My next class:
LINUX Incident Response and Threat Hunting | Online | Japan Standard Time | Oct 21st - Oct 26th 2024

Teredo request for packets

Published: 2010-02-16. Last Updated: 2010-02-16 14:52:33 UTC
by Jim Clausing (Version: 1)
1 comment(s)

We got an e-mail today from Rick about some really odd UDP traffic he was seeing.  We took a look, and it looked like Teredo keep-alive traffic (Teredo tunnels IPv6 over UDP/IPv4; clients talk to a Teredo server on UDP port 3544), but Rick wasn't running Teredo.  That got some of the handlers wondering, so we're asking for packets from those of you who are NOT running Teredo (we don't want to see your normal traffic; we're looking for any more of these weird, apparently misdirected, packets).  So, for those who are willing, could you run the following tcpdump command and upload the results via the contact page?  We'll post our analysis in a week or two, if we can figure anything out.  Thanks in advance.

# stop after 100 packets, full snapshot length, all interfaces, write a pcap file
tcpdump -c100 -s0 -i any -w /tmp/teredo udp port 3544
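
Once you have the capture, the question is whether each UDP/3544 datagram actually decodes as Teredo, and if so what kind of Teredo packet it is. The following is an added example (not from the original diary) that works on the UDP payload bytes of one datagram: it strips the RFC 4380 authentication and origin-indication encapsulations, classifies the inner IPv6 packet as a bubble (the empty packet Teredo uses to keep NAT mappings alive), a router solicitation, a router advertisement or tunnelled data, and un-obfuscates the server IPv4, mapped port and mapped client IPv4 embedded in any 2001:0::/32 address. The sample packets and all IPv4 addresses (RFC 5737 documentation ranges) are constructed for the example; it does not read the pcap file itself.

```python
"""Triage UDP/3544 payloads as Teredo (RFC 4380) traffic.

Added example, not part of the original diary. Sample packets and
addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001:0::/32")
NH_ICMPV6 = 58
NH_NO_NEXT = 59   # "No Next Header": an empty bubble packet
ICMPV6_RS = 133
ICMPV6_RA = 134


def _unobfuscate_ipv4(raw):
    # Teredo stores IPv4 addresses XORed with 0xFFFFFFFF (RFC 4380 section 4)
    return str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw)))


def build_teredo_address(server, flags, mapped_port, mapped_ip):
    """Assemble prefix | server IPv4 | flags | ~port | ~client IPv4."""
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, mapped_port ^ 0xFFFF)
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(mapped_ip).packed))
    return str(ipaddress.IPv6Address(raw))


def decode_teredo_address(addr):
    """Recover server, flags, mapped port and mapped client IPv4, or None."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_PREFIX:
        return None
    raw = ip6.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {"server": str(ipaddress.IPv4Address(raw[4:8])), "flags": flags,
            "mapped_port": obf_port ^ 0xFFFF, "mapped_ip": _unobfuscate_ipv4(raw[12:16])}


def build_ipv6(src, dst, next_header, payload=b"", hop_limit=64):
    """Minimal IPv6 header (version 6, no flow label) plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_authentication(client_id=b"", auth_value=b"", nonce=b"\x00" * 8, confirmation=0):
    """Authentication encapsulation: 0x0001, ID-len, AU-len, id, value, nonce, conf."""
    return (struct.pack("!HBB", 0x0001, len(client_id), len(auth_value))
            + client_id + auth_value + nonce + bytes([confirmation]))


def parse_teredo(payload):
    """Parse one UDP/3544 payload; ValueError if it is not Teredo-shaped."""
    info = {"auth": None, "origin": None}
    off = 0
    if payload[off:off + 2] == b"\x00\x01":       # authentication encapsulation comes first
        id_len, au_len = payload[off + 2], payload[off + 3]
        off += 4
        info["auth"] = {"client_id": payload[off:off + id_len],
                        "auth_value": payload[off + id_len:off + id_len + au_len]}
        off += id_len + au_len
        info["auth"]["nonce"] = payload[off:off + 8]
        info["auth"]["confirmation"] = payload[off + 8]
        off += 9
    if payload[off:off + 2] == b"\x00\x00":       # origin indication: ~port, ~IPv4
        obf_port = struct.unpack("!H", payload[off + 2:off + 4])[0]
        info["origin"] = {"port": obf_port ^ 0xFFFF,
                          "ip": _unobfuscate_ipv4(payload[off + 4:off + 8])}
        off += 8
    ip6 = payload[off:]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        raise ValueError("no IPv6 header after Teredo encapsulation")
    payload_len, next_header = struct.unpack("!HB", ip6[4:7])
    if len(ip6) != 40 + payload_len:
        raise ValueError("IPv6 payload length does not match datagram")
    src, dst, body = ipaddress.IPv6Address(ip6[8:24]), ipaddress.IPv6Address(ip6[24:40]), ip6[40:]
    if next_header == NH_NO_NEXT and payload_len == 0:
        kind = "bubble"                            # NAT keep-alive / hole punching
    elif next_header == NH_ICMPV6 and body and body[0] == ICMPV6_RS:
        kind = "router-solicitation"               # qualification procedure
    elif next_header == NH_ICMPV6 and body and body[0] == ICMPV6_RA:
        kind = "router-advertisement"
    else:
        kind = "data"
    info.update(kind=kind, src=str(src), dst=str(dst), next_header=next_header,
                src_teredo=decode_teredo_address(src), dst_teredo=decode_teredo_address(dst))
    return info


def is_teredo_shaped(payload):
    try:
        parse_teredo(payload)
        return True
    except ValueError:
        return False


# Constructed samples: a client-to-peer bubble and an authenticated router solicitation
SERVER = "192.0.2.10"
CLIENT = build_teredo_address(SERVER, 0x8000, 40000, "198.51.100.7")
PEER = build_teredo_address(SERVER, 0x0000, 51000, "203.0.113.5")
SAMPLE_BUBBLE = build_ipv6(CLIENT, PEER, NH_NO_NEXT)
SAMPLE_RS = build_authentication(nonce=bytes(range(8))) + build_ipv6(
    "fe80::1", "ff02::2", NH_ICMPV6, struct.pack("!BBHI", ICMPV6_RS, 0, 0, 0), hop_limit=255)

if __name__ == "__main__":
    for name, pkt in (("bubble", SAMPLE_BUBBLE), ("rs", SAMPLE_RS)):
        p = parse_teredo(pkt)
        print(name, p["kind"], p["src"], "->", p["dst"], p["origin"], p["src_teredo"])
```

Run it over the UDP payloads pulled from the capture. Datagrams that fail to parse are not Teredo at all, whatever the port says; datagrams that decode as bubbles show, through the un-obfuscated address fields, which server and which public IPv4/port the sender believes it is talking to, which is the first thing to compare against the host that actually received them.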

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
SEC 503 coming to central OH beginning 22 Feb, see here

Keywords: IPv6 teredo

Comments

Looks like most of my UDP/3544 traffic is destined for Microsoft-owned IP addresses
ex.
65.55.158.80/3544
65.55.158.81/3544
65.55.158.116/3544
65.55.158.117/3544
