Port 411 is the standard port for Direct Connect, and matsrob... is the hub address. You can block the hub address :D

On Wed, May 14, 2003 at 09:56:22AM +0200, Andres Taylor wrote:
> Hi folks!
>
> I have this weird problem. Every 5 minutes, someone is sending me one or
> two strange packets.
>
> Snort logs it like this:
> 05/14-09:47:30.457304 [**] [1:525:4] BAD TRAFFIC udp port 0 traffic
> [**] [Classification: Misc activity] [Priority: 3] {UDP} x.x.x.x:411 ->
> y.y.y.y:0
>
> And a tcpdump looks like this:
>
> tcpdump -N -s0 -vvv -X host y.y.y.y
>
> 09:42:29.589114 XXX.411 > YYY.0: [udp sum ok] udp 32 (ttl 116, id 9148,
> len 60)
> 0x0000 4500 003c 23bc 0000 7411 97f6 d9d2 20ac E..<#...t.......
> 0x0010 d91f b760 019b 0000 0028 2250 2455 7020 ...`.....("P$Up.
> 0x0020 6d61 7473 726f 6220 726f 6265 7274 736f matsrob.robertso
> 0x0030 6e2e 6e6f 2d69 702e 636f 6d7c n.no-ip.com|
>
> Now the weird problem is that I can't for my life block these packets!
> I've tried blocking them like this:
> iptables -I INPUT -s y.y.y.y -j DROP
> And the same for OUTPUT and FORWARD, and I've tried blocking on UDP port
> 0, but they still come in.
>
> I see them with snort, even when the interface is not in promiscuous
> mode. What can I do? I'm stuck.
>
> Cheers,
>
> Andrés
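Added example, not part of the original messages: a small decoder for a capture like the tcpdump quoted above, showing where the source port 411, the destination port 0 and the `$...|` payload sit in the bytes. The sample keeps the dump's header fields and payload but swaps the two addresses for constructed documentation addresses; the function names are hypothetical.

```python
import ipaddress
import struct

# Constructed sample modelled on the quoted tcpdump: same header fields and
# payload, addresses replaced by 192.0.2.10 and 198.51.100.20, so the stored
# checksums are not meaningful and are not verified here.
SAMPLE_HEX = (
    "4500003c23bc0000741197f6" "c000020a" "c6336414"  # IPv4 header
    "019b0000" "00282250"                              # UDP header
    "245570206d617473726f6220726f62657274736f"         # payload
    "6e2e6e6f2d69702e636f6d7c"
)


def decode_udp_packet(raw: bytes) -> dict:
    """Decode an IPv4/UDP packet that starts at the IP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    if len(raw) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "total_len": total_len, "id": ident, "ttl": ttl,
        "sport": sport, "dport": dport,
        "payload": raw[ihl + 8:ihl + udp_len],  # UDP length includes header
    }


def describe(pkt: dict) -> list:
    """Return the traits of the packet that the thread talks about."""
    notes = []
    if pkt["dport"] == 0:
        notes.append("udp destination port 0")        # what Snort 1:525 logs
    if pkt["sport"] == 411:
        notes.append("source port 411 (Direct Connect)")
    if pkt["payload"].startswith(b"$") and pkt["payload"].endswith(b"|"):
        notes.append("payload framed as $...|")
    return notes


if __name__ == "__main__":
    packet = decode_udp_packet(bytes.fromhex(SAMPLE_HEX))
    print(packet)
    print(describe(packet))
```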