Lots of UDP traffic from Internet, why?

Answered Question
Jul 20th, 2009

One of my computers behind the ASA 5505 is receiving lots of UDP traffic for Port# 32642 from the Internet. I think the PC is under some kind of attack. How do I block it through the ASA 5505 ACL? Here is part of the log. Thanks for your advice.

UDP out 122.121.200.216:26028 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 74.105.47.22:44376 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 61.18.162.210:11198 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 86.153.120.153:46972 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 87.99.35.193:41842 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 95.42.95.128:36832 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 91.113.1.20:22934 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 218.83.218.132:8679 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 84.52.183.101:58947 in 192.168.103.2:32642 idle 0:00:00 flags -

UDP out 95.84.147.92:47984 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 151.33.164.240:28052 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 211.238.168.107:47356 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 213.190.208.9:24330 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 130.226.70.86:35657 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 79.160.192.19:51413 in 192.168.103.2:32642 idle 0:00:01 flags -

UDP out 87.105.235.130:17094 in 192.168.103.2:32642 idle 0:00:02 flags -

UDP out 173.89.33.81:63152 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 77.123.103.103:21660 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 117.27.67.69:16881 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 68.196.32.50:49495 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 196.221.188.28:21937 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 94.99.39.154:64230 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 125.87.66.223:36291 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 173.35.181.187:20824 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 121.14.211.153:16001 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 89.39.165.252:48475 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 194.154.88.38:65068 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 94.255.128.55:55007 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 85.244.41.158:10007 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 80.67.14.79:58504 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 89.75.88.92:34759 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 114.43.186.32:26120 in 192.168.103.2:32642 idle 0:00:03 flags -

UDP out 89.244.106.127:32901 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 91.146.49.73:64020 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 205.250.63.254:4041 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 202.28.5.51:47843 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 67.240.86.65:7569 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 222.167.245.53:21788 in 192.168.103.2:32642 idle 0:00:04 flags -

UDP out 117.34.151.73:30538 in 192.168.103.2:32642 idle 0:00:04 flags -

Correct Answer
Ivan Martinon Tue, 07/21/2009 - 07:18

Looking on Google for this port, it seems this PC has a P2P program called Ares. You might want to check if that is true, and if this is the case, then the PC is generating those connections out to the Internet and not the Internet into this PC, hence you will need to block it accordingly.

davidwu2007 Tue, 07/21/2009 - 12:16

Thanks, it was the P2P named BitTorrent that caused so many UDP connections. It's much better after I removed it from that workstation.
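
A way to triage a connection table like the one quoted in the question, as an added example that is not part of the original thread: it groups entries by inside address and port and reports any inside endpoint that talks to many distinct remote peers on scattered remote ports, the pattern the answer attributes to a P2P client. The function names, the `min_peers` threshold and the sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line format as quoted in the question: "<proto> out <ip>:<port> in <ip>:<port> idle ..."
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+"
)

# Constructed sample (documentation address ranges, not the poster's log).
SAMPLE = """\
UDP out 198.51.100.7:26028 in 192.0.2.10:32642 idle 0:00:00 flags -
UDP out 198.51.100.19:44376 in 192.0.2.10:32642 idle 0:00:00 flags -
UDP out 203.0.113.5:11198 in 192.0.2.10:32642 idle 0:00:01 flags -
UDP out 203.0.113.77:46972 in 192.0.2.10:32642 idle 0:00:01 flags -
UDP out 198.51.100.140:41842 in 192.0.2.10:32642 idle 0:00:03 flags -
UDP out 203.0.113.201:36832 in 192.0.2.10:32642 idle 0:00:04 flags -
UDP out 198.51.100.53:53 in 192.0.2.20:50001 idle 0:00:02 flags -
UDP out 198.51.100.53:53 in 192.0.2.20:50002 idle 0:00:05 flags -
TCP out 203.0.113.80:443 in 192.0.2.20:50110 idle 0:00:09 flags UIO
""".splitlines()

def summarize(lines):
    """Group entries by (proto, inside ip, inside port) and collect remote peers."""
    groups = defaultdict(lambda: {"entries": 0, "peers": set(), "peer_ports": set()})
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip blank lines, headers and other command output
        g = groups[(m["proto"], m["in_ip"], int(m["in_port"]))]
        g["entries"] += 1
        g["peers"].add(m["out_ip"])
        g["peer_ports"].add(int(m["out_port"]))
    return groups

def fanout_suspects(lines, min_peers=5):
    """Inside endpoints where one local port has many distinct peers on mostly
    distinct remote ports; min_peers is an assumed threshold to tune per site."""
    out = []
    for (proto, ip, port), g in summarize(lines).items():
        scattered = len(g["peer_ports"]) >= 0.8 * g["entries"]
        if len(g["peers"]) >= min_peers and scattered:
            out.append((proto, ip, port, len(g["peers"])))
    return sorted(out, key=lambda r: -r[3])

if __name__ == "__main__":
    for proto, ip, port, peers in fanout_suspects(SAMPLE):
        print(f"{proto} {ip}:{port} has {peers} distinct peers; check this host for P2P software")
```

A flagged endpoint identifies the workstation and local port to inspect for the listening application before writing any ACL.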
