LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-10-2010, 02:48 PM   #1
gadgetx23
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Rep: Reputation: 0
Flood of UDP 59002 from various IP's


Looking over my log files today, I noticed I've been getting flooded with these connection attempts for the past month. It's been constant, 5-10 per minute, always from different IP address, always port 59002.

Slackware 12.1 using Arno's iptables.

Example:
Code:
Feb 10 14:41:05 Connection attempt (UNPRIV): IN=eth1 SRC=97.82.203.130 DST=XX.XX.XX.XX
                97-82-203-130.dhcp.hckr.nc.charter.com
                PROTO=UDP DPT=59002 SPT=49696 TTL=109
Any idea what these are coming from? No P2P currently running on the network.
 
Old 02-11-2010, 07:18 AM   #2
Tons of Fun
Member
 
Registered: Dec 2004
Location: Orlando, Florida
Distribution: Debian Squeeze / BackTrack 5/ Linux Mint 11
Posts: 359

Rep: Reputation: 32
The IP address shown in your log is blocked out to Charter Communications in North Carolina. They are an ISP, so you could report it to them and they will more than likely deal with it.
 
Old 02-11-2010, 08:37 AM   #3
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Probably, if your IP is dynamic and you just reconnected, there was some user here just before you gained this IP. He was using some P2P network, perhaps BitTorrent, and his P2P port was 59002. So he didn't close his client, and the trackers and other peers don't yet know that he left. You obtained his IP and you get this traffic. It's a normal situation.
If you have a static IP and are sure no one used P2P from it, this may be a DDoS, but it's unlikely it would go that slowly. 5-10 packets/min points me to guess it's a BitTorrent client at work. If you don't want to cause such troubles to other users, be sure to exit your P2P clients in a good way. Don't disconnect from the internet without having all P2P applications closed. Terminating the process usually causes the same troubles: exit the app the way it's meant to be exited.
I'd say it's a kind of internet etiquette in dynamic-IP networks.

You just have to wait some time; it will disappear soon.
If it doesn't go away, it's likely someone's got nothing to do. Can you show us some examples of packets you receive? Captures from wireshark/tcpdump are welcome.

Last edited by Web31337; 02-11-2010 at 08:41 AM.
 
Old 02-11-2010, 04:32 PM   #4
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
It's pretty hard if not impossible to determine what's going on when all we have to go on is one log record that contains limited information.

+1 for a tcpdump capture
 
Old 02-12-2010, 01:18 AM   #5
devwatchdog
Member
 
Registered: Jan 2010
Posts: 198

Rep: Reputation: 44
Quote:
Originally Posted by gadgetx23
Looking over my log files today, I noticed I've been getting flooded with these connection attempts for the past month. It's been constant, 5-10 per minute, always from different IP address, always port 59002.

Slackware 12.1 using Arno's iptables.

Example:
Code:
Feb 10 14:41:05 Connection attempt (UNPRIV): IN=eth1 SRC=97.82.203.130 DST=XX.XX.XX.XX
                97-82-203-130.dhcp.hckr.nc.charter.com
                PROTO=UDP DPT=59002 SPT=49696 TTL=109
Any idea what these are coming from? No P2P currently running on the network.
That's definitely odd behavior, especially when looking at what SANS shows for activity on that port.

Code:
# portascii.html 
# Start Date: 2010-01-13 
# End Date: 2010-02-12
# Port: 59002
# created: Fri, 12 Feb 2010 06:32:34 +0000
# Date in GMT. YYYY-MM-DD format.

date	records	targets	sources	tcpratio
2010-01-13	10	3	3	100
2010-01-14	7	4	5	83
2010-01-15	6	2	3	100
2010-01-16	6	3	2	100
2010-01-17	6	4	4	100
2010-01-18	5	4	4	80
2010-01-20	9	4	6	86
2010-01-21	6	3	3	100
2010-01-22	12	5	7	100
2010-01-23	7	3	4	100
2010-01-26	11	2	11	9
2010-01-27	17	4	7	85
2010-01-28	10	4	4	100
2010-02-01	9	3	4	100
2010-02-02	8	2	2	88
2010-02-03	18	5	6	94
2010-02-04	11	6	6	100
2010-02-05	6	3	3	100
2010-02-06	6	3	3	100
2010-02-09	5	2	3	100
2010-02-11	15	3	4	100
# (c) SANS Inst. / DShield. some rights reserved.
# Creative Commons ShareAlike License 2.5
# http://creativecommons.org/licenses/by-nc-sa/2.5/
Which can be found here, and has a link there for the ASCII output seen above.

As you can see in the chart above, the numbers indicate port 59002 isn't very popular as destinations go, be it UDP or TCP. This would indicate to me this traffic is very specific to your particular environment, not general scans seen coming from common virus/script related activity.

I checked my firewall logs, and since Jan 31st, I've only seen port 59002 ~20 times, all being source, all TCP.

Do you have a static IP, and do you offer services on your public interface? If you do, I would analyze the logs associated with whatever the service is. Look at your system logs for activity you can't verify.

I would take the advice already given and fire up traffic captures. A capture something like this might provide an indication as to the purpose of the traffic:

tcpdump -s 0 -vvvnni (interface) udp and port 59002

you can append that with 'and host xx.xx.xx.xx' if you want to tie it to a specific IP.

I agree with Web31337, could be residual traffic from a previous lease. If your IP rotates often on a dhcp lease, though, this would indicate it is following your dhcp lease, which would indicate to me something way out of the ordinary is happening.
 
Old 02-12-2010, 09:44 AM   #6
gadgetx23
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your help everyone! Here are some answers to your questions:

Quote:
The IP address shown in your log is blocked out to Charter Communications in North Carolina. They are an ISP, so you could report it to them and they will more than likely deal with it.
My log is full of entries like this one; this is just a sample from one IP address. They are from all different IPs, not just one or two.


Quote:
Do you have a static IP, and do you offer services on your public interface?
Yes, I have a static IP, been mine for quite a few years. I have HTTP, FTP, SSH, IMAP, SMTP, and POP3 open. Is that what you were asking?

Quote:
That's definitely odd behavior, especially when looking at what SANS shows for activity on that port
I did look at that, and that's why I thought it was strange. I don't normally get too concerned when I see things like this; however, just seemed odd to me that I've been getting hit on this port for a month now and no one else has seen this kind of traffic.

Quote:
Captures of wireshark/tcpdump are welcome
Quote:
tcpdump -s 0 -vvvnni (interface) udp and port 59002

Got this running now, and wouldn't you know, after a month of steady traffic; as of midnight last night it started slowing to about 2-3 per hour and haven't gotten a hit for 2 hours now! lol

Doesn't seem like much to be concerned about, but makes me wonder what was causing it...
 
Old 02-12-2010, 05:00 PM   #7
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
If we see some samples of the packets, we'll probably be able to point that out for you without guessing.
 
Old 02-12-2010, 05:17 PM   #8
gadgetx23
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Ok, looks like it's picking up again now. Here's the output:

Code:
root@osiris:/var/log# tcpdump -s 0 -vvvnni eth1 port 59002
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:08:53.108466 IP (tos 0x0, ttl 111, id 51388, offset 0, flags [none], proto UDP (17), length 134) 190.82.177.198.17494 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 106
17:08:56.489058 IP (tos 0x0, ttl 112, id 56468, offset 0, flags [none], proto UDP (17), length 131) 186.59.129.82.57451 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:08:58.949621 IP (tos 0x0, ttl 117, id 37113, offset 0, flags [none], proto UDP (17), length 131) 142.167.116.21.12032 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.452192 IP (tos 0x0, ttl 112, id 11114, offset 0, flags [none], proto UDP (17), length 131) 90.230.170.183.24635 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.463697 IP (tos 0x0, ttl 109, id 12111, offset 0, flags [none], proto UDP (17), length 131) 81.111.65.151.43745 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:08.343871 IP (tos 0x0, ttl 112, id 38150, offset 0, flags [none], proto UDP (17), length 131) 81.181.81.76.50483 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
 
Old 02-12-2010, 05:46 PM   #9
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Nothing really unusual there other than the fact you're getting these packets for some reason. Probably the best thing to do to attempt to figure out why you are getting 131 byte UDP packets from those hosts is to add -X to your tcpdump command to see the actual payloads. I got some unusual UDP traffic before and searching google for a common string in the payload showed it was from Limewire even though I've never used it.
 
Old 02-12-2010, 05:49 PM   #10
gadgetx23
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Here's what that looks like:

Code:
root@osiris:/var/log# tcpdump -X -s 0 -vvvnni eth1 port 59002
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:47:52.174400 IP (tos 0x0, ttl 113, id 22946, offset 0, flags [none], proto UDP (17), length 131) 24.12.34.154.59019 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
        0x0000:  4500 0083 59a2 0000 7111 3396 180c 229a  E...Y...q.3...".
        0x0010:  4542 3c4a e68b e67a 006f c688 6431 3a61  EB<J...z.o..d1:a
        0x0020:  6432 3a69 6432 303a c2a5 5b85 aca1 6609  d2:id20:..[...f.
        0x0030:  02b8 d52b 6dbc 9564 f074 3855 363a 7461  ...+m..d.t8U6:ta
        0x0040:  7267 6574 3230 3ac2 a55e 57d0 ffbb da9c  rget20:..^W.....
        0x0050:  0e77 3dd3 5933 1e34 d8f6 4765 313a 7139  .w=.Y3.4..Ge1:q9
        0x0060:  3a66 696e 645f 6e6f 6465 313a 7434 3a9a  :find_node1:t4:.
        0x0070:  5200 0031 3a76 343a 5554 4076 313a 7931  R..1:v4:UT@v1:y1
        0x0080:  3a71 65                                  :qe
17:47:56.544750 IP (tos 0x0, ttl 107, id 13892, offset 0, flags [none], proto UDP (17), length 134) 201.48.21.89.16688 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 106
        0x0000:  4500 0086 3644 0000 6b11 b90d c930 1559  E...6D..k....0.Y
        0x0010:  4542 3c4a 4130 e67a 0072 6ee1 6431 3a61  EB<JA0.z.rn.d1:a
        0x0020:  6432 3a69 6432 303a 6fb4 c8b2 1a7c 10b6  d2:id20:o....|..
        0x0030:  6744 1b0c 1ccd 0571 669d 73b9 393a 696e  gD.....qf.s.9:in
        0x0040:  666f 5f68 6173 6832 303a c2a5 51c7 3ca7  fo_hash20:..Q.<.
        0x0050:  3f8d 4640 3392 faa2 600f ca69 c968 6531  ?.F@3...`..i.he1
        0x0060:  3a71 393a 6765 745f 7065 6572 7331 3a74  :q9:get_peers1:t
        0x0070:  343a 7349 0000 313a 7634 3a55 5444 0631  4:sI..1:v4:UTD.1
        0x0080:  3a79 313a 7165                           :y1:qe

Last edited by gadgetx23; 02-12-2010 at 05:50 PM.
 
Old 02-12-2010, 06:27 PM   #11
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
From what I can tell, it looks like Bittorrent traffic. I'd double check and make sure no one is using it.
 
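To check that identification against the hex dump in post #10, here is an added example (not code from the thread) that decodes the two UDP payloads as bencoded BitTorrent DHT messages (BEP 5): the first is a find_node query and the second a get_peers query, both from a client identifying itself as "UT" (µTorrent, per BEP 20). The payload bytes are transcribed from the tcpdump -X output above with the IP and UDP headers stripped.

```python
# Added example, not code from the thread: decode the UDP payloads shown in the
# tcpdump -X output. BitTorrent DHT messages (BEP 5) are bencoded dicts where
# 'y' gives the message type, 'q' the query name and 'v' the client version.

def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by 'e'
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            value, pos = bdecode(data, pos)
            items.append(value)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        n = int(data[pos:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"not bencoded data at offset {pos}")

def classify_dht(payload: bytes) -> dict:
    """Summarise one DHT datagram; raise ValueError if it is not one."""
    msg, end = bdecode(payload)
    if end != len(payload) or not isinstance(msg, dict) or b"y" not in msg:
        raise ValueError("not a bencoded DHT message")
    kind = {b"q": "query", b"r": "response", b"e": "error"}.get(msg[b"y"], "unknown")
    out = {"kind": kind, "tid": msg.get(b"t", b"").hex(),
           "client": msg.get(b"v", b"")[:2].decode("ascii", "replace")}  # "UT" = uTorrent
    if kind == "query":
        args = msg[b"a"]
        out["method"] = msg[b"q"].decode()
        out["node_id"] = args[b"id"].hex()
        for key in (b"target", b"info_hash"):       # find_node / get_peers arguments
            if key in args:
                out[key.decode()] = args[key].hex()
    return out

# UDP payloads only (IP and UDP headers stripped), transcribed from the two
# packets in the tcpdump -X dump above.
FIND_NODE = (b"d1:ad2:id20:" + bytes.fromhex("c2a55b85aca1660902b8d52b6dbc9564f0743855")
             + b"6:target20:" + bytes.fromhex("c2a55e57d0ffbbda9c0e773dd359331e34d8f647")
             + b"e1:q9:find_node1:t4:\x9aR\x00\x001:v4:UT@v1:y1:qe")
GET_PEERS = (b"d1:ad2:id20:" + bytes.fromhex("6fb4c8b21a7c10b667441b0c1ccd0571669d73b9")
             + b"9:info_hash20:" + bytes.fromhex("c2a551c73ca73f8d46403392faa2600fca69c968")
             + b"e1:q9:get_peers1:t4:sI\x00\x001:v4:UTD\x061:y1:qe")
```

Running `classify_dht` over the payload of each captured datagram (tcpdump's "length 103" / "length 106") is enough to tell DHT chatter left over from a previous user of the address apart from traffic that needs further investigation.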
Old 02-13-2010, 02:48 AM   #12
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
OlRoy is right, it's BitTorrent.
If you are sure no one uses it, perhaps someone made a stupid attempt to DDoS you by adding your IP on his own tracker, which is probably popular, or I don't know. Anyway, it's shared somewhere in some cache.
If you don't run it anywhere, there's probably no way to stop this flood.
But does that bother you? Do you pay for traffic? If not, then why worry?
 
Old 02-13-2010, 07:58 AM   #13
gadgetx23
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Well, I can't say that that no one has EVER used it on my network, but I did check the 6 computers currently running on the network and didn't find any P2P software.

I wouldn't say I'm worried about it, just wondered what it was. Thanks for all the input!
 