A Packet Challenge: Help us identify this traffic

Published: 2011-08-30
Last Updated: 2011-08-30 13:32:28 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Paul wrote in with some "stray packets" he detected on his home firewall against UDP port 10119. The packet appear to come from "all over" and don't look spoofed (various TTLs and IP IDs). All packets have "normal" source ports, and the TTLs suggest that they are all Windows hosts. He is seeing about a dozen packets / minute. So not a DoS, but annoying enough to notice.

Paul uses a dynamic IP address, so the obvious assumption is that this is some for of P2P afterglow from a prior user of this IP address. The question is: What kind of P2P? Is anybody able to identify it? Below you will see a quick excerpt of the traffic (source IP, source port, TTL, IP ID and the payload) 

tshark -r 10119.pcap -T fields -e ip.src -e ip.ttl -e ip.id -e data
70.171.209.146  3382    113     0xb692  0000000900000000000000000002f000139c19140000000000
14.198.249.36   2195    109     0x614b  0000000900000000000000000002f0000271e5db0000000000
83.20.76.167    21926   111     0x3f58  0000000900000000000000000002f0000137e7980000000000
74.136.209.108  53251   107     0x419e  0000000900000000000000000002f00001ffb15e0000000000
70.72.59.104    59754   116     0x433a  0000000900000000000000000002f000030f02ae0000000000
46.249.134.251  8741    111     0x2a03  0000000900000000000000000002f0000121f80e0000000000
72.189.39.53    60320   112     0x0ee8  0000000900000000000000000002f000356a1fa80000000000
76.23.146.138   56123   107     0x4859  0000000900000000000000000002f00006eb13260000000000
195.132.68.50   49312   108     0x050f  0000000900000000000000000002f0000109c9e80000000000
67.169.138.216  53355   111     0x6aed  0000000900000000000000000002f000034692cd0000000000
174.62.200.217  55644   109     0x35bc  0000000900000000000000000002f000099db30b0000000000
174.58.91.106   60308   110     0x729f  0000000900000000000000000002f000096ee2350000000000
188.193.225.7   51967   99      0x4d14  0000000900000000000000000002f00001163b7f0000000000





------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: p2p packets
3 comment(s)

Comments

This looks like a common torrent client UDP Packet from Vuze (Formerly Azureus), or possibly uTorrent if configured this way.
Like Angel said, it looks like I2P...this listens on UDP 10119.

http://forum.i2p2.de/viewtopic.php?t=385&start=15
Based on the whois of the source(residential) IP's, TTL (windows), and source ports. I am going to have to bet on P2P with modified port or anonymizer but, lean towards P2P.

Diary Archives