- Use Case Reference : SUC011
- Use Case Title : Activities on 6250/UDP destination port
- Use Case Detection : Firewall / IDS
- Targeted Attack : N/A
- Identified tool(s) : BitTorrent clients
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 62550/UDP
Payload example :
000 : 64 31 3A 61 64 32 3A 69 64 32 30 3A AC 41 FC A5   d1:ad2:id20:.A..
010 : 70 55 ED 54 F8 0A 70 A8 C0 A0 DB D9 55 69 BE 5A   pU.T..p.....Ui.Z
020 : 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A B8   e1:q4:ping1:t4:.
030 : 8F 00 00 31 3A 76 34 3A 55 54 48 38 31 3A 79 31   ...1:v4:UTH81:y1
040 : 3A 71 65                                          :qe
Possible correlation(s) :
- P2P BitTorrent DHT Queries for Trackerless Torrents
Source(s) :
These activities are genuine false positives if they match the “d1:ad2:id20” UDP content (a bencoded BitTorrent DHT ping query). You can ignore them, and to stop receiving this kind of activity we recommend that you block ICMP responses on your servers.
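As an added example (not part of this use case entry), the following Python parses a UDP payload as bencode and only classifies it as a DHT ping query when the whole message is well formed (y = "q", q = "ping", 20-byte node id), rather than relying on the "d1:ad2:id20" prefix alone; the sample payload is the one reassembled from the hex dump above, and the function and variable names are this example's own.

```python
# Added example: minimal bencode decoder plus a classifier for the
# BitTorrent DHT "ping" query shown in the use case. Not the page's own code.

def bdecode(data, pos=0):
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                       # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    colon = data.index(b":", pos)       # byte string: <len>:<bytes>
    length = int(data[pos:colon])
    start = colon + 1
    return data[start:start + length], start + length

def classify_dht_ping(payload):
    """Return details of a well-formed DHT ping query, or None for anything else."""
    if not payload.startswith(b"d1:ad2:id20:"):   # the content match used in the use case
        return None
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):               # truncated or malformed bencode
        return None
    if end != len(payload) or not isinstance(msg, dict):
        return None
    if msg.get(b"y") != b"q" or msg.get(b"q") != b"ping":
        return None
    args = msg.get(b"a")
    node_id = args.get(b"id", b"") if isinstance(args, dict) else b""
    if len(node_id) != 20:                         # DHT node ids are 160 bits
        return None
    return {
        "node_id": node_id.hex(),
        "transaction_id": msg.get(b"t", b"").hex(),
        "client_version": msg.get(b"v", b"").decode("ascii", "replace"),
    }

# Payload from the use case's hex dump, reassembled into bytes.
PAGE_PAYLOAD = bytes.fromhex(
    "64313a6164323a696432303a" "ac41fca57055ed54f80a70a8c0a0dbd95569be5a"
    "65313a71343a70696e67313a74343ab88f0000313a76343a55544838313a79313a7165"
)
```

Anything that matches the prefix but fails to decode, carries a different query type, or has a malformed node id is returned as None and so can be routed to normal triage instead of being dropped as a known false positive.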