[sage] Rätselhafte UDP Verbindungsversuche

Wulf-Burkhard Goehmann goehmann at zedat.fu-berlin.de
Mon Dec 22 19:23:11 CET 2008 

Hallo,

On Fri, 19 Dec 2008, Juergen Kahnert wrote:
> wir beobachten hier zur Zeit viele UDP Verbindungsversuche (..) Die 
> versuchen diese IP immer auf UDP Port 62997 zu erreichen. Und das
> seit Monaten mit wachsender Begeisterung. Was da geschickt wird 
> ergibt für uns wenig Sinn.

auch wir (FU-Berlin) haben so eine IP-Adresse, die derartigen Traffic
abbekommt. Bei uns ist das offenbar ein "Linksys Wireless print 
server" ("connects to parallel- and USB-based printers"), der dabei 
selber allerdings vollkommen passiv zu sein scheint.

> Die Pakete ähneln sich und der Datenanteil sieht in etwa so aus:
>     6a00 0000 0032 0001 0100 0006 0000 1500 0000 f74b 26f3 c59c 4800 7ce6 12d1 4007 0000 0000 0000 0001 0004 0000 001f 2700 0002 0015 0000 0013 a127 f304 aa48 00de f1a9 8315 f669 01a8 c0f6 1500 0400 0400 0000 0200 0000 0500 0800 0000 66dd 93d2 e208 2a00 0600 0400 0000 0000 0000

Bei uns ganz ähnlich. Hier sind mal einige Paare Quell-IP-Adressen und 
der Datenanteil des zugehoerigen UDP-Pakets, aber aus dem variablen 
Teil werde ich nicht schlau:

222.134.185.91  6a000000003200010100000600001500000000887e43e36d4801de8120e3ec51000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f6150004000400000064000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a00000000320001010000060000150000000f953a34e8432a017be8906cc610000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f6150004000400000024000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a000000003200010100000600001500000041b5372c197225007b7488e4a80d000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f6150004000400000010000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a00000000320001010000060000150000006c521374fb6e2501ddd952f53b04000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f615000400040000001a000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a000000003200010100000600001500000093a61840847f25003d3286ee9006000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f615000400040000006b000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a0000000032000101000006000015000000986312518c622501de83bc30fa1a000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f615000400040000001c000000050008000000ff7318a25f7f250106000400000000000000
222.134.185.91  6a0000000032000101000006000015000000b1902ee19b072a01da3b4751570a000000000000000100040000001f270000020015000000702e886745c948017c802da015f67901a8c0f6150004000400000054000000050008000000ff7318a25f7f250106000400000000000000
222.135.13.84   6a000000003200010100000600001500000009322ed9477025017be9bebc860f000000000000000100040000001f270000020015000000f27c88a2a2c948017c802da015f63000a8c0f6150004000400000002030000050008000000032a8605ccb9480106000400000000000000
222.135.25.28   6a00000000320001010000060000150000001cb02897bae929017c84610d5a0e000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f615000400040000001e0000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000365420ab1fca29017b814ca2f206000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000c20000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a00000000320001010000060000150000007e370009fc242500dd02e0d4b17b000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000640000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000be82028134f72400de85708f59f0000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000010000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000c206882e09c94801de855543f204000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000160000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000ce1e0df8e95225017d22babdebd3000000000000000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f615000400040000009c0000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000cf06883409c94801de8451460f6c0c01a8c0f615000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000060000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000e806884309c948013cd027bc57052000a8c0f615000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f615000400040000000c0000000500080000004dff879c03c9480106000400000000000000
222.135.25.28   6a0000000032000101000006000015000000ecaa830a929c48007c87ffcf3fad6701a8c0f615000100040000001f2700000200150000008106880e09c948017c802da00bdd2f00a8c0f61500040004000000070000000500080000004dff879c03c9480106000400000000000000
222.135.193.91  6a000000003200010100000600001500000013412ffa16082a017c80a8bbc9d9000000000000000100040000001f270000020015000000301587b916bb48017c802da015f64e00a8c0f6150004000400000003010000050008000000abec03e20a33250006000400000000000000
222.135.193.91  6a000000003200010100000600001500000029a3013bbc2525003cd3ca73b20d000000000000000100040000001f270000020015000000301587b916bb48017c802da015f64e00a8c0f61500040004000000a3010000050008000000abec03e20a33250006000400000000000000
222.135.193.91  6a0000000032000101000006000015000000db3900d0fc242500de862253f90f000000000000000100040000001f270000020015000000301587b916bb48017c802da015f64e00a8c0f6150004000400000002020000050008000000abec03e20a33250006000400000000000000
222.135.193.91  6a0000000032000101000006000015000000e51208a7ac4325013cd6a37240e3000000000000000100040000001f270000020015000000301587b916bb48017c802da015f64e00a8c0f6150004000400000051010000050008000000abec03e20a33250006000400000000000000

Top-Zielports bei uns:
Prot       Dst IP Addr:Port  Packets   Bytes Flows
UDP  -> 160.45.xxx.yyy:62997  37.6 M   5.1 G 39437896
UDP  -> 160.45.xxx.yyy:17537  276615  36.4 M 276615
UDP  -> 160.45.xxx.yyy:13771  276393  36.4 M 276393
UDP  -> 160.45.xxx.yyy:40038  240109  31.6 M 240109
UDP  -> 160.45.xxx.yyy:32217  202548  26.7 M 202548
UDP  -> 160.45.xxx.yyy:41498  196835  25.9 M 196835
UDP  -> 160.45.xxx.yyy:40196  145566  19.2 M 145419
UDP  -> 160.45.xxx.yyy:11120  140270  18.5 M 140270
UDP  -> 160.45.xxx.yyy:4441   132219  17.4 M 132219
UDP  -> 160.45.xxx.yyy:13879  130906  16.4 M 121217
UDP  -> 160.45.xxx.yyy:3601   114262  15.0 M 114187
UDP  -> 160.45.xxx.yyy:56261  110173  14.5 M 110173

Top-Quell-IPs bei uns:
Proto   Src IP               Dst IP Addr:Port   Packets    Bytes Flows
UDP  [221.0.46.98]     -> 160.45.xxx.yyy:62997   446840   58.8 M 446840
UDP  [218.56.60.125]   -> 160.45.xxx.yyy:62997   324117   42.7 M 324117
UDP  [124.135.222.198] -> 160.45.xxx.yyy:62997   284437   37.4 M 284437
UDP  [218.56.200.23]   -> 160.45.xxx.yyy:13771   245529   32.3 M 245529
UDP  [123.123.108.62]  -> 160.45.xxx.yyy:62997   233542   30.7 M 233542
UDP  [124.132.225.33]  -> 160.45.xxx.yyy:32217   202548   26.7 M 202548
UDP  [60.213.156.139]  -> 160.45.xxx.yyy:41498   194932   25.7 M 194932
UDP  [60.212.9.2]      -> 160.45.xxx.yyy:62997   182618   24.0 M 182618

und das sind die Top-Quell-Netze:
Proto    Src Net            Dst IP Addr:Port   Packets  Bytes Flows
UDP  124.128.0.0/13  ->  160.45.xxx.yyy:62997  9.0 M    1.2 G 9406102 #CNC Group CHINA169 Shandong Province Network
UDP   60.208.0.0/13  ->  160.45.xxx.yyy:62997  6.7 M  927.0 M 7041026 #CNC Group CHINA169 Shandong Province Network
UDP  222.128.0.0/13  ->  160.45.xxx.yyy:62997  3.0 M  417.8 M 3173074 #CNCGROUP Beijing province network
UDP  123.128.0.0/13  ->  160.45.xxx.yyy:62997  2.7 M  375.7 M 2854120 #CNCGROUP Shandong Province Network
UDP  123.232.0.0/13  ->  160.45.xxx.yyy:62997  2.5 M  341.2 M 2592617 #CNC Group CHINA169 Shandong Province Network
UDP   218.56.0.0/13  ->  160.45.xxx.yyy:62997  2.4 M  329.8 M 2505577 #CNCGROUP Shandong province network
UDP   60.216.0.0/13  ->  160.45.xxx.yyy:62997  2.3 M  319.6 M 2426626 #CNC Group CHINA169 Shandong Province Network
UDP    221.0.0.0/13  ->  160.45.xxx.yyy:62997  2.2 M  298.8 M 2270129 #CNC Group CHINA169 Shandong Province Network

Ich habe natürlich keine Ahnung, was das ganze soll, und wäre für 
Hinweise entsprechend dankbar...

Viele Gruesse, -wb
-- 
Wulf-Burkhard Goehmann      | Freie Universitaet Berlin, ZEDAT
goehmann at ZEDAT.FU-Berlin.DE | Zentraleinrichtung fuer Datenverarbeitung
Telefon: +49 30 838-55134   | Fabeckstrasse 32, D-14195 Berlin, Germany
Telefax: +49 30 838455134   | http://www.zedat.fu-berlin.de

More information about the SAGE mailing list