
Re: UDP Port 0 not blockable



Port 411 is the standard port for Direct Connect, and matsrob... is the hub
address. You can block the hub address :D

On Wed, May 14, 2003 at 09:56:22AM +0200, Andres Taylor wrote:
> Hi folks!
> 
> I have this weird problem. Every 5 minutes, someone is sending me one or
> two strange packets.
> 
> Snort logs it like this:
> 05/14-09:47:30.457304  [**] [1:525:4] BAD TRAFFIC udp port 0 traffic
> [**] [Classification: Misc activity] [Priority: 3] {UDP} x.x.x.x:411 ->
> y.y.y.y:0
> 
> And a tcpdump looks like this:
> 
> tcpdump -N -s0 -vvv -X host y.y.y.y
> 
> 09:42:29.589114 XXX.411 > YYY.0:  [udp sum ok] udp 32 (ttl 116, id 9148,
> len 60)
> 0x0000   4500 003c 23bc 0000 7411 97f6 d9d2 20ac        E..<#...t.......
> 0x0010   d91f b760 019b 0000 0028 2250 2455 7020        ...`.....("P$Up.
> 0x0020   6d61 7473 726f 6220 726f 6265 7274 736f        matsrob.robertso
> 0x0030   6e2e 6e6f 2d69 702e 636f 6d7c                  n.no-ip.com|
> 
> Now the weird problem is that I can't for my life block these packets!
> I've tried blocking them like this:
> iptables -I INPUT -s y.y.y.y -j DROP
> And the same for OUTPUT and FORWARD, and I've tried blocking on UDP port
> 0, but they still come in.
> 
> I see them with snort, even when the interface is not in promiscuous
> mode. What can I do? I'm stuck.
> 
> Cheers,
> 
> Andrés
> 
> 

Attachment: pgptGcbrq7LNg.pgp
Description: PGP signature
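
Decoding the tcpdump bytes quoted above confirms what Snort reported (source port 411, destination port 0), checks both checksums, and pulls the Direct Connect command out of the payload. This is an added example, not code from the thread; the function names are illustrative, and the IP addresses are left undecoded because the poster masked them.

```python
import struct

# Packet bytes copied from the tcpdump -X dump quoted above (starts at the IPv4 header).
DUMP = """
4500 003c 23bc 0000 7411 97f6 d9d2 20ac
d91f b760 019b 0000 0028 2250 2455 7020
6d61 7473 726f 6220 726f 6265 7274 736f
6e2e 6e6f 2d69 702e 636f 6d7c
"""

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; equals 0xFFFF over data that includes a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(dump: str) -> dict:
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    if proto != 17:
        raise ValueError("not a UDP packet")
    udp = pkt[ihl:total_len]
    sport, dport, udp_len, _csum = struct.unpack("!4H", udp[:8])
    # The UDP checksum covers a pseudo-header: src addr, dst addr, zero, proto, UDP length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    text = udp[8:udp_len].decode("ascii", "replace")
    return {
        "ip_id": ip_id, "ttl": ttl, "total_len": total_len,
        "sport": sport, "dport": dport,
        "ip_sum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "udp_sum_ok": ones_complement_sum(pseudo + udp) == 0xFFFF,
        "payload": text,
        # Direct Connect (NMDC) commands start with '$' and end with '|'.
        "dc_fields": text.rstrip("|").split(" ") if text.startswith("$") else [],
    }

if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key:>10}: {value!r}")
```

The byte between `matsrob` and `robertson` is 0x20 (a space); the tcpdump ASCII column in this dump prints it as `.`.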

