On Tue, 2005-11-15 at 14:29 -0500, Chris Martin wrote:
> Hello list,
> Today at work we found some very strange behavior on one of our servers.
> This machine was spitting out several thousand fragmented UDP packets to
> an IP multicast address.
> The rate of packet sending was quite high; using Ethereal for about 10
> minutes showed that of approximately 75,000 packets, almost 70,000 of
> them were these fragmented UDP packets. They were being sent to a
> 239.192.*.* address, which according to RFC 3171 is an Administratively Scoped
> Block of IPv4 Multicast.
>
> This really has us scratching our heads. I was wondering if anyone here
> had seen this kind of behavior before, or had any ideas as to what it
> could possibly be?
A first-glance guess would be simple media multicasting software of some description. Can you narrow it down beyond UDP and recognise the protocol being used? (Or can you provide a packet dump so that we can.) Do you have any host-based analysis of the incident?

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
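The reply asks the original poster to narrow the traffic down beyond "fragmented UDP to 239.192.*.*". The script below is an added triage example written for this thread, not code from either poster: it decodes raw IPv4/UDP headers, flags packets that are fragments (MF set or non-zero fragment offset) of UDP datagrams aimed at the RFC 3171 administratively scoped block, and counts datagrams per destination port, which is the first thing you need before matching the stream to a protocol. Only the first fragment of a datagram carries the UDP header, so ports are read from offset-0 fragments only. The capture it runs over is constructed inline (three three-fragment datagrams to 239.192.1.10 port 5004, plus one unicast UDP and one TCP packet); the source address, group address and port are assumptions, not values from the post.

```python
import ipaddress
import struct
from collections import Counter

# RFC 3171: 239.0.0.0/8 is the administratively scoped block; 239.192.0.0/14
# is the organization-local scope inside it (the 239.192.*.* seen in the post).
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
ORG_LOCAL = ipaddress.ip_network("239.192.0.0/14")
IP_MF = 0x2000            # "more fragments" flag in the flags/offset field
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
PROTO_UDP = 17


def build_ipv4(src, dst, proto, payload, ident=1, frag_offset=0, more_fragments=False):
    """Build a minimal IPv4 packet (no options, zero checksum) around payload.
    Used only to construct sample data for this example."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_packet(pkt):
    """Decode the IPv4 fields needed for triage; returns None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, _, ident, flags_frag, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "dport": None,
    }
    # Only the first fragment (offset 0) carries the UDP header.
    if proto == PROTO_UDP and info["frag_offset"] == 0 and len(pkt) >= ihl + 8:
        info["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return info


def is_fragment(info):
    return info["mf"] or info["frag_offset"] > 0


def summarize(packets):
    """Count fragmented UDP packets to admin-scoped multicast, how many of those
    fall in the organization-local scope, and datagrams per destination port."""
    result = {"total": 0, "frag_udp_admin_scoped": 0, "org_local": 0,
              "datagrams_by_port": Counter(), "groups": Counter()}
    for pkt in packets:
        info = parse_packet(pkt)
        if info is None:
            continue
        result["total"] += 1
        dst = ipaddress.ip_address(info["dst"])
        if info["proto"] != PROTO_UDP or dst not in ADMIN_SCOPED or not is_fragment(info):
            continue
        result["frag_udp_admin_scoped"] += 1
        result["groups"][info["dst"]] += 1
        if dst in ORG_LOCAL:
            result["org_local"] += 1
        if info["dport"] is not None:  # one first fragment per datagram
            result["datagrams_by_port"][info["dport"]] += 1
    return result


def sample_capture():
    """Constructed capture: three 3-fragment UDP datagrams to 239.192.1.10:5004
    (1480-byte fragments, so offsets 0, 185 and 370 in 8-byte units),
    one unfragmented unicast UDP packet and one TCP packet."""
    pkts = []
    for ident in (100, 101, 102):
        first = build_udp(40000, 5004, b"A" * 1472)  # 8-byte header + 1472 = 1480
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.10", PROTO_UDP, first, ident, 0, True))
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.10", PROTO_UDP, b"B" * 1480, ident, 185, True))
        pkts.append(build_ipv4("10.0.0.5", "239.192.1.10", PROTO_UDP, b"C" * 100, ident, 370, False))
    pkts.append(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, build_udp(1234, 53, b"q")))
    pkts.append(build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 20))
    return pkts


if __name__ == "__main__":
    r = summarize(sample_capture())
    print(f"{r['frag_udp_admin_scoped']}/{r['total']} packets are fragmented UDP to 239/8")
    print("datagrams by destination port:", dict(r["datagrams_by_port"]))
    print("multicast groups:", dict(r["groups"]))
```

On a real capture the packets would come from a pcap reader rather than sample_capture(); the destination port and the per-group datagram rate are what let you match the stream to a known protocol (an RTP stream, a discovery protocol, a backup or imaging tool) before looking at the host itself.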