OT: Anyone seeing these sorts of probes? Port 46993 udp?

James Hess mysidia at gmail.com
Fri Mar 12 00:31:06 CST 2010


Well, those UDP captures appear to be BitTorrent Peer-to-Peer file
sharing traffic, or something disguised as such.
Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a"
and also the textual reference to info_hash

On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixurpc at gmail.com> wrote:
>
> Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
> seen this behavior or perhaps can enlighten me to its origin/virus/meaning?
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
> 0060  79 31 3a 71 65                                    y1:qe
>
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
> 0060  79 31 3a 71 65                                    y1:qe
>
> I'm seeing thousands of these per minute at one location, hundreds of unique
> IP addresses. Some sort of bot net maybe?
>
>
> Thanks much
>
> Joe
>
>
>



-- 
-J



