IANA servers and bad UDP packets

[Lv4]

Ok, I didn't know where this would really belong, but since it was my IDS machines that started off the alerts I figured this is where it should go.

On Saturday afternoon I started to get a flurry of UDP packets that violate standard configuration, and were setting off my bad UDP packet alerts. I saw something along the lines of about 4000 packets in a 300 second period that set off my IDS machines like mad.

They ALL came from one of the IANA root servers (I have no idea if they could have been spoofed as I wasn't capturing packets at the time) and they were going to a non existant machine on an internal network of mine. All of them were buffer purge frequency violations.

Now this machine they were going to has a private network IP in the 192.168.x.x range, but looking at the IDS logs it clearly shows that IP address. I'm wondering, since the IANA are the folks that make the rules about IP addresses, if they detected a misconfigured router on our network and it's their way of letting us know it's not set up right?

I haven't looked at the router that talks to that network yet, but I'm pretty sure it's not passing any private IPs to the outside world. More on that later today.


So other than one of my routers being misconfigured, do you folks have any other thoughts on why they would be sending me packets that set off my IDS machines like that?

I have seen misconfigured UDP packets from them before, but nothing on this level. It is only ususally like 5-10 packets over a period of a couple of hours that set off the IDS machines, but this is a bunch of packets.

Oh FWIW, my ISS boxes, NFR boxes and Snort boxes all picked these up.

[nebulus200]

It would be helpful if you said what kind of 'bad udp packets' you were seeing. Malformed DNS? Netbios?

I would suspect you may have some PC's infected with a worm, that in my mind would explain the heavy volume, how you would be seeing 192.168 addresses (I am assuming that is how your internal network is setup and that you NAT before going out), and it would also explain malformed packets...

If you can post what about it was malformed, or even the packets themselves, that would be helpful. Make sure to sanitize your IP information out of it...

/nebulus

[Lv4]

well, they are only reporting as a UDP buffer purge frequency violation (something I'm not familar with). They are showing a ICMP Type -1 flag and a ICMP Code -1 flag.

hrm, as I was typing this reply out I thought of something. These packets are originating from a 120.x.x.x network, which is a reserved IP range. That range is owned by IANA, and is in my list of IP ranges to 'watch'. That's what is setting off my IDS boxes, it is just the fact that they are coming from a network that I should never see traffic from.

Interesting. I'm wondering now why I am seeing traffic from those addresses, and why it's going to a 192.168.x.x network that I have being NAT'd to the outside world.

Well at least I figured out what was setting the alerts off, now I just have to figure out the why and the how of it all.

[nebulus200]

Ok, I don't know how big of a network you have, but I still stand by my original guess of you have a worm infected machine. At least one side of the network conversation is legitimate (192.168). With the 120 network...do the IP's in the 120 network change, is it always same one, is it always say same class C in the 120? Is it ever anything but 120?

I am not following what you are saying about UDP buffer purge frequency and ICMP...they should be different protocols and not in the same packet? I tried checking with ISS but I don't see a signature that resembles anything like that...checked SNORT and don't see anything similar to that either...

I tried looking around for UDP and for 120.x.x.x stuff on the NET, but only thing I really see are examples of how to setup equipment.

Since you won't say specifically what you are seeing, I am not able to help you other than saying, I recommend that you pick on one of the machines that is the source and see what is going on with the box, see what kind of traffic it is spewing out, what kind of programs are running, check AV, etc. I would suspect you find an answer pretty fast that way...

/nebulus

[Lv4]

heh. I'll have to log back on to either one of the snort boxes or the ISS boxes. a lot of the rules that we use are custom made, and mimick some of what the NFR boxes show... which is the one that I just happened to have up on my screen and was grabbing information from.

so, in lieu of logging on one of those boxes at the moment I will pass on what information I can. They are all originating FROM the 120.1.1.66 IP address and all are going TO 192.168.124.1... which is a brand new network with no machines on it right now. The only things that exist there right now are a Cisco 3600 router and a Checkpoint FW1 firewall, neither of which have that .1 addy.

I'm going to attach a NFR screenshot to show you the limited information that they are providing me.

I can't access the snort or ISS boxes from this machine, due to policies that are implemented.

***EDITED***

oh and after a little bit of research, the 120.0.0.0/8 IP range is used by the IANA for "special" purposes and IP experimentation.

[nebulus200]

http://cert.uni-stuttgart.de/archive.../msg00067.html

http://www.incidents.org/archives/in.../msg02431.html

I would like to have seen a little more of the contents of the packets, to have a closer look at the header, but based on what I am seeing in your screenshot and a quick search around the net, udp/1900 is where Microsoft's UPnP service lives. Most of the articles that I see about it either talk about the service specifically or that it starts up with MSN messenger; however, alot of what they are posting in the articles is multicast traffic, which yours isn't. Even with that being said, with what I am assuming the source port being 1038, which is a common choice on a MS box...

Do you have any anti-spoofing filters setup on your router? I wouldn't be the least bit suprised if someone has plugged up a laptop or something, maybe even to work on your new equipment, with that IP and that it is making it out by the default route and not being stopped by any ACL's or firewalls...I can almost picture a technician out there configuring your router while his MSN messenger keeps trying to connect

Also, I think the ICMP fields in that report are all bogus since the protocol is UDP, which is probably why it is showing -1 in those fields (there is no type -1 or code -1 ICMP packets). At least that is all I can hope, you might want to log on to the router and look at the ARP entries and see if you can't track it down to a specific machine...Through playing around with ACL's and routes, you should be able to track it down...

Good luck, happy hunting...

/nebulus


EDIT: Forgot to add, I am leaning against a worm at this point. The addresses are never changing, nor are the ports. This would be atypical for a worm that was trying to spread; however, I am a little bit suprised that none of the information is changing (many programs will try a combination of jostling source/dest ports a little to bypass firewalls/acl's)...If you find what was causing, please do tell, I am pretty curious now

[Lv4]

hrm, the techs shouldn't be plugging in their laptops like that, but you never know. hehe, I wouldn't doubt it at all because I know how they are

I'll go through the ARP entries on the router this afternoon and see what I can do to track it to someones machine. I've also set up some scripting on the nearest IDS box there that will trigger a sniffer that is now on that network to watch the traffic so I can take the packets apart and figure out what is really going on there.

oh yeah, I have over 4000 of those entries on each of my IDS boxes and they are all the same address and ports. They all happened in large chuncks, like 2000 policy violations in a 300 second period, followed by 1200 in another 300 second period. followed by 800 in a 300 second period. Then a few sporadic ones or twos that happened over a few hours time.