Reversed udp addresses

Russell Fulton r.fulton at auckland.ac.nz
Tue May 11 01:03:33 EDT 1999


Greetings All,
	     Today I spotted some rather odd logs from argus.  My
simple ID system picked up a udp scan of one of our subnets and when I
used ra to extract all traffic for the source address this is the sort
of record I got:

Tue 05/11 15:31:55      udp   130.216.168.1.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.1.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.2.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.2.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.3.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.3.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.4.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM

So far as I can see all traffic was initiated by aaa.bbb.37.70 (number
disguised to protect the guilty ;-) yet on half the records the
130.216 address (ours) was shown as 'source'.  I have had a look at
the ra source and can't find any code that swaps udp src and dest
addresses (as there is for tcp) therefore it must be the server that
is assigning the addresses this way.

My guess is that it is doing this because aaa.bbb.37.70.1755 is
appearing as both a source and destination.  Sigh...

It is rather confusing when presenting logs as evidence of scans or
attacks. 

BTW 5632 is used by PCAnywhere :-( and, no, I'm not telling if any
machines responded ;-)

Cheers, Russell.
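The practical problem in the post is that half the records for one scanner show the scanned host on the left, so a naive "group by first address" view splits the scan in two. The script below is an added example (not argus code and not Russell's) that parses ra-style lines, flips every `<-` record so the initiator is always on the left with its packet and byte counts swapped to match, and then reports any initiator that reached several distinct hosts. It assumes the column layout visible in the post (date, time, proto, addr1, direction, addr2, src pkts, dst pkts, src bytes, dst bytes, state), that the "src" counts belong to the left-hand address, and that the port is the last dotted field of each address. The sample input is constructed from the quoted records plus one benign DNS flow added so the detector has something to ignore; the threshold of three hosts is an arbitrary choice.

```python
"""Normalize ra(1)-style argus flow records so the initiating host is always
on the left, then look for one initiator touching many hosts.

Added example, not argus code.  Assumed column layout (taken from the post):
  date time proto addr1 dir addr2 src_pkts dst_pkts src_bytes dst_bytes state
where the src_* counts belong to addr1 and "<-" means the packets went from
addr2 to addr1.  The port is assumed to be the last dotted field of an address.
"""
import re
from collections import defaultdict

# Constructed sample input in the shape of the records quoted in the post
# (aaa.bbb.37.70 is the post's own masked address).  The last line is a
# made-up benign DNS flow so the detector has something to leave alone.
SAMPLE_RA = """\
Tue 05/11 15:31:55      udp   130.216.168.1.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.1.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.2.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.2.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.3.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:31:55      udp   aaa.bbb.37.70.1755   ->   130.216.168.3.22    1      0       10        0        TIM
Tue 05/11 15:31:55      udp   130.216.168.4.5632  <-    aaa.bbb.37.70.1755  0      1       0         10       TIM
Tue 05/11 15:32:01      udp   130.216.168.9.1041   ->   130.216.1.1.53      1      1       60        120      CON
"""

_ADDR = re.compile(r"^(.+)\.(\d+)$")  # host.port: the port is the last dotted field


def split_addr(addr):
    """'130.216.168.1.5632' -> ('130.216.168.1', 5632)."""
    m = _ADDR.match(addr)
    if not m:
        raise ValueError("bad address: %r" % addr)
    return m.group(1), int(m.group(2))


def parse_ra_line(line):
    """Parse one ra output line into a dict; return None for non-record lines."""
    f = line.split()
    if len(f) != 12 or f[5] not in ("->", "<-", "<->"):
        return None
    a_host, a_port = split_addr(f[4])
    b_host, b_port = split_addr(f[6])
    return {
        "time": " ".join(f[0:3]), "proto": f[3], "dir": f[5],
        "src": (a_host, a_port), "dst": (b_host, b_port),
        "spkts": int(f[7]), "dpkts": int(f[8]),
        "sbytes": int(f[9]), "dbytes": int(f[10]), "state": f[11],
    }


def normalize(rec):
    """Return a copy with the initiator on the left ('->') and the per-side
    counts swapped to match, so '<-' records line up with '->' records."""
    if rec["dir"] != "<-":
        return dict(rec)
    out = dict(rec)
    out["src"], out["dst"] = rec["dst"], rec["src"]
    out["spkts"], out["dpkts"] = rec["dpkts"], rec["spkts"]
    out["sbytes"], out["dbytes"] = rec["dbytes"], rec["sbytes"]
    out["dir"] = "->"
    return out


def find_scanners(text, min_hosts=3):
    """Map each initiator host to the sorted (dst_host, dst_port) pairs it
    touched, keeping only initiators that reached at least min_hosts hosts."""
    touched = defaultdict(set)
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is None:
            continue
        rec = normalize(rec)
        touched[rec["src"][0]].add(rec["dst"])
    return {
        host: sorted(pairs)
        for host, pairs in touched.items()
        if len({h for h, _ in pairs}) >= min_hosts
    }


if __name__ == "__main__":
    for host, targets in find_scanners(SAMPLE_RA).items():
        print("%s probed %d host/port pairs:" % (host, len(targets)))
        for h, p in targets:
            print("    %s port %d" % (h, p))
```

Run it on a real `ra` dump by replacing `SAMPLE_RA` with the file contents; once the direction is normalized the whole sweep collapses to a single initiator, which is the form you want when handing the records to someone else as evidence.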
