what it
> could possibly be?

A first glance guess would be simple media multicasting software of some
description. Can you narrow it down beyond UDP and recognise the
protocol being used? (Or can you provide a packet dump so that we can.)

Do you have any host based analysis of the incident?

--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3

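As an added illustration (not code from the thread or either poster), here is a small Python triage that classifies the multicast scope of packet destinations per RFC 2365 / RFC 3171 and flags source hosts whose traffic is dominated by fragmented UDP to the administratively scoped block, the pattern described above; the packet records are constructed, and the threshold is an assumption.

```python
"""Constructed example: triage host traffic for fragmented UDP sent to
administratively scoped multicast destinations (239.0.0.0/8)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# 239.0.0.0/8 is the Administratively Scoped block (RFC 2365 / RFC 3171);
# 239.192.0.0/14 is its Organization-Local sub-range, where the 239.192.*.*
# destinations seen in the thread fall.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
ORG_LOCAL = ipaddress.ip_network("239.192.0.0/14")


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    more_frags: bool = False   # IP "More Fragments" flag
    frag_offset: int = 0       # fragment offset in 8-byte units


def scope(dst: str) -> str:
    """Classify a destination address by multicast scope."""
    a = ipaddress.ip_address(dst)
    if a not in MULTICAST:
        return "unicast"
    if a in ORG_LOCAL:
        return "org-local"
    if a in ADMIN_SCOPED:
        return "admin-scoped"
    return "global-or-link"


def is_fragment(p: Pkt) -> bool:
    # Either a non-final fragment (MF set) or any later fragment (offset > 0).
    return p.more_frags or p.frag_offset > 0


def triage(pkts, threshold=0.5):
    """Per source host, the share of packets that are fragmented UDP to
    admin-scoped multicast; returns only hosts above the threshold."""
    total, hits = Counter(), Counter()
    for p in pkts:
        total[p.src] += 1
        if p.proto == "UDP" and is_fragment(p) and scope(p.dst) != "unicast" \
                and scope(p.dst) in ("org-local", "admin-scoped"):
            hits[p.src] += 1
    return {h: hits[h] / total[h] for h in total if hits[h] / total[h] > threshold}


# Constructed sample: one host emits a 7-fragment UDP datagram to 239.192.1.1
# plus one TCP packet; a second host sends only ordinary traffic.
SAMPLE = (
    [Pkt("10.0.0.5", "239.192.1.1", "UDP", True, i * 185) for i in range(6)]
    + [Pkt("10.0.0.5", "239.192.1.1", "UDP", False, 1110)]
    + [Pkt("10.0.0.5", "10.0.0.1", "TCP")]
    + [Pkt("10.0.0.9", "10.0.0.1", "TCP"), Pkt("10.0.0.9", "239.255.255.250", "UDP")]
)

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'10.0.0.5': 0.875}
```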