Large UDP Traffic -- Immediate Attention Please :)

[HTRegz]

Hey Hey,

I've got an interesting one for you all. I fire up ethereal and I'm see 50%+ UDP traffic. This in and of itself seems a little fishy to me, however they are all from the same source address and all destined to the broadcast address. They seem to rotate between ports 1010 and 1014. I've googled for UDP port 1010 and I'm not finding anything. I thought it was isolated to the one VLAN, however I switched over to another VLAN and I'm getting the same thing from another IP address. Has any experienced, seen or heard of anything like this in the past?


Thanks in advance,
HT

[MrLinus]

Try a search on port 1010 itself rather than specifying UDP. Google Search

The target is port 1010. What's the source port and ips? (are they the same or random)?

Anything special in the packet?

[HTRegz]

Hey Hey,


src and dst ports always match, either 1010/1010 or 1014/1014. The DST IP is always the broastcast address and the SRC IP is steady. I have ran nmap on the host, on the first scan it returned 443 open, however on a second scan I got no open ports, everything filtered. It seems to not be common across all VLANs as the third one I plugged into seems to be free, I'm about to switch to another and see what I get.

HT

[MrLinus]

Maybe it's a scan for the Doly Trojan?

[HTRegz]

That was my first thought when I saw the results and searched google. However the quantity of traffic seems too high for that. I'm getting 6 broadcasts/second at time, which isn't high enough to be an effective flood, but it's high enough that it's caught my attention. You'd think that someone scanning for the trojan would limit their activities slightly.

[MrLinus]

You'd think that someone scanning for the trojan would limit their activities slightly.

This assumes intelligence on the part of the "kiddie". Is there anything in the packet?(data of any type?) Do you have any packets we can look at (santized of all incriminating IPs)

[HTRegz]

Here's a screenshot for ya,

[Edit]
The other thing that leads me to believe it's not scanning for the trojan is the fact that it's in so many places, and the results are so much alike. I'm getting the same results from various people in various buildings... on different Vlans

[Edit]

[MrLinus]

Interesting... any hits to UDP port 5632?

Oh.. and is that sanitized addresses?

[HTRegz]

Not that we've noticed at this point. We've killed those switch ports and the students will have to contact us and bring their computers down before they get access again, I was just wondering if anyone knew anything or knows anything about it.

[Edit]
They're private addresses for specific vlans in the college, so you can have them. If they were public addresses I'd wipe them out.
[/Edit]

HT

[HTRegz]

Hey Hey Everyone,

Just to let ya know, it turns out the problem was with Silicon Chalk Admin Service... SC is a teaching/classroom aid. We haven't fully diagnosed the problem, or determined why it happens, but we are currently working on a solution. If anyone has any information about it, it would be greatly appreciated. Thanks again for the help.


HT