When university research is responsible for that network probe
- — 10 July, 2008 10:08
The Internet Storm Center, operated by SANS, is one of the leading sources when it comes to identifying emerging attacks against networks, through their DShield collaborative network analysis effort. Traffic spikes on network ports that are well above the normal rates of traffic flow can signify a rapidly spreading exploit or it could be a misconfigured network spewing rubbish across the rest of the Internet. One of the ISC's handlers noted a significant spike of traffic on port 7 recently and was surprised by what he found.
Traditionally, port 7 is used for echo, which replies to a source address with the packet that was just sent by it and it is a useful troubleshooting tool that can help with isolating and identifying network problems. While it has this positive use, it can also be misused by attackers to relay their attack if they forge the source of the network traffic they send to the service, effectively making a Denial of Service much simpler. For this reason it should be disabled on most systems, unless being used for trouble shooting.
When the ISC handler looked deeper into the odd network traffic, which was starting to show on some of the honeypots they managed, they discovered that the UDP traffic was originating from a Texas A&M University network block. Following the URL in the packet led to this site which explained the purpose of the network scans, for research purposes. It is theorised that the reason for the scans is to find how many systems are still responding on a service that should have been turned off long ago.
Whatever the underlying reason, at least it isn't as bad as a mismanaged crawler spewing traffic across the Internet.