router stops working because of udp packets

Thomas Krause -CI- freebsd-isp at chef-ingenieur.de
Fri May 16 13:50:46 PDT 2003


Hello,
today, Friday after work finished, our Ethernet-Ethernet router stopped
forwarding packets. I was not able to log in over the network.
At the console I found that networking was not working. A tcpdump
displayed a massive number of udp packets from one of our customers, src port
1713 dst port 1434:

05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434:  udp 376
05/16/2003 19:00:14.782150 x.y.z.170.1713 > 16.137.137.128.1434:  udp 376
05/16/2003 19:00:14.783416 x.y.z.170.1713 > 150.141.172.126.1434:  udp 376
05/16/2003 19:00:14.783844 x.y.z.170.1713 > 205.160.58.42.1434:  udp 376
05/16/2003 19:00:14.784187 x.y.z.170.1713 > 59.43.151.138.1434:  udp 376
05/16/2003 19:00:14.784714 x.y.z.170.1713 > 76.38.166.145.1434:  udp 376
05/16/2003 19:00:14.785305 x.y.z.170.1713 > 25.185.92.104.1434:  udp 376
05/16/2003 19:00:14.786015 x.y.z.170.1713 > 178.116.158.27.1434:  udp 376
05/16/2003 19:00:14.787341 x.y.z.170.1713 > 72.166.154.87.1434:  udp 376
05/16/2003 19:00:14.787930 x.y.z.170.1713 > 37.41.114.136.1434:  udp 376
05/16/2003 19:00:14.788581 x.y.z.170.1713 > 142.84.69.189.1434:  udp 376
05/16/2003 19:00:14.789169 x.y.z.170.1713 > 83.182.142.184.1434:  udp 376
05/16/2003 19:00:14.789880 x.y.z.170.1713 > 4.229.249.105.1434:  udp 376
05/16/2003 19:00:14.790531 x.y.z.170.1713 > 42.233.42.241.1434:  udp 376
05/16/2003 19:00:14.791304 x.y.z.170.1713 > 128.126.251.198.1434:  udp 376
05/16/2003 19:00:14.792017 x.y.z.170.1713 > 125.128.102.124.1434:  udp 376
05/16/2003 19:00:14.792602 x.y.z.170.1713 > 134.174.163.206.1434:  udp 376
05/16/2003 19:00:14.793251 x.y.z.170.1713 > 107.136.65.162.1434:  udp 376
05/16/2003 19:00:14.793901 x.y.z.170.1713 > 188.206.247.162.1434:  udp 376

After blocking port 1713, the bsd box's routing is working normally.
(I've no access to the customer's PC.)

I believe the host of the customer was hacked. Does anybody know what's
running on the host? How can I prevent such attacks? Are there any
kernel options? Or should I limit the udp traffic?

BTW: 4.6.2-RELEASE-p9 is running on the router.

Regards,
Thomas.
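As an added example (not from the post or from the list), the following detector reads tcpdump text in the format quoted above and flags a single source reaching many distinct destination hosts on one UDP port within a short window, which is the pattern seen here on udp/1434. The sample addresses are constructed (RFC 5737 ranges), and the thresholds (10 hosts in 1 second) are assumptions to tune per link.

```python
import re
from collections import defaultdict
from datetime import datetime

# One tcpdump line in the layout quoted in the post:
# MM/DD/YYYY HH:MM:SS.usec src.sport > dst.dport:  udp len
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+) > (?P<dst>\S+):\s+udp (?P<length>\d+)$"
)

def parse_line(line):
    """Return (ts, src_host, src_port, dst_host, dst_port, length) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)   # host may be anonymised (x.y.z.170)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
    return ts, src_host, int(src_port), dst_host, int(dst_port), int(m["length"])

def find_fanout(lines, min_targets=10, window_s=1.0):
    """Map (src_host, dst_port) -> distinct hosts reached, for every source hitting
    at least min_targets distinct hosts on one UDP port within window_s seconds."""
    events = defaultdict(list)          # (src_host, dst_port) -> [(ts, dst_host)]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src_host, _, dst_host, dst_port, _ = rec
            events[(src_host, dst_port)].append((ts, dst_host))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):    # slide a window over each start time
            targets = {d for t, d in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                alerts[key] = len(targets)
                break
    return alerts

# Constructed sample, not the poster's capture: one host spraying UDP/1434
# at a dozen destinations within a millisecond, plus normal DNS to one resolver
# (many queries, one destination host: not a fan-out, so it is not flagged).
SAMPLE = [
    f"05/16/2003 19:00:14.78{i:04d} 10.0.0.170.1713 > 192.0.2.{i}.1434:  udp 376"
    for i in range(1, 13)
] + [
    f"05/16/2003 19:00:15.00{i:04d} 10.0.0.5.4{i:04d} > 198.51.100.53.53:  udp 60"
    for i in range(1, 13)
]
```

`find_fanout(SAMPLE)` returns `{("10.0.0.170", 1434): 12}`; the same function run over a real capture reports which customer host to isolate instead of blocking traffic at the router by guesswork.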



