[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

[LUG] UDP Port 37 traffic 2010-02-08

To: Devon & Cornwall GLUG <list@xxxxxxxxxxxxx>
Subject: [LUG] UDP Port 37 traffic 2010-02-08
From: Simon Waters <simon@xxxxxxxxxxxxxx>
Date: Tue, 09 Feb 2010 14:14:34 +0000
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx

I'm seeing spurious port 37 traffic logged since "Feb 8 20:05:41" onseveral (related) IP addresses.

TCPDUMP show the content contain strings consistent with these packetsbeing related to anti-spam activity, or possibly just lost DNS traffic(since a lot of DNS traffic is now anti-spam).


Strings extracted include:

14.114.99.123.zen.spamhaus.org
157.104.20.190.zen.spamhaus.org
cps.co.uk.dsn.rfc-ignorant.org
liposuctionlaser.com.abuse.rfc-ignorant.org

My best guess is an attempted DDOS on blocklists, but I don't haveenough data.

I don't understand why it would use port 37, but the packets are fromall over, so I assume spoofed.

Anyone else seeing this? Be nice to know we aren't mangling our own DNSrequests or similar.


--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html

Follow-up: Re: [LUG] UDP Port 37 traffic 2010-02-08
- From: Gordon Henderson

Prev by Date: Re: [LUG] US Freedom
Next by Date: Re: [LUG] UDP Port 37 traffic 2010-02-08
Previous by thread: Re: [LUG] US Freedom
Next by thread: Re: [LUG] UDP Port 37 traffic 2010-02-08
Index(es):
- Date
- Thread