Re: [squid-users] lots of UDP connections

From: Bal Krishna Adhikari <balkrishna_at_subisu.net.np>
Date: Sun, 05 Jun 2011 10:40:31 +0545

On 06/04/2011 12:59 PM, Amos Jeffries wrote:
>>>>> Bal Krishna Adhikari 6/3/2011 6:13 AM
>>>>>
>> Hello,
>>
>> I found a lot of UDP connections that are coming to my proxy servers.
>> I don't find the cause of such one-way traffic to my servers.
>> The sample UDP traffic is as :-
>>
>> 14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
>> 14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
>> 14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
>> 14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
>> 14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
>> 14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
>> 14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
>> 14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
>> 14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
>> 14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
>> 14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
>> 14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
>> 14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
>> 14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
>> 14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
>> 14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
>> 14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
>> 14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
>> 14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
>> 14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
>> 14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
>> 14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
>> 14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
>> 14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
>> 14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
>> 14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
>> 14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30
>>
>> Does anyone have any idea whether the traffic is genuine or some kind of attack?
>> x.x.x.x is my proxy server.
>>
>> --- Bal Krishna
>>
>
> On 04/06/11 01:16, Chad Naugle wrote:
> > Check the hostname of these IP addresses. They could be DNS replies,
> > using random ports for source/destinations. Squid can generate tons of
> > DNS traffic.
>
>
> I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a
> fixed well-known port at one end and a rarely changing port at the other.
>
> It could be anything else on the box though.
>
> There are a few CVE attacks this could be, two using DNS and one HTCP.
> If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are safe
> from those. They are just annoying.
>
> If you have a Squid-3.1+ with an IPv6 address publicly advertised this
> could be a sign of v6 connection attempts. Several IP tunnel protocols
> involve UDP handshakes.
>
> Amos

I'm currently using 2.7 STABLE9.
And the connections seem to have increased compared to earlier.
Can blocking UDP other than DNS and SNMP from outside solve the
problem?

-- Bal Krishna
Received on Sun Jun 05 2011 - 04:55:51 MDT
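The rule Amos applies above (Squid's own UDP traffic, whether DNS, ICP or HTCP, has a fixed well-known port at one end and a rarely changing port at the other) can be checked mechanically against a tcpdump capture. The script below is an added example, not code from the thread or from the Squid project; the sample lines are constructed with RFC 5737 placeholder addresses, and the port table and the choice of "more than one distinct local port with no well-known port anywhere" as the tell-tale are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines quoted in the thread (RFC 5737
# placeholder addresses; 192.0.2.1 stands in for the proxy "x.x.x.x"). The last two
# lines are added DNS replies to show what Squid's own UDP traffic looks like.
SAMPLE = """\
14:00:07.506612 IP 198.51.100.10.10027 > 192.0.2.1.65453: UDP, length 30
14:00:07.518118 IP 198.51.100.11.41597 > 192.0.2.1.64338: UDP, length 30
14:00:07.572559 IP 198.51.100.12.29978 > 192.0.2.1.62782: UDP, length 30
14:00:07.596554 IP 198.51.100.13.36895 > 192.0.2.1.15786: UDP, length 30
14:00:08.078260 IP 198.51.100.14.61957 > 192.0.2.1.26071: UDP, length 67
14:00:08.100000 IP 198.51.100.53.53 > 192.0.2.1.40000: UDP, length 120
14:00:08.100500 IP 198.51.100.60.53 > 192.0.2.1.40000: UDP, length 96
"""

# UDP services Squid itself speaks (DNS, ICP, HTCP) plus SNMP; each sits on a fixed port at one end.
KNOWN_UDP_PORTS = {53: "dns", 3130: "icp", 4827: "htcp", 161: "snmp", 162: "snmp-trap"}

# Tolerates the missing space before ">" and the "x.x.x.x" masking seen in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\w.]+)\.(?P<sport>\d+)\s*>\s*(?P<dst>[\w.]+)\.(?P<dport>\d+):"
    r" UDP, length (?P<length>\d+)$"
)

def parse(text):
    """Turn tcpdump UDP summary lines into dicts; lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "length"):
                d[k] = int(d[k])
            flows.append(d)
    return flows

def classify(flow):
    """Name the service if either end is on a well-known UDP port, otherwise 'unknown'."""
    return KNOWN_UDP_PORTS.get(flow["sport"]) or KNOWN_UDP_PORTS.get(flow["dport"]) or "unknown"

def summarize(text):
    """Squid's UDP keeps one fixed port and one rarely changing port per service, so
    'unknown' flows that fan out over many local ports from many sources are not Squid's own."""
    flows = parse(text)
    unknown = [f for f in flows if classify(f) == "unknown"]
    return {
        "by_service": dict(Counter(classify(f) for f in flows)),
        "unknown_distinct_dports": len({f["dport"] for f in unknown}),
        "unknown_distinct_sources": len({f["src"] for f in unknown}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the real capture (tcpdump -n udp) instead of SAMPLE; a large unknown_distinct_dports count alongside a healthy dns bucket on one local port is the pattern the thread describes.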
