========= Update (1/6/00 10:45 EST) ============

Type "A" Probes

The first three UDP probes, the ones that started my investigation, had a single character,
an 'A', in the data field.  The UDP port numbers were the same in all three: 31790 -> 31789.

They stimulate the 1500-byte ICMP Echo Request packet and the normal 58-byte ICMP
Destination Unreachable (Port Unreachable) packet.  The Echo Request is never answered.

  Date        Time EST   Source IP        (Place)          Destination    (Place)

  1999-12-28  18:40      151.21.82.251    (Italy)          24.88.48.47    (Atlanta, GA)
  1999-12-10  18:28      152.169.145.206  (AOL)            24.88.48.47    (Atlanta, GA)
  1999-12-16  03:34      212.24.231.131   (Saudi Arabia)   24.88.48.47    (Atlanta, GA)

UDP packets with an empty data field, like those generated by the "nmap" scan program,
do not stimulate the 1500-byte ICMP packets from a Mac OS 9 Macintosh.

Type "Double-zero" Probes   (James Bond, 007, "00" -> "license to kill")

I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas.
These probes use a single UDP packet, two bytes of data (ASCII zeroes) and the same
UDP port numbers each time, 60000 -> 2140.  They stimulate the 1500-byte ICMP Echo Request
packet and the normal 58-byte ICMP Destination Unreachable (Port Unreachable) packet.  The
Echo Request is never answered.

  Date        Time EST   Source IP        (Place)                    Destination     (Place)

  1999-12-20  07:04      195.229.024.212  (Arab Emirates*)           24.88.48.47     (Atlanta, GA)
  1999-12-21  08:04      195.229.024.213  (Arab Emirates*)           24.88.48.47     (Atlanta, GA)
                                          *DNS name: cwa129.emirates.net.ae
  1999-12-25  09:39      212.174.198.29   (Turkey*)                  24.94.xxx.xxx   (Wichita, Kansas)
                                          *DNS: none
  1999-12-31  05:35      195.99.56.179    (Manchester, UK*)          14.88.xx.xx     (Atlanta, GA)
                                          *DNS name: manchester_nas11.ida.bt.net
  2000-01-04  05:08      24.94.80.152     (Road Runner, Hawaii*)     24.94.xxx.xxx   (Wichita, Kansas)
                                          *DNS name: a24b94n80client152.hawaii.rr.com
  2000-01-06  04:48      195.44.201.41    (cwnet, NJ*)               24.88.xx.xxx    (Atlanta, GA)
                                          *DNS name: ad11-s16-201-41.cwci.net

========== PREVIOUS INFO ==============

I received UDP probe number five this afternoon (12-22-99).

This one was from the same host as probe four (12/20), apparently in the Arab Emirates.
The packet log and route trace are below.  Note that this one has different UDP port
numbers from the first three (from Italy, Duke U., and S. Africa).  The UDP packet has
2 characters in the data field (the monitor was not in a mode where the data field was
captured).  The port numbers, 60000 and 2140, are fixed, whereas normally these numbers
are random, or one of them is a "well-known port" for a particular service (< 1024).

UDP Packet Header Log

16:59:37.938228 P 195.229.246.129.60000 > 24.88.26.197.2140: udp 2 (ttl 107, id 26654)
    Data: "00"   [two ASCII character zeroes]
16:59:37.940762 P 24.88.25.197 > 195.229.246.129: icmp: echo request (DF) (ttl 255, id 21938)  [1500 bytes]
16:59:37.940858 P 24.88.25.197 > 195.229.246.129: icmp: 24.88.26.197 udp port 2140 unreachable (ttl 255, id 21939)
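As an added example (this is not code from the original page), the following Python
script parses header-log lines of the shape shown above and labels each UDP probe using
the two signatures described in the Type "A" and Type "00" sections (source port,
destination port and UDP payload length), then checks whether the target answered with
an ICMP Echo Request and an ICMP Port Unreachable within a short window.  The sample log
embeds probe 5 from the log above with its wrapped lines joined, plus two constructed
entries using documentation addresses (192.0.2.10 and 198.51.100.7): a Type "A" probe
and an empty-payload scan of the kind that, per the page, does not trigger the echo
request.  The 1500-byte size appears only in the page's annotation, not in the tcpdump
line, so the script keys on the presence of the echo request rather than its size; the
one-second correlation window is an assumption.

```python
import re

# Probe signatures described on the page: (src port, dst port, UDP payload length).
SIGNATURES = {
    (31790, 31789, 1): 'Type "A"',
    (60000, 2140, 2): 'Type "00"',
}

TS = r'(\d{2}:\d{2}:\d{2}(?:\.\d+)?)'
IP = r'(\d{1,3}(?:\.\d{1,3}){3})'
# tcpdump-style header lines as in the page's log.  The token after the
# timestamp ("P") is an interface/direction flag and is skipped.
UDP_RE = re.compile(TS + r'\s+\S+\s+' + IP + r'\.(\d+) > ' + IP + r'\.(\d+): udp (\d+)')
ECHO_RE = re.compile(TS + r'\s+\S+\s+' + IP + r' > ' + IP + r': icmp: echo request')
UNREACH_RE = re.compile(TS + r'\s+\S+\s+' + IP + r' > ' + IP + r': icmp: ' + IP
                        + r' udp port (\d+) unreachable')

# Constructed sample: probe 5 from the page (lines joined) plus two made-up
# entries from RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '16:59:37.938228 P 195.229.246.129.60000 > 24.88.26.197.2140: udp 2 (ttl 107, id 26654)',
    '16:59:37.940762 P 24.88.25.197 > 195.229.246.129: icmp: echo request (DF) (ttl 255, id 21938)',
    '16:59:37.940858 P 24.88.25.197 > 195.229.246.129: icmp: 24.88.26.197 udp port 2140 unreachable (ttl 255, id 21939)',
    # constructed Type "A" probe and the two replies the page describes
    '17:12:03.100000 P 192.0.2.10.31790 > 24.88.26.197.31789: udp 1 (ttl 110, id 4100)',
    '17:12:03.102000 P 24.88.26.197 > 192.0.2.10: icmp: echo request (DF) (ttl 255, id 21950)',
    '17:12:03.102100 P 24.88.26.197 > 192.0.2.10: icmp: 24.88.26.197 udp port 31789 unreachable (ttl 255, id 21951)',
    # constructed empty-payload scan (nmap style): only the port unreachable comes back
    '17:30:44.500000 P 198.51.100.7.4000 > 24.88.26.197.2140: udp 0 (ttl 52, id 9)',
    '17:30:44.500900 P 24.88.26.197 > 198.51.100.7: icmp: 24.88.26.197 udp port 2140 unreachable (ttl 255, id 21960)',
]


def _seconds(ts):
    """Convert an HH:MM:SS[.frac] timestamp to seconds since midnight."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_log(lines):
    """Split header-log lines into UDP probes and ICMP replies; unknown lines are ignored."""
    udp, icmp = [], []
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, ulen = m.groups()
            udp.append(dict(t=_seconds(ts), src=src, sport=int(sport),
                            dst=dst, dport=int(dport), ulen=int(ulen)))
            continue
        m = ECHO_RE.match(line)
        if m:
            ts, _src, dst = m.groups()
            icmp.append(dict(t=_seconds(ts), kind='echo', dst=dst))
            continue
        m = UNREACH_RE.match(line)
        if m:
            ts, _src, dst, _orig_dst, port = m.groups()
            icmp.append(dict(t=_seconds(ts), kind='unreach', dst=dst, port=int(port)))
    return udp, icmp


def classify(lines, window=1.0):
    """Label each UDP probe and record which ICMP replies reached its source within `window` s.

    The window is an assumed value; the page's replies arrive within a few milliseconds.
    """
    udp, icmp = parse_log(lines)
    result = []
    for p in udp:
        followers = [r for r in icmp
                     if r['dst'] == p['src'] and 0 <= r['t'] - p['t'] <= window]
        result.append(dict(
            src=p['src'], sport=p['sport'], dport=p['dport'], ulen=p['ulen'],
            type=SIGNATURES.get((p['sport'], p['dport'], p['ulen']), 'unknown'),
            echo_request=any(r['kind'] == 'echo' for r in followers),
            port_unreachable=any(r['kind'] == 'unreach' and r['port'] == p['dport']
                                 for r in followers),
        ))
    return result


if __name__ == '__main__':
    for r in classify(SAMPLE_LOG):
        print('%-16s %5d -> %-5d len=%d  %-10s echo=%s unreach=%s' % (
            r['src'], r['sport'], r['dport'], r['ulen'], r['type'],
            r['echo_request'], r['port_unreachable']))
```

Running the script prints one line per probe; the two signature matches show both
replies, while the empty-payload scan shows only the port unreachable, which is the
difference the page uses to tell these probes from an ordinary nmap UDP scan.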

Trace to Arab Emirates (Probes 4 & 5, Type "00")

Start: 12/22/99   9:23:46 PM  
Find route from: 24.88.26.197
             to: cwa129.emirates.net.ae. (195.229.246.129), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
 1 24.88.26.1                       (24.88.26.1     ):    33ms       15ms       17ms
 2 24.88.3.21                       (24.88.3.21     ):    16ms       34ms       24ms
 3 24.93.64.69                      (24.93.64.69    ):    14ms       18ms       18ms
 4 bordercore1-serial5-1-1.atlanta. (166.48.45.245  ):    27ms       18ms       41ms
 5 core4.atlanta.cw.net.            (204.70.9.33    ):    23ms       26ms       16ms
 6 ast-bbn2-nap.atlanta.cw.net.     (204.70.10.174  ):    19ms       20ms       21ms
 7 p1-0.atlanta1-nbr1.bbnplanet.net (4.0.5.202      ):    47ms       42ms       45ms
 8 p4-1.vienna1-nbr3.bbnplanet.net. (4.0.5.225      ):    42ms       42ms       42ms
 9 p1-0.vienna1-nbr2.bbnplanet.net. (4.0.5.45       ):    45ms       79ms       46ms
10 p3-1.nyc4-nbr2.bbnplanet.net.    (4.0.3.130      ):    45ms       45ms       42ms
11 p9-0-0.nyc4-br1.bbnplanet.net.   (4.0.2.161      ):    47ms       45ms       46ms
12 fa0-0-0.nyc4-cr3.bbnplanet.net.  (4.1.64.54      ):    43ms       44ms       47ms
13 h1-0-0.emirates.bbnplanet.net.   (4.1.73.6       ):    42ms       44ms       47ms
14 195.229.0.36                     (195.229.0.36   ):   254ms      244ms      244ms
15 194.170.2.54                     (194.170.2.54   ):   249ms      258ms      243ms
16 194.170.164.14                   (194.170.164.14 ):   250ms      243ms      264ms
17 cwa129.emirates.net.ae.          (195.229.246.129):   472ms      463ms      509ms
* Trace completed 12/22/99   9:23:53 PM  *

I also detected 2 other normal probes today.  I have been seeing about two a week in total.

For the record, here is a route trace to the origin of a previous UDP 31790 -> 31789
probe, which leads to Saudi Arabia.

Trace to Saudi Arabia (Probe 3, Type "A")

Find route from: 24.88.26.197
             to: 212.24.231.131 (212.24.231.131), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
 1 24.88.26.1                       (24.88.26.1     ):    28ms       16ms       17ms
 2 24.88.3.21                       (24.88.3.21     ):    15ms       15ms       14ms
 3 24.93.64.69                      (24.93.64.69    ):    14ms       14ms       16ms
 4 24.93.64.61                      (24.93.64.61    ):    15ms       14ms       14ms
 5 stbrt02-stgsr01.rr.com.          (24.218.188.57  ):    15ms       15ms       16ms
 6 stbrt01-stbrt02.rr.com.          (24.218.188.50  ):    48ms       14ms       15ms
 7 vnbrt02-stbrt01.rr.com.          (24.128.6.58    ):    34ms       34ms       34ms
 8 vnbrt03-vnbrt02.rr.com.          (24.128.6.122   ):    36ms       35ms       37ms
 9 br1.tco1.alter.net.              (192.41.177.248 ):    60ms       70ms       60ms
10 111.atm4-0.xr1.tco1.alter.net.   (146.188.160.74 ):    66ms       49ms       66ms
11 152.63.32.194                    (152.63.32.194  ):    69ms       45ms       59ms
12 115.atm7-0.tr1.lax2.alter.net.   (146.188.138.146):   305ms      278ms      269ms
13 199.atm7-0.xr1.lax4.alter.net.   (146.188.248.245):   319ms      303ms      293ms
14 193.atm9-0-0.gw2.lax4.alter.net. (146.188.249.25 ):   301ms      350ms      363ms
15     *          *          *     
16 if-1-2.core1.losangeles.teleglob (207.45.223.101 ):   231ms      121ms        *
17 if-6-2.core1.newyork.teleglobe.n (207.45.222.25  ):   279ms      254ms      268ms
18     *     
18 if-4-3.core1.montreal.teleglobe. (207.45.223.1   ):   154ms      283ms   
19 if-3-0-0.bb1.laurentides.teleglo (207.45.222.201 ):   276ms      258ms      285ms
20 if-9-0-0.bb2.laurentides.teleglo (207.45.222.170 ):   280ms      251ms      272ms
21 sauditelecom4-gw.customer.alter. (157.130.15.58  ):   771ms   
21 sauditelecom2-gw.customer.alter. (157.130.14.202 ):   783ms   
21 sauditelecom4-gw.customer.alter. (157.130.15.58  ):   686ms   
22 gulf-int.gw.isu.net.sa.          (212.26.19.62   ):   787ms      982ms      826ms
23 212.26.73.240                    (212.26.73.240  ):   831ms      928ms      916ms
24 212.24.231.131                   (212.24.231.131 ):   974ms     1073ms      848ms
* Trace completed 12/22/99   10:47:42 PM *