  • Use Case Reference : SUC011
  • Use Case Title : Activities on 62550/UDP destination port
  • Use Case Detection : Firewall / IDS
  • Targeted Attack : N/A
  • Identified tool(s) : BitTorrent clients
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 62550/UDP
Payload example :
000 : 64 31 3A 61 64 32 3A 69 64 32 30 3A AC 41 FC A5   d1:ad2:id20:.A..
010 : 70 55 ED 54 F8 0A 70 A8 C0 A0 DB D9 55 69 BE 5A   pU.T..p.....Ui.Z
020 : 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A B8   e1:q4:ping1:t4:.
030 : 8F 00 00 31 3A 76 34 3A 55 54 48 38 31 3A 79 31   ...1:v4:UTH81:y1
040 : 3A 71 65                                          :qe
Possible correlation(s) :
  • P2P BitTorrent DHT Queries for Trackerless Torrents

Source(s) :

These activities are genuine false positives if they match the "d1:ad2:id20" UDP content. You can ignore them; to stop receiving this kind of activity, we recommend blocking ICMP responses on your servers.

24 hours destination port 62550 events

1 week destination port 62550 events

1 month destination port 62550 events

1 year destination port 62550 events

Source ports distribution for destination port 62550

Source countries distribution for destination port 62550