Massive UDP traffic on port 62997
Hi,
During recent days I received a massive increase in UDP traffic on port 62997. Interestingly, all the traffic is directed to a single destination machine whose IP address is x.x.x.221. All of the traffic has a 110-byte payload. The traffic normally comes from a small number of sources, all from China, and they use a large number of source ports. The sample payload is given below:
0000 6a 00 00 00 00 32 00 01 01 00 00 06 00 00 15 00 j....2..........
0010 00 00 31 e9 0d 41 74 a1 3c 01 dd d0 2f 32 33 09 ..1..At.<.../23.
0020 3a 01 a8 c0 f6 15 00 01 00 04 00 00 00 1f 27 00 :.............'.
0030 00 02 00 15 00 00 00 55 d1 0d ae 69 a1 3c 01 dd .......U...i.<..
0040 cf b5 83 15 f6 50 01 a8 c0 f6 15 00 04 00 04 00 .....P..........
0050 00 00 09 00 00 00 05 00 08 00 00 00 26 e1 0d 7b ............&..{
0060 70 a1 3c 01 06 00 04 00 00 00 00 00 00 00 p.<...........
A similar behaviour is observed on port 6660, which is used by IRC. The same destination address and destination port were targeted. A similar activity is observed on ports 13000-14000, with the same destination address being targeted. However, in this case a large number of sources has been observed, again all from China. Any insight into this matter will be highly appreciated.
Cheers,
Ejaz
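As an added example (not part of the post above, and not the poster's code), the following script decodes the hex dump quoted in the post and then applies the pattern the post describes (one destination port, few sources cycling through many source ports, a constant payload size) to constructed flow records. The flow records, the source addresses and the thresholds are all assumptions; only the destination x.x.x.221:62997 and the 110-byte payload size come from the post.

```python
from collections import Counter, defaultdict
from itertools import takewhile

# The dump quoted in the post (offset column kept, ASCII column dropped).
HEXDUMP = """\
0000 6a 00 00 00 00 32 00 01 01 00 00 06 00 00 15 00
0010 00 00 31 e9 0d 41 74 a1 3c 01 dd d0 2f 32 33 09
0020 3a 01 a8 c0 f6 15 00 01 00 04 00 00 00 1f 27 00
0030 00 02 00 15 00 00 00 55 d1 0d ae 69 a1 3c 01 dd
0040 cf b5 83 15 f6 50 01 a8 c0 f6 15 00 04 00 04 00
0050 00 00 09 00 00 00 05 00 08 00 00 00 26 e1 0d 7b
0060 70 a1 3c 01 06 00 04 00 00 00 00 00 00 00
"""

def parse_hexdump(text):
    """Decode 'offset b0 b1 ...' lines; stops at the first non-hex token, so a
    trailing ASCII column (as in tcpdump -X output) is ignored safely."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()[1:]  # drop the offset column
        is_hex = lambda t: len(t) == 2 and all(c in "0123456789abcdefABCDEF" for c in t)
        out.extend(int(t, 16) for t in takewhile(is_hex, tokens))
    return bytes(out)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload_len).
# Two sources each sweep hundreds of source ports with a fixed 110-byte payload;
# the DNS rows are benign background that must not be flagged.
SAMPLE_FLOWS = (
    [("198.51.100.7", 20000 + i, "x.x.x.221", 62997, 110) for i in range(300)]
    + [("198.51.100.9", 40000 + i, "x.x.x.221", 62997, 110) for i in range(250)]
    + [("203.0.113.5", 53, "x.x.x.221", 53, 80 + i % 40) for i in range(100)]
)

def flag_fixed_payload_udp(flows, min_packets=200, min_src_ports=100, min_fixed_ratio=0.9):
    """Group flows by destination; flag targets where one payload size dominates
    and at least one source has used many distinct source ports."""
    by_target = defaultdict(list)
    for src, sport, dst, dport, plen in flows:
        by_target[(dst, dport)].append((src, sport, plen))
    findings = []
    for (dst, dport), recs in by_target.items():
        if len(recs) < min_packets:
            continue
        size, n = Counter(p for _, _, p in recs).most_common(1)[0]
        ports_per_src = defaultdict(set)
        for src, sport, _ in recs:
            ports_per_src[src].add(sport)
        if n / len(recs) >= min_fixed_ratio and max(len(s) for s in ports_per_src.values()) >= min_src_ports:
            findings.append({"target": f"{dst}:{dport}", "payload_len": size,
                             "packets": len(recs), "sources": sorted(ports_per_src)})
    return findings
```

On real data, feed the function from a flow export (e.g. a NetFlow/IPFIX or `tcpdump` summary converted to the same five-tuple shape); the thresholds are starting points to tune against the site's normal UDP profile.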