Could be a modification of a smurf attack, soliciting ICMP Port Unreachable
messages from your network. Early smurfs sent ICMP Echo Requests to a
broadcast address, hoping to elicit Echo Replies from a large number of hosts
to the (spoofed) victim. But as a result, many border routers are now
configured to drop ICMP traffic to broadcast addresses. The UDP smurf would
succeed where the ICMP smurf is blocked, since ICMP Port Unreachable is what
traceroute uses to discover when it has reached a high, unserved port at the
target of a trace. The same border routers that block the ICMP smurf would
likely be set to pass such traffic, so that traceroute will operate. At
least, this is what the attacker hopes.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 20, 1999 10:59 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: directed broadcasts to UDP ports 41524, 41530, 41508
>
>
> My filters are seeing UDP packets to ports 41524, 41530, 41508,
> directed to the all-ones broadcast IP address on my Class C network.
> I get about 17 per day from various sources.
> There is no other port scan activity from the same sources.
>
> Does anyone have any idea of what this traffic might be?
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
>
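Added example, not part of the original thread: a small log check for the traffic discussed above, which groups UDP datagrams sent to a local subnet's directed broadcast address by destination port and source. The log format, the `LOCAL_NETS` value and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the protected network (192.0.2.0/24 is a documentation range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in a hypothetical format: time proto src:sport dst:dport
SAMPLE_LOG = """\
1999-05-20T03:12:01 UDP 198.51.100.7:1042 192.0.2.255:41524
1999-05-20T07:45:10 UDP 203.0.113.9:3301 192.0.2.255:41530
1999-05-20T09:02:33 UDP 198.51.100.7:1043 192.0.2.17:53
1999-05-20T10:15:54 ICMP 203.0.113.40:0 192.0.2.255:0
1999-05-20T11:30:00 UDP 203.0.113.77:2210 192.0.2.255:41508
malformed line
"""

def parse(line):
    """Return (proto, src_ip, dst_ip, dst_port), or None if the line is unparseable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, proto, src, dst = parts
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_host, dst_port = dst.rsplit(":", 1)
        return proto, src_ip, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def directed_broadcast_udp(log_text, nets=LOCAL_NETS):
    """Map each UDP destination port to the set of sources that sent to the
    directed broadcast address of one of the given subnets."""
    broadcasts = {net.broadcast_address for net in nets}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        proto, src, dst, dport = rec
        # Only UDP is counted; ICMP to the broadcast address is the classic smurf.
        if proto == "UDP" and dst in broadcasts:
            hits[dport].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for port, sources in sorted(directed_broadcast_udp(SAMPLE_LOG).items()):
        print(port, sorted(sources))
```

Because the broadcast address is derived from each network's prefix length, subnetted ranges are handled as well as a plain /24.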