On Fri, 24 Oct 1997, Michael Ferioli wrote:
Sure that it's not just a traceroute someone is doing on you?
traceroute defaults to port=33434 + (hop * q), where q is the number of
queries specified with traceroute and hop is the number of hops that you are
away from the host that traceroutes you. Traceroute uses UDP and waits
for an ICMP port unreachable message from whichever host has no more
time to live for the packet. If no ICMP message returns, traceroute
usually prints a * and goes on and increases the TTL in hopes that it will
get a reply. It also increases the port, as each query represents a port
higher than the last query. If you are, for example, filtering UDP ports
and have the packets dropped, a traceroute will never get an ICMP reply and
thus keeps trying, usually until a maximum of 30 hops (by default on my
FreeBSD system), where it stops. I'm not sure if this is the scenario, but
it's just an idea of what could be happening. If your observed UDP scan
goes from 33440 through 33524 instead (maybe there were 4 more), then a
traceroute with 3 queries per hop could hold true, with the remote host
being 2 hops away and you not giving back an ICMP port unreachable message.
*shrug* Hope I didn't bore you with my brainstorm...
Peter
> Lately I've been getting a lot of UDP port scanning.
> Specifically: 33440 through 33520. When asked,
> one admin told me that it was his firewall that
> was doing it. Now I'm getting this from multiple
> sources. Any thoughts?
>
> Mike
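The port arithmetic Peter describes can be turned into a quick triage check for a firewall log: does a run of UDP destination ports on one source look like consecutive traceroute probes, or like a scan? The following is an added example, not code from either poster. It assumes Peter's model exactly as stated (first probe for hop h goes to 33434 + h * nqueries, and each further query for that hop uses the next port up), which is an approximation of what real traceroute implementations do; the log format, source addresses and function names are constructed for the example.

```python
"""Triage helper: is a run of UDP destination ports consistent with traceroute?

Added example, not part of the original mailing-list thread. The port model
follows Peter's description (port = 33434 + hop * nqueries, then one port per
query above that); real traceroute builds differ in details.
"""
import re
from collections import defaultdict

BASE_PORT = 33434       # traceroute's default starting UDP port
DEFAULT_MAX_HOPS = 30   # default maximum TTL on the poster's FreeBSD system


def probe_port(hop, query, nqueries=3):
    """Port used by 1-based `query` of 1-based `hop` under the message's model."""
    if hop < 1 or not 1 <= query <= nqueries:
        raise ValueError("hop and query out of range")
    return BASE_PORT + hop * nqueries + (query - 1)


def hop_for_port(port, nqueries=3):
    """Inverse of probe_port: (hop, query) for a port, or None if below hop 1."""
    offset = port - BASE_PORT
    if offset < nqueries:          # hop 0 does not exist in this model
        return None
    return offset // nqueries, offset % nqueries + 1


def looks_like_traceroute(ports, nqueries=3, max_hops=DEFAULT_MAX_HOPS):
    """Classify a set of observed destination ports from one source.

    Traceroute-like means: every port in the run is present (no gaps), the
    run starts on the first query of some hop, and it does not run past the
    last hop traceroute would try by default.
    """
    ports = sorted(set(ports))
    if not ports:
        return {"traceroute_like": False, "reason": "no ports observed"}
    first = hop_for_port(ports[0], nqueries)
    last = hop_for_port(ports[-1], nqueries)
    if first is None or last is None:
        return {"traceroute_like": False, "reason": "below traceroute port range"}
    missing = sorted(set(range(ports[0], ports[-1] + 1)) - set(ports))
    first_hop, first_query = first
    last_hop, _ = last
    if missing:
        reason = "gaps in port run"
    elif first_query != 1:
        reason = "run does not start on a hop's first query"
    elif last_hop > max_hops:
        reason = "run extends past default max hops"
    else:
        reason = "contiguous probes, hops %d-%d" % (first_hop, last_hop)
    return {
        "traceroute_like": reason.startswith("contiguous"),
        "reason": reason,
        "first_hop": first_hop,
        "last_hop": last_hop,
        "missing_ports": missing,
    }


# Constructed firewall-style log format; adjust LOG_RE for a real device.
LOG_RE = re.compile(r"udp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def ports_by_source(log_lines):
    """Collect the distinct UDP destination ports seen from each source address."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dport")))
    return dict(seen)


# Constructed sample log: one source probing hops 2-4 (3 queries each),
# one hitting every other port, and one poking at a few service ports.
SAMPLE_LOG = (
    ["deny udp 198.51.100.7:40000 -> 192.0.2.1:%d" % p for p in range(33440, 33449)]
    + ["deny udp 203.0.113.9:40000 -> 192.0.2.1:%d" % p for p in range(33440, 33449, 2)]
    + ["deny udp 203.0.113.10:40000 -> 192.0.2.1:%d" % p for p in (53, 123, 161)]
)


def triage(log_lines):
    """Map each source address to its classification."""
    return {src: looks_like_traceroute(ports)
            for src, ports in ports_by_source(log_lines).items()}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict["reason"])
```

Run against the range Peter guesses at (33440 through 33524), the classifier reports a contiguous run from hop 2 to hop 30, which is exactly the picture of a 3-query traceroute from two hops away that never gets a port-unreachable back and runs to the default hop limit. A source whose ports have gaps, or that never starts on a hop boundary, falls through to the scan side of the triage.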