[FUG-BR] Possible attack on UDP port

joao jamaicabsd jamaicabsd at gmail.com
Wed Jun 10 09:39:03 BRT 2015


Good morning, warriors.
I'm seeing that tcpdump is showing me a lot of blocking on UDP ports in
several directions, both inbound and outbound.
This could be some blocking of an internal service of mine, or it could be
some problem.

09:28:15.343074 rule 2..16777216/0(match): block in on re0: 192.168.0.53.5937 > 177.96.3.133.63877: UDP, length 169
09:28:17.363329 rule 2..16777216/0(match): block in on re0: 192.168.0.53.5937 > 177.96.3.133.63877: UDP, length 169
09:28:21.387994 rule 2..16777216/0(match): block in on re0: 192.168.0.53.5937 > 177.96.3.133.63877: UDP, length 169
09:28:24.127043 rule 2..16777216/0(match): block in on re0: 192.168.0.53.49945 > 52.5.200.216.4007: Flags [S], seq 405170770, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:28:24.636198 rule 2..16777216/0(match): block in on re0: 192.168.0.53.49945 > 52.5.200.216.4007: Flags [S], seq 405170770, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:28:25.014734 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 255.255.255.255.17500: UDP, length 104
09:28:25.016388 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 255.255.255.255.17500: UDP, length 104
09:28:25.016841 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 192.168.0.255.17500: UDP, length 104
09:28:25.017269 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 255.255.255.255.17500: UDP, length 104
09:28:25.236175 rule 2..16777216/0(match): block in on re0: 192.168.0.53.49945 > 52.5.200.216.4007: Flags [S], seq 405170770, win 8192, options [mss 1460,nop,nop,sackOK], length 0
09:28:26.345996 rule 2..16777216/0(match): block in on re0: 192.168.0.35.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:25:c2:2c:c6:58, length 300
09:28:32.164038 rule 2..16777216/0(match): block in on re0: 192.168.0.55.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:30:67:f6:48:4f, length 300
09:28:34.698400 rule 2..16777216/0(match): block in on re0: 192.168.0.56.18529 > 203.106.98.175.45501: UDP, length 103
09:28:35.086970 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 71.191.71.243.9673: UDP, length 18
09:28:35.087051 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 188.78.152.39.49370: UDP, length 18
09:28:35.087059 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 71.15.127.27.27619: UDP, length 18
09:28:35.087067 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 188.4.146.194.38246: UDP, length 18
09:28:35.658213 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:35.859811 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:35.914343 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
09:28:36.163887 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
09:28:36.304257 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:36.569976 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
09:28:37.142647 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:37.374070 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
09:28:38.771448 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:38.986766 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
09:28:41.699175 rule 2..16777216/0(match): block in on re0: 192.168.0.56.18529 > 94.57.11.59.21011: UDP, length 103
09:28:41.984207 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28

This is just a small piece of the output of tcpdump -e -nnn -i pflog0
It's worth remembering that ftp-proxy is listening on 8021

If anyone can help me clear up this doubt, I'd appreciate it.

-- 
João Maykon
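As an added example (not code from the original post, its author or the FUG-BR list), here is a small Python triage script for pf block lines in exactly the format quoted above. Its sample input is a handful of records taken from the excerpt, each on one line. It groups blocked packets by local socket and attaches heuristic hints a defender would want before calling this an attack: DHCP and LAN broadcast noise, a single local port fanning out to many remote peers, and "mirror" pairs where the remote ip:port a LAN host was blocked from reaching shows up as the source of blocked inbound packets on another interface, which points to an existing conversation being cut by the rule rather than to unsolicited traffic. The hint labels, the fan-out threshold and the crude broadcast test are the example's own assumptions.

```python
"""Triage helper for pf block lines as printed by `tcpdump -e -nnn -i pflog0`.

Added example, not code from the original post or the FUG-BR list. It parses
the line format quoted in the post, groups blocked packets by local socket and
attaches a few heuristic hints for a defender reading the log.
"""
import re
from collections import defaultdict

# One record per line: timestamp, pf rule, reason, action, direction, interface,
# src.port > dst.port, and the protocol-specific remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Sample input: records taken from the excerpt in the post, one per line.
SAMPLE = """\
09:28:15.343074 rule 2..16777216/0(match): block in on re0: 192.168.0.53.5937 > 177.96.3.133.63877: UDP, length 169
09:28:24.127043 rule 2..16777216/0(match): block in on re0: 192.168.0.53.49945 > 52.5.200.216.4007: Flags [S], seq 405170770, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:28:25.014734 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 255.255.255.255.17500: UDP, length 104
09:28:25.016841 rule 2..16777216/0(match): block in on re0: 192.168.0.35.17500 > 192.168.0.255.17500: UDP, length 104
09:28:26.345996 rule 2..16777216/0(match): block in on re0: 192.168.0.35.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:25:c2:2c:c6:58, length 300
09:28:35.086970 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 71.191.71.243.9673: UDP, length 18
09:28:35.087051 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 188.78.152.39.49370: UDP, length 18
09:28:35.087059 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 71.15.127.27.27619: UDP, length 18
09:28:35.658213 rule 2..16777216/0(match): block in on re2: 191.184.209.45.44948 > 10.1.1.254.59087: UDP, length 28
09:28:35.914343 rule 2..16777216/0(match): block in on re0: 192.168.0.55.59087 > 191.184.209.45.44948: UDP, length 28
"""


def parse_line(line):
    """Return a dict for one pflog line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rest.startswith("BOOTP/DHCP"):
        rec["proto"] = "DHCP"
    elif rest.startswith("Flags ["):
        rec["proto"] = "TCP"
    elif rest.startswith("UDP"):
        rec["proto"] = "UDP"
    else:
        rec["proto"] = "OTHER"
    size = re.search(r"length (\d+)", rest)
    rec["length"] = int(size.group(1)) if size else None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse(text):
    """Parse every matching line of a pflog dump; unknown lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def is_broadcast(ip):
    # Crude assumption: limited broadcast or a /24-style directed broadcast.
    return ip == "255.255.255.255" or ip.endswith(".255")


def summarize(records, fanout_threshold=3):
    """Group by (iface, src, sport, proto); return counts, peers and hints."""
    groups = defaultdict(lambda: {"count": 0, "peers": set(), "hints": set()})
    blocked_sources = defaultdict(set)  # iface -> {(src, sport)} seen as a blocked source
    for r in records:
        g = groups[(r["iface"], r["src"], r["sport"], r["proto"])]
        g["count"] += 1
        g["peers"].add((r["dst"], r["dport"]))
        blocked_sources[r["iface"]].add((r["src"], r["sport"]))
    for (iface, src, sport, proto), g in groups.items():
        bcast = [d for d, _ in g["peers"] if is_broadcast(d)]
        if proto == "DHCP":
            g["hints"].add("dhcp-broadcast")  # client discover/request, expected on a LAN
        elif bcast and len(bcast) == len(g["peers"]):
            g["hints"].add("lan-broadcast")   # only broadcast targets: LAN discovery noise
        if not bcast and len(g["peers"]) >= fanout_threshold:
            g["hints"].add("fan-out")         # one local socket talking to many remote peers
        # Mirror: a remote ip:port we are blocked from reaching is itself a blocked
        # *source* on another interface, i.e. the same conversation is cut both ways.
        for other_iface, sources in blocked_sources.items():
            if other_iface != iface and g["peers"] & sources:
                g["hints"].add("mirrored-on-" + other_iface)
    return dict(groups)


def report(groups):
    """Human-readable summary, one line per local socket."""
    out = []
    for (iface, src, sport, proto), g in sorted(groups.items()):
        hints = ", ".join(sorted(g["hints"])) or "-"
        out.append(f"{iface} {src}:{sport} {proto}: {g['count']} blocked, "
                   f"{len(g['peers'])} distinct peer(s), hints: {hints}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(parse(SAMPLE)))))
```

Run it on a longer capture by replacing SAMPLE with the contents of a saved tcpdump file. A socket that only carries "dhcp-broadcast" or "lan-broadcast" hints is ordinary LAN chatter hitting a default block rule; a "fan-out" socket is worth checking on the host itself (which process owns the port), and a "mirrored-on-..." hint says the block rule is interrupting a two-way exchange, so the question is whether that exchange should be allowed, not whether someone is attacking you.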


More information about the freebsd mailing list