* * * * *

                 I wonder what they think they're attacking?

In addition to a self-written gopher server [1], I also have a QOTD (Quote of
the Day) server [2] accepting requests via TCP (Transmission Control
Protocol) and UDP (User Datagram Protocol). I never mentioned it as I just
put it out there to really see what would happen. I will occasionally see a
request go by, but over the past two weeks, some people have really been
hitting it hard via UDP:

Table: Requests to the UDP QOTD server (over 1000 requests)
host address    requests
------------------------------
38.21.240.153   252628
113.113.120.152 18547
148.70.95.145   11529
150.138.92.17   11400
149.248.50.17   9917
123.129.223.133 9373
222.186.49.221  8689
39.105.122.74   8261
182.150.0.73    8098
47.107.64.105   7575
101.132.44.244  5745
170.33.8.193    5566
140.249.60.227  5520
61.160.207.99   5278
47.244.154.2    5084
23.107.43.194   5067
47.101.222.141  5066
47.101.169.118  5024
47.101.68.112   4449
47.102.135.146  4325
47.75.116.41    4200
47.244.36.42    4137
104.25.221.35   3638
144.48.125.176  3440
219.234.29.229  3402
125.88.186.186  3219
47.99.152.166   3167
39.108.51.161   3166
47.101.51.117   3161
210.83.80.21    3154
47.100.96.218   3139
47.101.200.97   3137
120.79.0.221    3090
47.100.183.18   2971
39.96.31.5      2944
47.98.38.120    2758
101.132.182.251 2756
47.107.123.238  2492
139.99.16.112   2290
47.101.157.245  2258
106.14.158.7    2226
47.100.234.2    2183
47.100.201.32   2090
120.79.40.9     2047
47.100.125.115  2037
101.132.37.45   1997
120.78.5.80     1985
47.101.68.50    1950
47.96.172.52    1915
20.188.110.231  1781
106.14.137.34   1118
119.188.250.37  1095

There doesn't seem to be much I can find about this, other than a potential
link to XBox Live [3], but that doesn't [4] seem right [5]. It's hard to say.
So to see what might be happening, I modified the QOTD program to record
anything it receives via UDP. That way, I should be able to figure out if
38.21.240.153 is trying to attack something, or if it really just wants an
up-to-date quotes file.
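
A sketch of that kind of recording, as an added example and not the author's QOTD program: a UDP handler that answers per RFC 865 but keeps each datagram's source and bytes, plus the per-host tally behind a table like the one above. The quote text, the function names and the three sample payloads are constructed for this illustration.

```python
import socket
import time
from collections import Counter

QUOTE = b"Constructed sample quote for this example.\r\n"

def handle_datagram(sock, log, counts):
    """Receive one datagram, record it, then answer as RFC 865 requires."""
    payload, (host, port) = sock.recvfrom(2048)
    counts[host] += 1
    # RFC 865 ignores whatever the client sent, so a plain server throws it away;
    # keeping the bytes is what lets you tell a quote client from something else.
    entry = {"time": time.time(), "host": host, "port": port,
             "length": len(payload), "hex": payload.hex()}
    log.append(entry)
    sock.sendto(QUOTE, (host, port))
    return entry

def hosts_over(counts, threshold=1000):
    """Per-host totals above the threshold, busiest first (the table's cut-off)."""
    return [(host, n) for host, n in counts.most_common() if n > threshold]

def demo():
    """Send three constructed payloads over loopback and return what was recorded."""
    log, counts, replies = [], Counter(), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind(("127.0.0.1", 0))      # ephemeral port; the real service is UDP 17
        server.settimeout(2)
        client.settimeout(2)
        for payload in (b"", b"\x00", b"quote please\n"):   # constructed samples
            client.sendto(payload, server.getsockname())
            handle_datagram(server, log, counts)
            replies.append(client.recvfrom(2048)[0])
    return log, counts, replies

if __name__ == "__main__":
    log, counts, _ = demo()
    for entry in log:
        print(entry["host"], entry["length"], entry["hex"])
    print(hosts_over(counts, threshold=2))
```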

[1] gopher://gopher.conman.org/0Phlog:2018/01/09.1
[2] https://www.ietf.org/rfc/rfc865.txt
[3] https://www.auditmypc.com/udp-port-17.asp
[4] https://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live
[5] https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
