North American Network Operators Group


Interesting netflow entry

  • From: Wil Schultz
  • Date: Mon Feb 06 16:18:32 2006


After setting up netflow this morning I have a recurring flow that seems bothersome to me. I have an internal host (10.X.X.99) that continually attempts to hit various external hosts (AA, BB, CC, etc...) on seemingly random ports but always sources port udp.1204. In about 2 hours this host has hit 155 different external hosts, some of them once or twice and some of them more than 10 times. Below is a sanitised 10-minute output.

11:41:37.031 0.000 UDP 10.XX.XX.99:1204 -> AA.AA.AA.AA:46299 (RoadRunner, VA US)
11:42:07.032 0.000 UDP 10.XX.XX.99:1204 -> BB.BB.BB.BB:15989 (Comcast, MI US)
11:42:37.096 0.000 UDP 10.XX.XX.99:1204 -> CC.CC.CC.CC:52566 (Comcast, IL US)
11:43:17.204 0.000 UDP 10.XX.XX.99:1204 -> DD.DD.DD.DD:47756 (Adelphia, CA US)
11:45:27.521 0.000 UDP 10.XX.XX.99:1204 -> EE.EE.EE.EE:20797 (Tokyo)
11:46:07.685 0.000 UDP 10.XX.XX.99:1204 -> FF.FF.FF.FF:21363 (Surrey UK)
11:48:47.991 0.000 UDP 10.XX.XX.99:1204 -> GG.GG.GG.GG:48324 (Israel)

Interestingly enough, I've checked to see if this seemingly random port was actually listening, and each of the 15-20 hosts I've checked is listening on its port, i.e. AA.AA.AA.AA has udp.46299 open while BB.BB.BB.BB has udp.15989 open. When a host was contacted multiple times the "random" dstport is always the same.

Anyone have any clue as to what could be going on here?

-Wil
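
An added example, not part of the original post: a short Python script that tallies flow lines in the layout shown above by source address and source port, then reports how many distinct peers each one reached and whether every peer was always contacted on the same destination port. The sample flows (documentation-range addresses), the `fanout` function and the `min_peers` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flows in the same layout as the post's output
# (documentation-range addresses, not real hosts).
SAMPLE = """\
11:41:37.031 0.000 UDP 10.0.0.99:1204 -> 192.0.2.10:46299
11:42:07.032 0.000 UDP 10.0.0.99:1204 -> 198.51.100.7:15989
11:42:37.096 0.000 UDP 10.0.0.99:1204 -> 203.0.113.5:52566
11:43:17.204 0.000 UDP 10.0.0.99:1204 -> 192.0.2.10:46299
11:44:02.310 0.000 UDP 10.0.0.23:53211 -> 192.0.2.53:53
11:44:02.911 0.000 UDP 10.0.0.23:40112 -> 192.0.2.53:53
11:45:27.521 0.000 UDP 10.0.0.99:1204 -> 198.51.100.7:15989
this line is not a flow record
"""

# [\w.]+ also accepts sanitised addresses such as AA.AA.AA.AA
FLOW = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)"
)

def fanout(text, min_peers=3):
    """Return {(src, sport): summary} for UDP sources that keep one source
    port while contacting at least min_peers distinct destinations."""
    peers = defaultdict(lambda: defaultdict(set))  # (src, sport) -> dst -> {dport}
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if not m or m["proto"].upper() != "UDP":
            continue  # skip malformed lines and non-UDP flows
        peers[(m["src"], int(m["sport"]))][m["dst"]].add(int(m["dport"]))
    report = {}
    for key, dsts in peers.items():
        if len(dsts) < min_peers:
            continue
        report[key] = {
            "distinct_peers": len(dsts),
            # True when every peer was always contacted on the same port
            "stable_port_per_peer": all(len(p) == 1 for p in dsts.values()),
            "distinct_dports": len({p for ps in dsts.values() for p in ps}),
        }
    return report

if __name__ == "__main__":
    for (src, sport), info in fanout(SAMPLE).items():
        print(f"{src}:{sport} {info}")
```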