Also if you can capture the actual data of those packets, that could
shed some light upon their origin. They only appear to be around 30
bytes normally, so for me, that could provide a clue.
>>> Amos Jeffries <squid3_at_treenet.co.nz> 6/5/2011 3:55 AM >>>
On 05/06/11 16:55, Bal Krishna Adhikari wrote:
> On 06/04/2011 12:59 PM, Amos Jeffries wrote:
>>>>>> Bal Krishna Adhikari 6/3/2011 6:13 AM
>>>>>>
>>> Hello,
>>>
>>> I found a lot of UDP connections that is coming to my proxy
servers.
>>> I don't find the cause of such one-way traffics to my servers.
>>> The sample UDP traffic is as :-
>>>
>>> 14:00:07.506612 IP 41.209.69.146.10027> x.x.x.x.65453: UDP, length
30
>>> 14:00:07.518118 IP 121.218.37.254.41597> x.x.x.x.64338: UDP,
length
>>> 30
>>> 14:00:07.572559 IP 85.224.143.193.29978> x.x.x.x.62782: UDP,
length
>>> 30
>>> 14:00:07.596554 IP 183.87.200.42.36895> x.x.x.x.15786: UDP, length
30
>>> 14:00:07.642820 IP 180.215.37.96.49977> x.x.x.x.49458: UDP, length
30
>>> 14:00:07.653055 IP 117.195.138.64.24314> x.x.x.x.44985: UDP,
length
>>> 33
>>> 14:00:07.739963 IP 82.31.238.101.50534> x.x.x.x.52750: UDP, length
30
>>> 14:00:07.783452 IP 86.83.107.196.41870> x.x.x.x.62782: UDP, length
30
>>> 14:00:07.809677 IP 94.246.23.15.59003> x.x.x.x.27462: UDP, length
30
>>> 14:00:07.837415 IP 75.156.164.147.49398> x.x.x.x.34847: UDP,
length
>>> 30
>>> 14:00:07.841668 IP 82.8.212.242.25931> x.x.x.x.24869: UDP, length
30
>>> 14:00:07.841697 IP 89.136.112.99.42182> x.x.x.x.52750: UDP, length
30
>>> 14:00:07.854215 IP 99.191.156.208.18162> x.x.x.x.64338: UDP,
length
>>> 30
>>> 14:00:07.885386 IP 88.147.72.252.60224> x.x.x.x.19151: UDP, length
30
>>> 14:00:07.960841 IP 68.169.185.192.63480> x.x.x.x.58638: UDP,
length
>>> 30
>>> 14:00:08.071763 IP 79.113.242.42.31998> x.x.x.x.33995: UDP, length
30
>>> 14:00:08.078260 IP 94.202.49.109.61957> x.x.x.x.26071: UDP, length
67
>>> 14:00:08.101495 IP 82.169.68.179.19605> x.x.x.x.45682: UDP, length
30
>>> 14:00:08.113238 IP 86.99.42.7.15086> x.x.x.x.11706: UDP, length 67
>>> 14:00:08.127979 IP 62.195.70.253.45266> x.x.x.x.37050: UDP, length
30
>>> 14:00:08.163992 IP 2.82.207.195.38343> x.x.x.x.26680: UDP, length
30
>>> 14:00:08.183453 IP 68.81.206.57.25923> x.x.x.x.18378: UDP, length
30
>>> 14:00:08.237689 IP 108.120.241.254.47249> x.x.x.x.39433: UDP,
length
>>> 30
>>> 14:00:08.256906 IP 99.161.157.254.41719> x.x.x.x.26680: UDP,
length
>>> 30
>>> 14:00:08.291885 IP 121.136.175.247.12577> x.x.x.x.16485: UDP,
length
>>> 67
>>> 14:00:08.315427 IP 121.144.158.120.30845> x.x.x.x.61415: UDP,
length
>>> 30
>>> 14:00:08.317404 IP 115.117.219.18.25817> x.x.x.x.59936: UDP,
length
>>> 30
>>>
>>> Anyone has any idea if the traffic is genuine or some kind of
attack ?
>>> x.x.x.x is my proxy server.
>>>
>>> --- Bal Krishna
>>>
>>
>> On 04/06/11 01:16, Chad Naugle wrote:
>> > Check the hostname of these IP addresses. They could be DNS
replies,
>> > using random ports for source/destinations. Squid can generate
tons of
>> > DNS traffic.
>>
>>
>> I don't think its genuine Squid traffic. DNS, ICP and HTCP all use
a
>> fixed well-known port at one end and a rarely changing port at the
other.
>>
>> It could be anything else on the box though.
>>
>> There are a few CVE attacks this could be, two using DNS and one
HTCP.
>> If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are
safe
>> from those. They are just annoying.
>>
>> If you have a Squid-3.1+ with an IPv6 address publicly advertised
this
>> could be a sign of v6 connection attempts. Several IP tunnel
protocols
>> involve UDP handshakes.
>>
>> Amos
>
> I'm currently using 2.7 STABLE9.
> And the connection seems increased then earlier.
> Blocking the UDP other then DNS and SNMP from outside can solve the
> problem ?
We can't answer that. It may not be a problem. You need to find out
what
it actually is. Blocking it will stop it doing anything, but until you
know what it is that may just be creating a different problem.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.12 Beta testers wanted for 3.2.0.8 and 3.1.12.2 Travel Impressions made the following annotations ------------------------------------------------------------- "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."Received on Mon Jun 06 2011 - 13:23:36 MDT
This archive was generated by hypermail 2.2.0 : Mon Jun 06 2011 - 12:00:02 MDT