On 06/04/2011 12:59 PM, Amos Jeffries wrote:
Bal Krishna Adhikari 6/3/2011 6:13 AM

Hello,

I found a lot of UDP connections coming to my proxy servers.
I can't find the cause of such one-way traffic to my servers.
A sample of the UDP traffic is as follows:

14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30

Does anyone have any idea whether the traffic is genuine or some kind of attack?
x.x.x.x is my proxy server.

--- Bal Krishna


On 04/06/11 01:16, Chad Naugle wrote:
> Check the hostname of these IP addresses.  They could be DNS replies,
> using random ports for source/destinations.  Squid can generate tons of
> DNS traffic.


I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a fixed well-known port at one end and a rarely changing port at the other.

It could be anything else on the box though.

There are a few CVE attacks this could be, two using DNS and one HTCP.
If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are safe from those. They are just annoying.

If you have a Squid-3.1+ with an IPv6 address publicly advertised this could be a sign of v6 connection attempts. Several IP tunnel protocols involve UDP handshakes.

Amos

I'm currently using 2.7 STABLE9.
And the connections seem to have increased compared to earlier.
Can blocking UDP other than DNS and SNMP from outside solve the problem?


-- Bal Krishna
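As an added example (not code from the thread or from Squid), here is a small Python check that applies the heuristic Amos gives above: Squid's own UDP traffic (DNS, ICP, HTCP) always has a well-known port at one end, so packets with high/random ports on both ends are not Squid's and are candidates for the kind of filter Bal asks about. The port table is the standard default assignment (DNS 53, ICP 3130, HTCP 4827, SNMP 161) and the sample lines are constructed in the tcpdump format shown in the thread.

```python
import re
from collections import Counter

# Default UDP ports Squid uses (DNS, ICP, HTCP); SNMP is included because the
# thread proposes allowing it through the filter. Non-default configs differ.
SQUID_UDP_PORTS = {53: "dns", 3130: "icp", 4827: "htcp", 161: "snmp"}

# Matches "HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\w.]+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump UDP summary line into a dict, or return None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "len"):
        d[k] = int(d[k])
    return d


def classify(pkt):
    """Label a packet by the well-known port at either end, else 'unsolicited'."""
    for port in (pkt["sport"], pkt["dport"]):
        if port in SQUID_UDP_PORTS:
            return SQUID_UDP_PORTS[port]
    return "unsolicited"  # random ports at both ends: not Squid's DNS/ICP/HTCP


def summarize(lines):
    """Count packets per class; a large 'unsolicited' count is what the thread saw."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            counts[classify(pkt)] += 1
    return counts


# Constructed sample: three lines in the thread's format plus one DNS reply
# (made up for contrast) so both branches of classify() are exercised.
SAMPLE = """\
14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
14:00:08.200000 IP 10.0.0.53.53 > x.x.x.x.40123: UDP, length 120
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))  # Counter({'unsolicited': 3, 'dns': 1})
```

Feeding a real `tcpdump -n udp` capture into `summarize()` gives a quick count of how much of the UDP noise is outside the ports Squid actually needs.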
