slapper changed to udp 1812?


I might be totally off the mark here, but has slapper now changed to port
1812? This'll make it really difficult to filter, if you're using this
port for RADIUS.

I'm seeing huge volumes of traffic, to what seem to be slapper infected

I see 2 infected hosts, with 2343 and 2384 unique source addresses
speaking to each of them respectively. I'm unable to do actual dumps of
the data at this stage, so if anyone could either confirm, or tell me I'm
off my rocker, would appreciate it.

I've checked a few source and destination IPs, and they all seem to be
*nix, with outdated ssl, for example:

Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b
DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

netflow shows:

  index: 0xc7ffff
  src IP:
  Dst IP:
  input ifIndex: 18
  output ifIndex: 24
  src port: 1812
  dst port: 1812
  pkts: 1
  bytes: 88
  IP nexthop:
  start time: Tue Oct 1 18:38:12 2002
  end time: Tue Oct 1 18:38:12 2002
  protocol: 17
  tos: 32
  src AS: 701
  dst AS:
  src masklen: 19
  dst masklen: 24
  TCP flags: 0x10
  engine type: 0
  engine id: 0



We saw this yesterday, directed at a previously infected slapper.a
(2002/udp backchannel) host on a customer's network, and I sent the
captured info to CERT to see what they made of it.

I didn't know if it was the slapper communications channel, or one of the
triggered DDOSs from slapper.
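
An added example, not part of either post: one way to reproduce the per-destination count of unique sources on udp/1812 from flow records in the "key: value" layout quoted in the first message, while leaving out addresses that are expected RADIUS clients. The function names, the threshold, the allowlist, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

RADIUS_PORT = 1812  # udp port discussed in the thread
UDP = 17            # "protocol: 17" in the quoted record

def parse_flows(text):
    """Parse 'key: value' flow dumps into dicts; each record starts at 'index:'."""
    flows, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "index":
            cur = {}
            flows.append(cur)
        if cur is not None:
            cur[key] = val.strip()
    return flows

def fan_in(flows, known_clients=frozenset(), threshold=3):
    """Return {dst: unique source count} for udp/1812 destinations reached by
    at least `threshold` sources that are not in the RADIUS client allowlist."""
    srcs = defaultdict(set)
    for f in flows:
        try:
            proto, dport = int(f["protocol"]), int(f["dst port"])
        except (KeyError, ValueError):
            continue  # incomplete record
        src, dst = f.get("src ip", ""), f.get("dst ip", "")
        if proto != UDP or dport != RADIUS_PORT or not src or not dst:
            continue  # wrong protocol/port, or address missing from the dump
        if src not in known_clients:
            srcs[dst].add(src)
    return {d: len(s) for d, s in srcs.items() if len(s) >= threshold}

def _rec(src, dst, sport, dport, proto=17):
    return (f"  index: 0x0\n  src IP: {src}\n  Dst IP: {dst}\n"
            f"  src port: {sport}\n  dst port: {dport}\n  protocol: {proto}\n")

# Constructed sample flows (RFC 5737 documentation addresses, not from the thread).
SAMPLE = "".join(
    [_rec(f"203.0.113.{i}", "192.0.2.10", 1812, 1812) for i in range(1, 6)]
    + [_rec("198.51.100.7", "192.0.2.20", 40123, 1812)]         # one RADIUS client
    + [_rec("203.0.113.9", "192.0.2.10", 1812, 1812, proto=6)]  # not UDP, ignored
    + [_rec("", "192.0.2.10", 1812, 1812)]                      # no source, skipped
)

if __name__ == "__main__":
    print(fan_in(parse_flows(SAMPLE), known_clients={"198.51.100.7"}))
```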