Hello. I observed what appeared to be a DoS attack yesterday involving UDP
packets from spoofed source addresses triggering ICMP replies. The attack
seems to have died down, but I'm still seeing the occasional UDP packet
trickle in from a probably spoofed source IP. These are different though
in that they are not causing any sort of response from the victimized
system, and all are destined for port 3593.

I haven't found anything definitive about port 3593 except for the
following Usenet article, which is simply someone else asking (so I'm not
alone):

<http://x26.deja.com/[ST_rn=ps]/getdoc.xp?AN=554145100>

I'm thinking that the person is looking for a trojan that does not
exist. Do any known trojans use this port? Of course, there's always the
possibility that a different trojan was configured to use 3593. But either
way, whatever trojan doesn't appear to exist on the system.

And finally... what's the best way to trace UDP packets with spoofed source
addresses? Does it always require the assistance of the ISP?

Thanks for your help.

-----------------------
Scott I. Remick [EMAIL PROTECTED]
Network and Information (802)388-7545 ext. 236
Systems Manager FAX:(802)388-3697
Computer Alternatives, Inc. http://www.computeralt.com