Bal Krishna Adhikari 6/3/2011 6:13 AM

Hello,

I found a lot of UDP connections that are coming to my proxy servers.
I don't find the cause of such one-way traffic to my servers.
The sample UDP traffic is as follows:

14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30

Does anyone have any idea if the traffic is genuine or some kind of attack?
x.x.x.x is my proxy server.

--- Bal Krishna


On 04/06/11 01:16, Chad Naugle wrote:
> Check the hostname of these IP addresses.  They could be DNS replies,
> using random ports for source/destinations.  Squid can generate tons of
> DNS traffic.


I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a fixed well-known port at one end and a rarely changing port at the other.

It could be anything else on the box though.

There are a few CVE attacks this could be, two using DNS and one HTCP.
If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+, you are safe from those. They are just annoying.

If you have a Squid-3.1+ with an IPv6 address publicly advertised this could be a sign of v6 connection attempts. Several IP tunnel protocols involve UDP handshakes.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2
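Amos's port-based reasoning can be turned into a quick triage script. The following is an added example, not code from the thread or from the Squid project: it parses tcpdump UDP summary lines (re-joining the "length" values that wrapped onto the next line in the mail), checks whether either endpoint sits on one of Squid's UDP service ports, and summarises the remainder. The port numbers 53 (DNS), 3130 (ICP) and 4827 (HTCP) are the standard defaults and are an assumption of this example, as is the final line of the sample, a constructed DNS reply from a documentation-range address added only for contrast with the lines Bal Krishna posted.

```python
import re
from collections import Counter

# UDP services Squid itself speaks (the three Amos names). Standard default
# port numbers are assumed here; they are not taken from the thread.
SQUID_UDP_PORTS = {53: "DNS", 3130: "ICP", 4827: "HTCP"}

# tcpdump's one-line UDP summary, with or without a space before '>'.
# The masked proxy address x.x.x.x is accepted like any other host token.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\S+?)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)"
)

# First five lines are from the thread (two kept in their mail-wrapped form);
# the last line is constructed for this example and is not from the capture.
SAMPLE = """\
14:00:07.506612 IP 41.209.69.146.10027>  x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597>  x.x.x.x.64338: UDP, length
30
14:00:07.572559 IP 85.224.143.193.29978>  x.x.x.x.62782: UDP, length
30
14:00:07.596554 IP 183.87.200.42.36895>  x.x.x.x.15786: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957>  x.x.x.x.26071: UDP, length 67
14:00:09.000000 IP 192.0.2.53.53 > x.x.x.x.40001: UDP, length 120
"""


def parse_tcpdump_udp(text):
    """Parse tcpdump UDP lines; a bare number on its own line is a wrapped length."""
    joined = []
    for ln in (l.strip() for l in text.splitlines() if l.strip()):
        if ln.isdigit() and joined and joined[-1].endswith("length"):
            joined[-1] += " " + ln  # continuation of the previous line
        else:
            joined.append(ln)
    flows = []
    for ln in joined:
        m = LINE_RE.match(ln)
        if not m:
            continue  # not a UDP summary line; ignore
        d = m.groupdict()
        flows.append({
            "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
        })
    return flows


def classify_flow(flow):
    """Return the Squid service name if either endpoint uses its well-known port, else None."""
    for port in (flow["sport"], flow["dport"]):
        if port in SQUID_UDP_PORTS:
            return SQUID_UDP_PORTS[port]
    return None


def triage(flows):
    """Summarise a capture the way Amos reasons: do the ports fit DNS/ICP/HTCP at all?"""
    labelled = [(f, classify_flow(f)) for f in flows]
    known = Counter(name for _, name in labelled if name)
    unknown = [f for f, name in labelled if name is None]
    return {
        "total": len(flows),
        "known_service": dict(known),
        "unknown": len(unknown),
        # Many distinct sources, all on random ports both ends, is the pattern
        # Amos says genuine Squid DNS/ICP/HTCP traffic never produces.
        "distinct_sources": len({f["src"] for f in unknown}),
        "distinct_dst_ports": len({f["dport"] for f in unknown}),
        "lengths": dict(Counter(f["length"] for f in unknown)),
        "looks_like_squid_traffic": not unknown,
    }


if __name__ == "__main__":
    for key, value in triage(parse_tcpdump_udp(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against a full capture, the "unknown" bucket is what needs explaining: if it is non-empty while Squid's own DNS, ICP and HTCP flows all land in "known_service", the stray packets are addressed to ports Squid never listens on, and the next step is to look at whatever else on the host has those UDP sockets open (for example with `netstat -anup` or `ss -anup`).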
