UDP port 500 bombarding ?

on 27.06.2007 12:05:34 by andre rodier

Hello all !
Maybe I'm stupid, but I have found no answer on the net about that.
My firewall iptables log is full of lines like this one :

Drop input:IN=eth0 OUT= MAC=00:40:63:e8:5d:3d:00:17:e0:84:97:ff:08:00 SRC=69.181.11.173 DST=XX.XXX.XXX.XX LEN=812
+TOS=0x00 PREC=0x00 TTL=100 ID=42287 PROTO=UDP *SPT=500 DPT=500* LEN=792

If I do a whois request, I don't understand the result :
----
Comcast Cable Communications Holdings, Inc CCCH3-33 (NET-69-180-0-0-1) 69.180.0.0 - 69.181.255.255
Comcast Cable Communications Holdings, Inc SFBA-20 (NET-69-181-0-0-1) 69.181.0.0 - 69.181.255.255
----
No name, phone number, no abuse email, etc...

Does anybody know what is happening?

Thanks.

Re: UDP port 500 bombarding ?

on 27.06.2007 13:37:05 by Burkhard Ott

On Wed, 27 Jun 2007 11:05:34 +0100, andre wrote:

> Hello all !
Hi,
> Drop input:IN=eth0 OUT= MAC=00:40:63:e8:5d:3d:00:17:e0:84:97:ff:08:00 SRC=69.181.11.173 DST=XX.XXX.XXX.XX LEN=812
> +TOS=0x00 PREC=0x00 TTL=100 ID=42287 PROTO=UDP *SPT=500 DPT=500* LEN=792
Looks like somebody is trying an isakmp (IPSec) connect to your host.


> If I do a whois request, I don't understand the result :
> ----
> Comcast Cable Communications Holdings, Inc CCCH3-33 (NET-69-180-0-0-1) 69.180.0.0 - 69.181.255.255
> Comcast Cable Communications Holdings, Inc SFBA-20 (NET-69-181-0-0-1) 69.181.0.0 - 69.181.255.255
> ----
> No name, phone number, no abuse email, etc...
>
> Does anybody know what is happening?
>
> Thanks.

Registrant:
Comcast Corporation
1500 Market Street
Philadelphia, PA 19102
US

Domain Name: COMCAST.NET

Administrative Contact:
Administrator, Domain Registration ContactMiddleName domregadmin@COMCAST.net
Comcast Corporation
1500 Market, West Tower
Philadelphia, PA 19102
US
215-320-8774 fax: 215-564-0132

Technical Contact:
Technical Contact, Domain Reg ContactMiddleName domregtech@comcastonline.com
Comcast Corporation
1500 Market St.
9Fl West
Philadelphia, PA 19102
US
215-320-8774 fax: 215-564-0132

cheers
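
A way to triage the kind of firewall log quoted above, as an added example that is not part of any post in this thread: it parses iptables LOG lines, keeps the two `LEN=` fields apart (IP length, then UDP length), and counts UDP/500 (ISAKMP) hits per source. The function names are hypothetical and the sample lines are constructed with documentation addresses.

```python
import re

# Constructed sample lines in the iptables LOG format quoted in the thread
# (addresses and MACs are documentation values, not taken from the posts).
MAC = "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = f"""\
Drop input:IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 LEN=812 TOS=0x00 PREC=0x00 TTL=100 ID=42287 PROTO=UDP SPT=500 DPT=500 LEN=792
Drop input:IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 LEN=812 TOS=0x00 PREC=0x00 TTL=100 ID=42288 PROTO=UDP SPT=500 DPT=500 LEN=792
Drop input:IN=eth0 OUT= {MAC} SRC=203.0.113.44 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=911 PROTO=UDP SPT=33012 DPT=500 LEN=56
Drop input:IN=eth0 OUT= {MAC} SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1201 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Drop input:IN=eth0 OUT= {MAC} SRC=203.0.113.9 DST=192.0.2.10 LEN=71 TOS=0x00 PREC=0x00 TTL=52 ID=1202 PROTO=UDP SPT=40113 DPT=53 LEN=51
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields."""
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice on UDP lines: first the IP total length, then
        # the UDP length (812 vs 792 in the thread: a 20-byte IPv4 header).
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    return fields

def isakmp_sources(log_text):
    """Per-source summary of dropped packets addressed to UDP port 500."""
    report = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or f.get("DPT") != "500":
            continue
        entry = report.setdefault(
            f.get("SRC", "?"), {"packets": 0, "from_500": 0, "max_udp_len": 0})
        entry["packets"] += 1
        # An IKE daemon normally also sends from port 500, as in the quoted line.
        entry["from_500"] += f.get("SPT") == "500"
        entry["max_udp_len"] = max(entry["max_udp_len"], int(f.get("UDP_LEN", 0)))
    return report

if __name__ == "__main__":
    for src, stats in sorted(isakmp_sources(SAMPLE_LOG).items()):
        print(src, stats)
```
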

Re: UDP port 500 bombarding ?

on 27.06.2007 13:38:33 by Burkhard Ott

On Wed, 27 Jun 2007 11:05:34 +0100, andre wrote:

> Hello all !
Hi,
> Drop input:IN=eth0 OUT= MAC=00:40:63:e8:5d:3d:00:17:e0:84:97:ff:08:00 SRC=69.181.11.173 DST=XX.XXX.XXX.XX LEN=812
> +TOS=0x00 PREC=0x00 TTL=100 ID=42287 PROTO=UDP *SPT=500 DPT=500* LEN=792

seems to be an isakmp connect

> If I do a whois request, I don't understand the result :
> ----
> Comcast Cable Communications Holdings, Inc CCCH3-33 (NET-69-180-0-0-1) 69.180.0.0 - 69.181.255.255
> Comcast Cable Communications Holdings, Inc SFBA-20 (NET-69-181-0-0-1) 69.181.0.0 - 69.181.255.255
> ----
> No name, phone number, no abuse email, etc...
>
> Does anybody know what is happening?
>
> Thanks.

Registrant:
Comcast Corporation
1500 Market Street
Philadelphia, PA 19102
US

Domain Name: COMCAST.NET

Administrative Contact:
Administrator, Domain Registration ContactMiddleName domregadmin@COMCAST.net
Comcast Corporation
1500 Market, West Tower
Philadelphia, PA 19102
US
215-320-8774 fax: 215-564-0132

Technical Contact:
Technical Contact, Domain Reg ContactMiddleName domregtech@comcastonline.com
Comcast Corporation
1500 Market St.
9Fl West
Philadelphia, PA 19102
US
215-320-8774 fax: 215-564-0132


cheers

Re: UDP port 500 bombarding ?

on 27.06.2007 13:55:18 by andre rodier

Thank you Burkhard Ott.
How did you get the whois information?
Andre.

Burkhard Ott wrote:
> On Wed, 27 Jun 2007 11:05:34 +0100, andre wrote:
>
>> Hello all !
> Hi,
>> Drop input:IN=eth0 OUT= MAC=00:40:63:e8:5d:3d:00:17:e0:84:97:ff:08:00 SRC=69.181.11.173 DST=XX.XXX.XXX.XX LEN=812
>> +TOS=0x00 PREC=0x00 TTL=100 ID=42287 PROTO=UDP *SPT=500 DPT=500* LEN=792
>
> seems to be an isakmp connect
>
>> If I do a whois request, I don't understand the result :
>> ----
>> Comcast Cable Communications Holdings, Inc CCCH3-33 (NET-69-180-0-0-1) 69.180.0.0 - 69.181.255.255
>> Comcast Cable Communications Holdings, Inc SFBA-20 (NET-69-181-0-0-1) 69.181.0.0 - 69.181.255.255
>> ----
>> No name, phone number, no abuse email, etc...
>>
>> Does anybody know what is happening?
>>
>> Thanks.
>
> Registrant:
> Comcast Corporation
> 1500 Market Street
> Philadelphia, PA 19102
> US
>
> Domain Name: COMCAST.NET
>
> Administrative Contact:
> Administrator, Domain Registration ContactMiddleName domregadmin@COMCAST.net
> Comcast Corporation
> 1500 Market, West Tower
> Philadelphia, PA 19102
> US
> 215-320-8774 fax: 215-564-0132
>
> Technical Contact:
> Technical Contact, Domain Reg ContactMiddleName domregtech@comcastonline.com
> Comcast Corporation
> 1500 Market St.
> 9Fl West
> Philadelphia, PA 19102
> US
> 215-320-8774 fax: 215-564-0132
>
>
> cheers

Re: UDP port 500 bombarding ?

on 27.06.2007 14:27:06 by Burkhard Ott

On Wed, 27 Jun 2007 12:55:18 +0100, andre wrote:

> Thank you Burkhard Ott.
Don't mention it.

> How did you get the whois information?
> Andre.
>>> Comcast Cable Communications Holdings, Inc CCCH3-33 (NET-69-180-0-0-1) 69.180.0.0 - 69.181.255.255
>>> Comcast Cable Communications Holdings, Inc SFBA-20 (NET-69-181-0-0-1) 69.181.0.0 - 69.181.255.255

The IP is registered to Comcast, so I asked the whois server for Comcast
and got the information.

cheers