Re: [squid-users] lots of UDP connections

From: Chad Naugle <Chad.Naugle_at_travimp.com>
Date: Fri, 03 Jun 2011 09:16:55 -0400

Check the hostname of these IP addresses. They could be DNS replies,
using random ports for source/destinations. Squid can generate tons of
DNS traffic.

>>> Bal Krishna Adhikari <balkrishna_at_subisu.net.np> 6/3/2011 6:13 AM
>>>
Hello,

I found a lot of UDP connections that are coming to my proxy servers.
I can't find the cause of such one-way traffic to my servers.
The sample UDP traffic is as follows:

14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30

Does anyone have any idea if the traffic is genuine or some kind of attack?
x.x.x.x is my proxy server.

--- Bal Krishna

Received on Fri Jun 03 2011 - 13:17:14 MDT
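
One way to test the DNS-reply hypothesis from the reply above against a capture in this format, as an added example that is not part of the original thread: it parses tcpdump UDP lines (including ones a mail client has wrapped after "length") and tallies packets from source port 53, distinct sources, reused destination ports and payload lengths. The sample lines are constructed with documentation-range addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same tcpdump format as the capture in the thread
# (documentation-range source addresses; destination masked as in the post).
SAMPLE = """\
14:00:07.506612 IP 192.0.2.10.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 198.51.100.7.41597 > x.x.x.x.64338: UDP, length
30
14:00:07.572559 IP 192.0.2.44.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.783452 IP 198.51.100.9.41870 > x.x.x.x.62782: UDP, length 30
14:00:08.078260 IP 203.0.113.80.61957 > x.x.x.x.26071: UDP, length 67
14:00:08.101495 IP 192.0.2.10.19605 > x.x.x.x.45682: UDP, length 30
"""

# host.port > host.port; the greedy \S+ leaves only the last dotted field as port.
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

def parse(text):
    """Return (src, sport, dst, dport, length) tuples from tcpdump UDP lines."""
    # Rejoin lines where the length value was wrapped onto the next line.
    text = re.sub(r"length\s*\n\s*(\d+)", r"length \1", text)
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, src, sport, dst, dport, length = m.groups()
            pkts.append((src, int(sport), dst, int(dport), int(length)))
    return pkts

def summarize(pkts):
    """Tally the fields that separate DNS replies from other inbound UDP."""
    dports = Counter(p[3] for p in pkts)
    return {
        "packets": len(pkts),
        "unique_sources": len({p[0] for p in pkts}),
        # Replies from a DNS server normally carry source port 53.
        "from_port_53": sum(1 for p in pkts if p[1] == 53),
        # Destination ports hit by more than one packet.
        "shared_dst_ports": {port: n for port, n in dports.items() if n > 1},
        "lengths": dict(Counter(p[4] for p in pkts)),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```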
