Interesting netflow entry
Wil Schultz
wschultz at wilcomm.net
Mon Feb 6 21:15:06 UTC 2006
After setting up netflow this morning I have a recurring flow that
seems bothersome to me. I have an internal host (10.X.X.99) that
continually attempts to hit various external hosts (AA, BB, CC, etc...)
on seemingly random ports but always sources port udp.1204. In about 2
hours this host has hit 155 different external hosts, some of them once
or twice and some of them more than 10 times. Below is a sanitised 10
minute output.

11:41:37.031 0.000 UDP 10.XX.XX.99:1204 -> AA.AA.AA.AA:46299 (RoadRunner, VA US)
11:42:07.032 0.000 UDP 10.XX.XX.99:1204 -> BB.BB.BB.BB:15989 (Comcast, MI US)
11:42:37.096 0.000 UDP 10.XX.XX.99:1204 -> CC.CC.CC.CC:52566 (Comcast, IL US)
11:43:17.204 0.000 UDP 10.XX.XX.99:1204 -> DD.DD.DD.DD:47756 (Adelphia, CA US)
11:45:27.521 0.000 UDP 10.XX.XX.99:1204 -> EE.EE.EE.EE:20797 (Tokyo)
11:46:07.685 0.000 UDP 10.XX.XX.99:1204 -> FF.FF.FF.FF:21363 (Surrey UK)
11:48:47.991 0.000 UDP 10.XX.XX.99:1204 -> GG.GG.GG.GG:48324 (Israel)

Interestingly enough, I've checked to see if this seemingly random port
was actually listening and each of the 15-20 hosts I've checked are all
listening on their port, i.e. AA.AA.AA.AA has udp.46299 open while
BB.BB.BB.BB has udp.15989 open. When a host was contacted multiple times
the "random" dstport is always the same.
Anyone have any clue as to what could be going on here?
-Wil
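
Added example, not part of the original post: a Python script that groups flow records in the layout shown above by source address and source port, reports sources that reach many distinct hosts from one fixed port, and notes whether each destination was always contacted on the same port. The sample records, the addresses (documentation ranges), the function names and the min_peers threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the post's layout (time, duration, proto, src -> dst).
# Addresses are documentation-range placeholders, not data from the post.
SAMPLE = """\
11:41:37.031 0.000 UDP 10.0.0.99:1204 -> 192.0.2.10:46299
11:42:07.032 0.000 UDP 10.0.0.99:1204 -> 198.51.100.7:15989
11:42:37.096 0.000 UDP 10.0.0.99:1204 -> 203.0.113.5:52566
11:43:17.204 0.000 UDP 10.0.0.99:1204 -> 192.0.2.10:46299
11:44:02.410 0.000 UDP 10.0.0.23:53211 -> 192.0.2.53:53
11:45:27.521 0.000 UDP 10.0.0.99:1204 -> 198.51.100.7:15989
"""

# Address fields accept sanitised forms such as 10.XX.XX.99 or AA.AA.AA.AA;
# anything after the destination port (e.g. a geo annotation) is ignored.
FLOW = re.compile(
    r"^(?P<time>\S+)\s+(?P<dur>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)"
)

def summarize(text):
    """Map (proto, src, sport) -> {dst: set of destination ports seen}."""
    talkers = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:
            key = (m["proto"], m["src"], int(m["sport"]))
            talkers[key][m["dst"]].add(int(m["dport"]))
    return talkers

def fixed_port_fanout(text, min_peers=3):
    """List sources that reach >= min_peers hosts from a single source port,
    flagging whether every destination was always hit on the same port."""
    report = []
    for (proto, src, sport), peers in summarize(text).items():
        if len(peers) >= min_peers:
            stable = all(len(ports) == 1 for ports in peers.values())
            report.append({"proto": proto, "src": src, "sport": sport,
                           "peers": len(peers), "stable_dport": stable})
    return sorted(report, key=lambda r: -r["peers"])

if __name__ == "__main__":
    for row in fixed_port_fanout(SAMPLE):
        print(row)
```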