Scan 21

This month's challenge is to make sense of a seemingly innocuous flurry of UDP packets. All submissions are due no later than 22:00 GMT, Friday, 21 June. Results will be released Friday, 28 June.

Skill Level: Intermediate


The Challenge:
On the evening of Feb 15th, three different members of the Honeynet Research Alliance received a flurry of strange UDP packets that, at first look, seemed to have no apparent purpose. This month's Scan of the Month challenge is to understand the purpose of these packets. Using the Snort binary capture from one of the Honeynets, answer the following questions. The Honeynet that is scanned is on the 172.16.1.0/24 network. Also, keep in mind that these packets were recorded on a system in the GMT timezone; when you review this binary capture on your own system, your tools may convert the packet timestamps to your local timezone. Send all submissions to sotm@honeynet.org.

Download:
0215@000-snort.log.tar.gz MD5 = 58abd0cb0cbe4c31930225dd229352a5

  1. What is the attacker attempting to achieve?
  2. How does UDP work to achieve this purpose?
  3. Why is the attacker using random src and dst UDP ports and random IP addresses?
  4. Are all the packets originating from the same machine or different ones?
  5. How can the attacker view the responses to his probes?

Bonus Question:

  1. Can the attacker fingerprint the OS of the victim systems?
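Working the questions above starts with decoding the capture as libpcap (the format Snort writes its binary log in) and rendering each timestamp in UTC so the GMT caveat cannot skew the timeline. The following is an added example, not part of the challenge or of any write-up: a standard-library-only parser that extracts the UDP/IPv4 packets aimed at 172.16.1.0/24 and tallies sources, port spread and TTL per source. It assumes an Ethernet link type and runs against a constructed three-packet capture, not the challenge file.

```python
import struct
import ipaddress
from collections import Counter
from datetime import datetime, timezone

HONEYNET = ipaddress.ip_network("172.16.1.0/24")  # honeynet range given in the challenge

def parse_pcap_udp(data):
    """Yield (utc_time, src, sport, dst, dport, ttl) for each UDP/IPv4 frame in a libpcap buffer."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a libpcap (Snort binary log) file")
    off = 24  # skip the global header; link type 1 (Ethernet) is assumed
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 8]
        if ip[9] != 17 or len(udp) < 8:
            continue  # not UDP, or cut short by the snaplen
        sport, dport = struct.unpack("!HH", udp[:4])
        # record timestamps are epoch seconds: render them in UTC so no local-timezone shift creeps in
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        yield when, str(ipaddress.ip_address(ip[12:16])), sport, str(ipaddress.ip_address(ip[16:20])), dport, ip[8]

def summarize(data):
    """Tally what the questions turn on: distinct sources, port spread, and the TTL seen per source."""
    srcs, sports, dports, ttls = Counter(), Counter(), Counter(), Counter()
    for _, src, sport, dst, dport, ttl in parse_pcap_udp(data):
        if ipaddress.ip_address(dst) in HONEYNET:  # keep only probes aimed at the honeynet
            srcs[src] += 1; sports[sport] += 1; dports[dport] += 1; ttls[(src, ttl)] += 1
    return {"udp_to_honeynet": sum(srcs.values()), "sources": dict(srcs), "ttl_by_src": dict(ttls),
            "distinct_sports": len(sports), "distinct_dports": len(dports)}

def build_sample_pcap(packets):  # constructed capture, not the challenge file: (ts_sec, src, sport, dst, dport, ttl) -> pcap bytes
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, sport, dst, dport, ttl in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample_pcap([  # constructed: random-looking ports, two sources, one packet not for the honeynet
    (1013804100, "10.9.8.7", 40123, "172.16.1.104", 33000, 243),
    (1013804101, "192.0.2.55", 51230, "172.16.1.104", 9021, 243),
    (1013804102, "10.9.8.7", 61000, "198.51.100.20", 1234, 243),
])
```

Point `summarize` at the bytes of the real capture (after extracting the tarball) to get the same tallies for the challenge data; a consistent TTL across otherwise unrelated source addresses is one of the things worth looking at for question 4.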

The Results:
This month's judging and team write-up were done by the Honeynet Research Alliance, specifically Paladion Networks' Honeynet Research team.

Writeup from the Honeynet Project / Honeynet Research Alliance
Paladion Networks

Writeup from the Security Community.

Best Entry

Dave Turner

Next 10 Entries

Curtis Sloan
Ian Cuthbertson
Javier Fernández-Sanguino Peña
Raul Siles
Nikolay Sturm
David Long
Justin Wright
Marek Gutkowski
Bo Adler
Dan MacDonald

The Honeynet Project