[123619] in North American Network Operators' Group


Re: OT: Anyone seeing these sorts of probes? Port 46993 udp?

daemon@ATHENA.MIT.EDU (James Hess)
Fri Mar 12 01:31:27 2010

In-Reply-To: <001e01cac1ab$d380ea50$4401a8c0@jgbpc>
Date: Fri, 12 Mar 2010 00:31:06 -0600
From: James Hess <mysidia@gmail.com>
To: Joe <jbfixurpc@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Well, those UDP captures appear to be BitTorrent peer-to-peer file
sharing traffic, or something disguised as such.
Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a"
and also the textual reference to info_hash

On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixurpc@gmail.com> wrote:
>
> Not to distract from the IPv4/IPv6 thread, but just wondering if anyone has
> seen this behavior or perhaps can enlighten me to its origin/virus/meaning?
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
> 0060  79 31 3a 71 65                                    y1:qe
>
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
> 0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
> 0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
> 0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
> 0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
> 0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
> 0060  79 31 3a 71 65                                    y1:qe
>
> I'm seeing thousands of these per minute at one location, hundreds of unique
> ip addresses. Some sort of bot net maybe?
>
>
> Thanks much
>
> Joe
>
>
>



-- 
-J
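The payload in Joe's capture is a bencoded dictionary, the encoding BitTorrent uses for its UDP DHT (KRPC) messages: `d1:ad2:id20:...9:info_hash20:...e1:q9:get_peers1:t8:...1:y1:qe` is a `get_peers` query carrying the sender's node id and the info_hash it is looking up. The script below is an added example, not code from the thread or from any BitTorrent client: it transcribes the 101 payload bytes from the hex dump, decodes them with a small bencode parser and reports the message type, method and identifiers, which is the check an operator would want before deciding whether such a flood is ordinary DHT chatter or something merely shaped like it. The helper names (`bdecode`, `classify_dht`) are this example's own.

```python
"""Classify a captured UDP payload as a BitTorrent DHT (KRPC) message.

Added example for the thread above; not code from the original post.
The bencode decoder follows the BitTorrent bencoding rules (ints `i...e`,
byte strings `<len>:<data>`, lists `l...e`, dicts `d...e`).
"""

# The 101 payload bytes transcribed from the hex dump in Joe's capture.
CAPTURED_PAYLOAD = bytes.fromhex(
    "64313a6164323a696432303a491078b3"   # d1:ad2:id20:I.x.
    "9d3fab23757ed435d7cfc01398bf8430"   # (rest of the 20-byte node id)
    "393a696e666f5f6861736832303a0961"   # 9:info_hash20:.a
    "e1d89dcfab6a2e32e8429273b341a372"   # (rest of the 20-byte info_hash)
    "c7f165313a71393a6765745f70656572"   # ..e1:q9:get_peer
    "73313a74383a3130303034323535313a"   # s1:t8:100042551:
    "79313a7165"                         # y1:qe
)


def _decode(buf: bytes, pos: int):
    """Decode one bencoded value at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated bencode data")
    c = buf[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while buf[pos:pos + 1] != b"e":
            key, pos = _decode(buf, pos)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            result[key], pos = _decode(buf, pos)
        return result, pos + 1
    if c.isdigit():                                # byte string: <len>:<data>
        colon = buf.index(b":", pos)
        length = int(buf[pos:colon])
        start = colon + 1
        if start + length > len(buf):
            raise ValueError("string length exceeds buffer")
        return buf[start:start + length], start + length
    raise ValueError(f"unexpected byte {c!r} at offset {pos}")


def bdecode(buf: bytes):
    """Decode a complete bencoded buffer; trailing garbage is an error."""
    value, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError(f"{len(buf) - end} trailing bytes after bencoded value")
    return value


def classify_dht(payload: bytes) -> dict:
    """Summarise a KRPC message: kind (query/response/error), method and ids.

    Anything that does not decode to a KRPC-shaped dict is reported as
    'not-bencode' or 'not-krpc' rather than raising, so the function can be
    run over a whole capture.
    """
    try:
        msg = bdecode(payload)
    except ValueError as exc:
        return {"kind": "not-bencode", "reason": str(exc)}
    if (not isinstance(msg, dict)
            or not isinstance(msg.get(b"y"), bytes)
            or not isinstance(msg.get(b"t"), bytes)):
        return {"kind": "not-krpc"}
    kind = {b"q": "query", b"r": "response", b"e": "error"}.get(msg[b"y"], "unknown")
    summary = {"kind": kind, "transaction_id": msg[b"t"].hex()}
    if kind == "query":
        args = msg.get(b"a")
        if not isinstance(args, dict):
            args = {}
        method = msg.get(b"q")
        summary["method"] = method.decode("ascii", "replace") if isinstance(method, bytes) else ""
        node_id = args.get(b"id")
        summary["node_id"] = node_id.hex() if isinstance(node_id, bytes) else ""
        info_hash = args.get(b"info_hash")
        if isinstance(info_hash, bytes):
            summary["info_hash"] = info_hash.hex()
    return summary


if __name__ == "__main__":
    for key, value in classify_dht(CAPTURED_PAYLOAD).items():
        print(f"{key:15} {value}")
```

On the captured packet this reports a `query` with method `get_peers`, a 20-byte node id and a 20-byte info_hash; the transaction id is the ASCII string `10004255`. Because the decoder insists on a complete, well-formed dictionary and rejects truncated or trailing data, traffic that only resembles DHT (James's "or something disguised as such") shows up as `not-bencode` or `not-krpc` rather than being counted as a BitTorrent query.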

