Interesting netflow entry

Wil Schultz wschultz at
Mon Feb 6 21:15:06 UTC 2006

After setting up netflow this morning I have a recurring flow that 
seems bothersome to me. I have an internal host (10.X.X.99) that 
continually attempts to hit various external hosts (AA, BB, CC, etc...) 
on seemingly random ports but always sources port udp.1204. In about 2 
hours this host has hit 155 different external hosts, some of them once 
or twice and some of them more than 10 times. Below is a sanitised 10 
minute output.

11:41:37.031    0.000 UDP  10.XX.XX.99:1204  ->    AA.AA.AA.AA:46299       (RoadRunner, VA US)
11:42:07.032    0.000 UDP  10.XX.XX.99:1204  ->    BB.BB.BB.BB:15989       (Comcast, MI US)
11:42:37.096    0.000 UDP  10.XX.XX.99:1204  ->    CC.CC.CC.CC:52566       (Comcast, IL US)
11:43:17.204    0.000 UDP  10.XX.XX.99:1204  ->    DD.DD.DD.DD:47756       (Adelphia, CA US)
11:45:27.521    0.000 UDP  10.XX.XX.99:1204  ->    EE.EE.EE.EE:20797
11:46:07.685    0.000 UDP  10.XX.XX.99:1204  ->    FF.FF.FF.FF:21363       (Surrey UK)
11:48:47.991    0.000 UDP  10.XX.XX.99:1204  ->    GG.GG.GG.GG:48324

Interestingly enough, I've checked to see if this seemingly random port 
was actually listening and each of the 15-20 hosts I've checked are all 
listening on their port, i.e. AA.AA.AA.AA has udp.46299 open while 
BB.BB.BB.BB has udp.15989 open. When a host was contacted multiple times 
the "random" dstport is always the same.

Anyone have any clue as to what could be going on here?
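
Added example, not part of the original post: a small Python check that flags the pattern described above in flow records, namely one source host and fixed source port reaching many external hosts, each always on the same per-host destination port. The sample flows are constructed (documentation address ranges), and the `min_peers` threshold and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flows in the layout of the output above; addresses are
# documentation ranges (RFC 5737), not values from the original post.
SAMPLE = """\
11:41:37.031    0.000 UDP  10.0.0.99:1204  ->    203.0.113.10:46299
11:42:07.032    0.000 UDP  10.0.0.99:1204  ->    198.51.100.7:15989
11:42:37.096    0.000 UDP  10.0.0.99:1204  ->    192.0.2.44:52566
11:43:17.204    0.000 UDP  10.0.0.99:1204  ->    203.0.113.10:46299
11:44:02.410    0.000 UDP  10.0.0.23:53311 ->    192.0.2.53:53
11:45:27.521    0.000 UDP  10.0.0.99:1204  ->    198.51.100.7:15989
11:46:10.900    0.000 UDP  10.0.0.23:40122 ->    192.0.2.53:53
"""

FLOW = re.compile(r"^\S+\s+\S+\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")

def summarize(text):
    """Group flows by (proto, src, sport); map each dst host to its dst ports."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue  # skip wrapped annotations and blank lines
        proto, src, sport, dst, dport = m.groups()
        groups[(proto, src, int(sport))][dst].add(int(dport))
    return groups

def fixed_port_fanout(text, min_peers=3):
    """Return sources whose single source port reaches >= min_peers hosts,
    with each host always contacted on one (per-host) destination port."""
    hits = []
    for (proto, src, sport), peers in summarize(text).items():
        stable = all(len(ports) == 1 for ports in peers.values())
        distinct_ports = {p for ports in peers.values() for p in ports}
        # More than one distinct dport separates this from ordinary
        # client traffic to a single well-known service port.
        if len(peers) >= min_peers and stable and len(distinct_ports) > 1:
            hits.append({"proto": proto, "src": src, "sport": sport,
                         "peers": len(peers), "dports": len(distinct_ports)})
    return hits

if __name__ == "__main__":
    for hit in fixed_port_fanout(SAMPLE):
        print(hit)
```

A host flagged this way is a candidate for inspection of the process bound to that source port; the flow pattern alone does not identify the application.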
