While this pattern resembles a traceroute, it differs from Linux traceroute in several ways.

1. As you noted, the port is not being incremented. Linux traceroute increments the port with every packet, using 33435 for the first packet only.

2. The TTLs do not change in an ordered way. Linux traceroute normally sends out 3 packets at each TTL setting, while you sometimes get 1, sometimes 2 at a setting. Also, all the TTLs you report seeing are very low, suggesting that if they are traceroutes, they are many hops away (Linux traceroute by default tries up to TTL 30, which would imply a starting point 27 hops away).

3. The time spacing is fairly long (4 seconds) for traceroute packets; the default time for Linux traceroute is 0.

4. If I am reading this log's LEN fields correctly, the IP datagram is 28 bytes, smaller than the 40-byte standard for Linux traceroute.

But while those assumptions hold true for Linux traceroute (and even with it, most can be changed via command-line flags), other implementations of traceroute need not follow them. Were I to guess about this traffic, I'd suspect it is from one of those companies that say they "measure" network performance (and sell some service to optimize it). An alternative is some sort of preliminary to a DoS attack (at one packet every 4 seconds, this traffic itself is no DoS), but this seems a remote possibility. Nothing else (besides traceroute) officially uses this port range, but I suppose some P2P service might make use of it in a traceroute-like manner.

BTW, while the source address is neither ping-able nor reverse-resolvable, I can traceroute to it. You might do so to see how many hops from you it is (it is only 17 hops from me).

At 10:25 PM 11/25/02 -0600, Arif Mamdani wrote:
I'm hoping someone on the list can give me some insight into what's going on here. At first I thought that it might be a traceroute, but I was under the impression that traceroute would increment the destination port, which isn't happening. Any assistance would be appreciated.

-arif

here's the log:

Nov 25 08:51:42 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:46 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:50 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:54 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:52:15 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:19 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:23 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:27 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:32 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:36 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:40 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:44 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8

it continues on this way till 8:53:50, then starts up again at 18:24:04, and stops at 18:25:48, then starts again at 21:34:39 and finally stops at 21:52:06


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
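Added example (not code from the post or from the LEAF project): a small Python script that parses Shorewall/netfilter log lines like the ones quoted above and scores each SRC->DST stream against the Linux traceroute characteristics listed in the reply (destination port incrementing per probe, three probes per TTL in increasing order, probes sent back to back, 40-byte IP datagrams). The twelve log lines are the ones from the post; the year 2002 (syslog lines carry none, so it is taken from the quoted mail header), the 33434-33533 destination port range and the one-second "back to back" threshold are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shorewall/netfilter log lines copied from the post above; the year (2002)
# is assumed from the quoted mail header since syslog lines carry none.
SAMPLE_LOG = """\
Nov 25 08:51:42 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:46 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:50 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:51:54 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56849 DPT=33435 LEN=8
Nov 25 08:52:15 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:19 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:23 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:27 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:32 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:36 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:40 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
Nov 25 08:52:44 arif-host1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:fc:59:16:5b:00:20:e0:35:18:25:08:00 SRC=143.166.34.130 DST=209.98.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=0 PROTO=UDP SPT=56850 DPT=33435 LEN=8
"""

# Assumed: the classic UDP traceroute destination port range (33434 + hops).
TRACEROUTE_PORTS = range(33434, 33534)
BACK_TO_BACK_SECONDS = 1.0   # assumed threshold for "probes sent without delay"


def parse_line(line, year=2002):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    try:
        stamp, rest = line.split(" kernel: ", 1)
    except ValueError:
        return None
    prefix, sep, fields = rest.partition("IN=")   # prefix is the Shorewall chain tag
    if not sep:
        return None
    kv = {}
    for tok in (sep + fields).split():
        key, _, val = tok.partition("=")
        if key in kv:            # netfilter prints LEN twice: IP total length, then UDP length
            key += "2"
        kv[key] = val
    syslog_stamp = stamp.rsplit(" ", 1)[0]         # "Nov 25 08:51:42" without the hostname
    ts = datetime.strptime(f"{year} {syslog_stamp}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "prefix": prefix.rstrip(":"),
        "src": kv["SRC"], "dst": kv["DST"], "proto": kv.get("PROTO"),
        "ttl": int(kv["TTL"]), "ip_len": int(kv["LEN"]),
        "spt": int(kv.get("SPT", 0)), "dpt": int(kv.get("DPT", 0)),
    }


def fingerprint(records):
    """Score one SRC->DST stream against the Linux traceroute defaults discussed
    in the reply: port increments per probe, 3 probes per TTL in increasing
    order, probes sent back to back, 40-byte IP datagrams."""
    recs = sorted(records, key=lambda r: r["ts"])
    dports = [r["dpt"] for r in recs]
    ttls = [r["ttl"] for r in recs]
    gaps = sorted((b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:]))
    runs = []                                      # [ttl, count] for consecutive probes sharing a TTL
    for t in ttls:
        if runs and runs[-1][0] == t:
            runs[-1][1] += 1
        else:
            runs.append([t, 1])
    median_gap = gaps[len(gaps) // 2] if gaps else 0.0
    checks = {
        "in_traceroute_range": all(p in TRACEROUTE_PORTS for p in dports),
        "port_increments": all(b == a + 1 for a, b in zip(dports, dports[1:])),
        "three_per_ttl": all(n == 3 for _, n in runs),
        "ttl_monotonic": all(b >= a for a, b in zip(ttls, ttls[1:])),
        "back_to_back": bool(gaps) and median_gap < BACK_TO_BACK_SECONDS,
        "len_40": all(r["ip_len"] == 40 for r in recs),
    }
    summary = {
        "probes": len(recs),
        "max_ttl": max(ttls),
        "median_gap_s": median_gap,
        "sweeps": len({r["spt"] for r in recs}),   # each restart in the log used a fresh source port
    }
    if all(checks.values()):
        verdict = "linux-traceroute"
    elif checks["in_traceroute_range"]:
        verdict = "traceroute-like, non-default probes"
    else:
        verdict = "not traceroute"
    return {"verdict": verdict, **checks, **summary}


def analyze(log_text):
    """Group parsed UDP lines by (SRC, DST) and fingerprint each stream."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP":
            streams[(rec["src"], rec["dst"])].append(rec)
    return {key: fingerprint(recs) for key, recs in streams.items()}


if __name__ == "__main__":
    for (src, dst), fp in analyze(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {fp['verdict']}")
        for name, value in fp.items():
            if name != "verdict":
                print(f"  {name}: {value}")
```

On the quoted log the stream lands in the "traceroute-like, non-default probes" bucket: the destination port sits in the traceroute range but never increments, the TTL sequence 1,1,2,3 repeats instead of climbing three probes at a time, the median spacing is 4 s and the datagrams are 28 bytes, and the two distinct source ports mark the two sweeps visible in the excerpt. Feeding it a stream that does follow the defaults (dport 33434, 33435, ... with three probes per TTL and 40-byte datagrams) returns "linux-traceroute".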



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
