Interesting netflow entry

Wil Schultz wschultz at wilcomm.net
Mon Feb 6 21:15:06 UTC 2006


After setting up netflow this morning I have a recurring flow that 
seems bothersome to me. I have an internal host (10.X.X.99) that 
continually attempts to hit various external hosts (AA, BB, CC, etc...) 
on seemingly random ports but always from source port udp.1204. In about 2 
hours this host has hit 155 different external hosts, some of them once 
or twice and some of them more than 10 times. Below is a sanitised 10 
minute output.

11:41:37.031    0.000 UDP  10.XX.XX.99:1204  ->    AA.AA.AA.AA:46299    (RoadRunner, VA US)
11:42:07.032    0.000 UDP  10.XX.XX.99:1204  ->    BB.BB.BB.BB:15989    (Comcast, MI US)
11:42:37.096    0.000 UDP  10.XX.XX.99:1204  ->    CC.CC.CC.CC:52566    (Comcast, IL US)
11:43:17.204    0.000 UDP  10.XX.XX.99:1204  ->    DD.DD.DD.DD:47756    (Adelphia, CA US)
11:45:27.521    0.000 UDP  10.XX.XX.99:1204  ->    EE.EE.EE.EE:20797    (Tokyo)
11:46:07.685    0.000 UDP  10.XX.XX.99:1204  ->    FF.FF.FF.FF:21363    (Surrey UK)
11:48:47.991    0.000 UDP  10.XX.XX.99:1204  ->    GG.GG.GG.GG:48324    (Israel)

Interestingly enough, I've checked to see if this seemingly random port 
was actually listening, and each of the 15-20 hosts I've checked is 
listening on its port, i.e. AA.AA.AA.AA has udp.46299 open while 
BB.BB.BB.BB has udp.15989 open. When a host was contacted multiple times 
the "random" dstport is always the same.

Anyone have any clue as to what could be going on here?

-Wil
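
The pattern described in this message (one fixed source port, many external hosts, a stable destination port per host) can be pulled out of flow output mechanically. The following is an added example, not part of the original post; it assumes one flow per line in the layout shown above, and the function names and the `min_hosts` threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the post's sanitised output
# (placeholder addresses; a repeat and an unrelated host added for the checks).
SAMPLE = """\
11:41:37.031    0.000 UDP  10.XX.XX.99:1204  ->  AA.AA.AA.AA:46299  (RoadRunner, VA US)
11:42:07.032    0.000 UDP  10.XX.XX.99:1204  ->  BB.BB.BB.BB:15989  (Comcast, MI US)
11:42:37.096    0.000 UDP  10.XX.XX.99:1204  ->  CC.CC.CC.CC:52566
11:43:17.204    0.000 UDP  10.XX.XX.99:1204  ->  AA.AA.AA.AA:46299
11:44:02.310    0.000 UDP  10.XX.XX.20:53211 ->  DD.DD.DD.DD:53
"""

# timestamp, duration, protocol, src:port -> dst:port; trailing text is ignored
FLOW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dur>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

def summarise(text):
    """Group flows by (proto, src, sport); record the ports seen per destination."""
    talkers = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:
            key = (m["proto"], m["src"], int(m["sport"]))
            talkers[key][m["dst"]].add(int(m["dport"]))
    return talkers

def fixed_port_fanout(text, min_hosts=3):
    """Sources that reach >= min_hosts destinations from one source port,
    where each destination is always contacted on a single port of its own."""
    hits = []
    for key, dests in summarise(text).items():
        stable = all(len(ports) == 1 for ports in dests.values())
        distinct_ports = {p for ports in dests.values() for p in ports}
        if len(dests) >= min_hosts and stable and len(distinct_ports) > 1:
            hits.append((key, len(dests)))
    return hits

if __name__ == "__main__":
    for (proto, src, sport), n in fixed_port_fanout(SAMPLE):
        print(f"{proto} {src}:{sport} -> {n} hosts, one fixed port per host")
```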



