========= Update (1/6/00 10:45 EST) ============

Type "A" Probes

The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.

Date        Time (EST)  Source IP (Place)                    Destination (Place)
1999-12-28  18:40       151.21.82.251 (Italy)             to 24.88.48.47 (Atlanta, GA)
1999-12-10  18:28       152.169.145.206 (AOL)             to 24.88.48.47 (Atlanta, GA)
1999-12-16  03:34       212.24.231.131 (Saudi Arabia)     to 24.88.48.47 (Atlanta, GA)

UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh.

Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill")

I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ASCII zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.

Date        Time (EST)  Source IP (Place)                    Destination (Place)
1999-12-20  07:04       195.229.024.212 (Arab Emirates*)  to 24.88.48.47 (Atlanta, GA)
1999-12-21  08:04       195.229.024.213 (Arab Emirates*)  to 24.88.48.47 (Atlanta, GA)
                        *DNS name: cwa129.emirates.net.ae
1999-12-25  09:39       212.174.198.29 (Turkey)           to 24.94.xxx.xxx (Wichita, Kansas)
                        *DNS: none
1999-12-31  05:35       195.99.56.179 (Manchester, UK*)   to 14.88.xx.xx (Atlanta, GA)
                        *DNS name: manchester_nas11.ida.bt.net
2000-01-04  05:08       24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas)
                        *DNS name: a24b94n80client152.hawaii.rr.com
2000-01-06  04:48       195.44.201.41 (cwnet, NJ)         to 24.88.xx.xxx (Atlanta, GA)
                        *DNS name: ad11-s16-201-41.cwci.net

========== PREVIOUS INFO ==============

I received UDP probe number five this afternoon (12-22-99).
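As an added example (not part of the original page), a small Python filter that picks the two probe signatures described above out of a tcpdump-style packet log like the one in the previous-info section, and records whether the probed host followed up with the stimulated outbound Echo-Request. The log lines and addresses in it are constructed for the demonstration.

```python
import re

# Probe signatures described on the page: (UDP src port, dst port, payload bytes).
SIGNATURES = {
    (31790, 31789, 1): 'Type "A"',
    (60000, 2140, 2): 'Type "00"',
}

# tcpdump-style lines in the shape of the page's packet header log.
UDP_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) P (?P<src>[\d.]+)\.(?P<sp>\d+) > '
                    r'(?P<dst>[\d.]+)\.(?P<dp>\d+): udp (?P<len>\d+)')
ECHO_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) P (?P<src>[\d.]+) > (?P<dst>[\d.]+): '
                     r'icmp: echo request')

def _secs(ts):
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify_probes(lines, window=1.0):
    """One dict per known probe: sender, target, type, and whether the target
    followed up with the outbound ICMP Echo-Request toward the sender."""
    findings = []
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            key = (int(m['sp']), int(m['dp']), int(m['len']))
            if key in SIGNATURES:   # empty-payload (nmap-style) packets fall through
                findings.append({'time': m['ts'], 'prober': m['src'], 'target': m['dst'],
                                 'type': SIGNATURES[key], 'echo_triggered': False})
            continue
        m = ECHO_RE.match(line)
        if m:
            # An Echo-Request from the target back to the prober within the window
            # is the stimulated 1500-byte packet; tie it to the matching probe.
            for f in findings:
                if (f['target'], f['prober']) == (m['src'], m['dst']) \
                        and 0 <= _secs(m['ts']) - _secs(f['time']) <= window:
                    f['echo_triggered'] = True
    return findings

# Constructed sample log (documentation addresses), modelled on the page's entries.
SAMPLE_LOG = [
    '16:59:37.938228 P 198.51.100.9.60000 > 192.0.2.7.2140: udp 2 (ttl 107, id 26654)',
    '16:59:37.940762 P 192.0.2.7 > 198.51.100.9: icmp: echo request (DF) (ttl 255, id 21938)',
    '16:59:37.940858 P 192.0.2.7 > 198.51.100.9: icmp: 192.0.2.7 udp port 2140 unreachable (ttl 255, id 21939)',
    '17:02:11.100000 P 203.0.113.4.31790 > 192.0.2.7.31789: udp 1 (ttl 110, id 1001)',
    '17:02:11.102000 P 192.0.2.7 > 203.0.113.4: icmp: 192.0.2.7 udp port 31789 unreachable (ttl 255, id 1002)',
    '17:05:00.000000 P 203.0.113.4.40123 > 192.0.2.7.2140: udp 0 (ttl 110, id 1003)',
]

if __name__ == '__main__':
    for f in classify_probes(SAMPLE_LOG):
        print(f)
```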
This one was from the same host as probe four (12/20), apparently in the Arab Emirates. The packet log and route trace are below. Note that this one has different UDP port numbers from the first three (from Italy, Duke U., and S.Africa). The UDP packet has 2 characters in the data field (the monitor was not in a mode where the data field was captured). The port numbers, 60000 and 2140, are fixed where normally these numbers are random, or one is a "well-known port" for a particular service ( < 2048).

UDP Packet Header Log

16:59:37.938228 P 195.229.246.129.60000 > 24.88.26.197.2140: udp 2 (ttl 107, id 26654)
    Data: "00" [two ascii character zeroes]
16:59:37.940762 P 24.88.25.197 > 195.229.246.129: icmp: echo request (DF) (ttl 255, id 21938) [1500-bytes]
16:59:37.940858 P 24.88.25.197 > 195.229.246.129: icmp: 24.88.26.197 udp port 2140 unreachable (ttl 255, id 21939)

Trace to Arab Emirates (Probes 4 & 5, Type "00")

Start: 12/22/99 9:23:46 PM
Find route from: 24.88.26.197 to: cwa129.emirates.net.ae. (195.229.246.129), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
 1 24.88.26.1 (24.88.26.1 ): 33ms 15ms 17ms
 2 24.88.3.21 (24.88.3.21 ): 16ms 34ms 24ms
 3 24.93.64.69 (24.93.64.69 ): 14ms 18ms 18ms
 4 bordercore1-serial5-1-1.atlanta. (166.48.45.245 ): 27ms 18ms 41ms
 5 core4.atlanta.cw.net. (204.70.9.33 ): 23ms 26ms 16ms
 6 ast-bbn2-nap.atlanta.cw.net. (204.70.10.174 ): 19ms 20ms 21ms
 7 p1-0.atlanta1-nbr1.bbnplanet.net (4.0.5.202 ): 47ms 42ms 45ms
 8 p4-1.vienna1-nbr3.bbnplanet.net. (4.0.5.225 ): 42ms 42ms 42ms
 9 p1-0.vienna1-nbr2.bbnplanet.net. (4.0.5.45 ): 45ms 79ms 46ms
10 p3-1.nyc4-nbr2.bbnplanet.net. (4.0.3.130 ): 45ms 45ms 42ms
11 p9-0-0.nyc4-br1.bbnplanet.net. (4.0.2.161 ): 47ms 45ms 46ms
12 fa0-0-0.nyc4-cr3.bbnplanet.net. (4.1.64.54 ): 43ms 44ms 47ms
13 h1-0-0.emirates.bbnplanet.net. (4.1.73.6 ): 42ms 44ms 47ms
14 195.229.0.36 (195.229.0.36 ): 254ms 244ms 244ms
15 194.170.2.54 (194.170.2.54 ): 249ms 258ms 243ms
16 194.170.164.14 (194.170.164.14 ): 250ms 243ms 264ms
17 cwa129.emirates.net.ae. (195.229.246.129): 472ms 463ms 509ms
* Trace completed 12/22/99 9:23:53 PM *

I also detected 2 other normal probes as well today. I have been seeing about two total a week.

For the record, here is a route trace to the origin of a previous UDP 31790-31789 probe, which leads to Saudi Arabia.

Trace to Saudi Arabia (Probe 3, Type "A")

Find route from: 24.88.26.197 to: 212.24.231.131 (212.24.231.131), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
 1 24.88.26.1 (24.88.26.1 ): 28ms 16ms 17ms
 2 24.88.3.21 (24.88.3.21 ): 15ms 15ms 14ms
 3 24.93.64.69 (24.93.64.69 ): 14ms 14ms 16ms
 4 24.93.64.61 (24.93.64.61 ): 15ms 14ms 14ms
 5 stbrt02-stgsr01.rr.com. (24.218.188.57 ): 15ms 15ms 16ms
 6 stbrt01-stbrt02.rr.com. (24.218.188.50 ): 48ms 14ms 15ms
 7 vnbrt02-stbrt01.rr.com. (24.128.6.58 ): 34ms 34ms 34ms
 8 vnbrt03-vnbrt02.rr.com. (24.128.6.122 ): 36ms 35ms 37ms
 9 br1.tco1.alter.net. (192.41.177.248 ): 60ms 70ms 60ms
10 111.atm4-0.xr1.tco1.alter.net. (146.188.160.74 ): 66ms 49ms 66ms
11 152.63.32.194 (152.63.32.194 ): 69ms 45ms 59ms
12 115.atm7-0.tr1.lax2.alter.net. (146.188.138.146): 305ms 278ms 269ms
13 199.atm7-0.xr1.lax4.alter.net. (146.188.248.245): 319ms 303ms 293ms
14 193.atm9-0-0.gw2.lax4.alter.net. (146.188.249.25 ): 301ms 350ms 363ms
15 * * *
16 if-1-2.core1.losangeles.teleglob (207.45.223.101 ): 231ms 121ms *
17 if-6-2.core1.newyork.teleglobe.n (207.45.222.25 ): 279ms 254ms 268ms
18 *
18 if-4-3.core1.montreal.teleglobe. (207.45.223.1 ): 154ms 283ms
19 if-3-0-0.bb1.laurentides.teleglo (207.45.222.201 ): 276ms 258ms 285ms
20 if-9-0-0.bb2.laurentides.teleglo (207.45.222.170 ): 280ms 251ms 272ms
21 sauditelecom4-gw.customer.alter. (157.130.15.58 ): 771ms
21 sauditelecom2-gw.customer.alter. (157.130.14.202 ): 783ms
21 sauditelecom4-gw.customer.alter. (157.130.15.58 ): 686ms
22 gulf-int.gw.isu.net.sa. (212.26.19.62 ): 787ms 982ms 826ms
23 212.26.73.240 (212.26.73.240 ): 831ms 928ms 916ms
24 212.24.231.131 (212.24.231.131 ): 974ms 1073ms 848ms
* Trace completed 12/22/99 10:47:42 PM *