
SANS ISC: InfoSec Handlers Diary Blog



The scoop on the spike in UDP port 7 traffic

Published: 2008-07-02
Last Updated: 2008-07-02 20:56:20 UTC
by Jim Clausing (Version: 1)

As I mentioned during my last shift, one of the first things I look at when I start my shift is our trends graph. When my shift began 20 hours ago, I noticed that huge spike in traffic on port 7 (and when looking at the ASCII data, noted that it was 100% UDP). For those of you who don't remember, port 7 is the old "echo" service (anything sent to that port on a system running the service would be echoed back to the sender).

jac@leibnitz[518]$ fgrep echo /etc/services
echo            7/tcp
echo            7/udp

I wasn't quite sure what was going on, but I decided not to put out a call for packets right away. So, when I get to the day job today, I notice that one of our honeypots got hit with traffic to UDP port 7 (so I had the packets without asking you, our readers). I immediately looked at the pcaps and noticed the contents of the packet were a URL and the source was an IP at Texas A&M University. The URL was http://irl.cs.tamu.edu/projects/sampling/service.asp. So, I went and took a closer look at the source IPs in our DShield data and sure enough, most of the sources were IPs in the same subnet at tamu.edu. So, apparently they are trying to find out if anyone still runs the "echo" service (and in 2008 I would hope they won't find any, since for many years we knew this could be used to DoS an innocent party and for probably at least 10 years now, best practice has been to disable it on all of your servers and routers and ...).
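The triage described above (pull the UDP port 7 packets out of a capture, read the payload, group the sources by subnet), as an added example that is not part of the original diary. The capture is constructed inline with documentation addresses, and the function names are hypothetical; only the URL payload is taken from the text.

```python
import ipaddress
import struct
from collections import Counter

def udp_echo_probes(pcap: bytes):
    """Yield (src_ip, payload) for IPv4/UDP packets sent to port 7 (echo) in a
    classic little-endian pcap with Ethernet link type."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
        if frame[23] != 17 or frag or len(frame) < 14 + ihl + 8:
            continue                           # not UDP, later fragment, or truncated
        udp = 14 + ihl
        dport, ulen = struct.unpack_from("!HH", frame, udp + 2)
        if dport == 7:
            yield str(ipaddress.IPv4Address(frame[26:30])), frame[udp + 8: udp + ulen]

def summarize(pcap: bytes):
    """Count echo probes per source /24 and per distinct payload."""
    nets, payloads = Counter(), Counter()
    for src, payload in udp_echo_probes(pcap):
        nets[str(ipaddress.ip_network(src + "/24", strict=False))] += 1
        payloads[payload.decode("ascii", "replace")] += 1
    return nets, payloads

# --- constructed sample capture (documentation addresses, not real traffic) ---
URL = b"http://irl.cs.tamu.edu/projects/sampling/service.asp"  # payload quoted in the diary
def _record(src, dport, payload):
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("198.51.100.5").packed)
    frame = bytes(12) + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record("192.0.2.10", 7, URL) + _record("192.0.2.11", 7, URL)
          + _record("192.0.2.77", 7, URL) + _record("203.0.113.9", 53, b"x")
          + _record("203.0.113.9", 7, b"ping"))
```

Calling `summarize(SAMPLE)` returns two counters, one keyed by source /24 and one by payload text, which is enough to see whether a spike comes from a single scanning subnet sending one fixed payload.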
