Incidents

Tracking down random ICMP  Jan 22 2007 01:19PM  Craig Chamberlain (craig chamberlain Q1Labs com)  (3 replies)
Re: Tracking down random ICMP  Jan 23 2007 03:32PM  Valdis Kletnieks vt edu  (2 replies)
Re: Tracking down random ICMP  Jan 25 2007 12:13PM  Javier Fernández-Sanguino (jfernandez germinus com)  (1 replies)
Re: Tracking down random ICMP  Jan 25 2007 05:20PM  Valdis Kletnieks vt edu  (2 replies)
Re: Tracking down random ICMP  Jan 23 2007 09:37PM  Jose Nazario (jose monkey org)  (1 replies)

are blowback, remote hosts responding to traffic where an
address in our block was forged as the source. These are
most often ICMP Port Unreachables generated by UDP Windows
Messenger spam, with SYN-ACKs from port 80 running a distant
second.
Within the last 24-48 hours, I've noticed something new:
significant numbers of SYN-ACKs from port 31800, and a
smaller number from 31900, from less than a dozen addresses
scattered around the Internet. None of those addresses has
yet resolved via rDNS.
My working theory -- unless someone can suggest a better
one -- is that these handful of hosts are under a spoofed
(might or might not be distributed) DoS attack.
"Count" is roughly how many packets came to our Class B
block in 9 hours.
IP Address        Port   Count
60.31.208.10      31800  3100
60.190.108.57     31800  3500
60.191.0.2        31800  26     (late start)
61.142.160.181    31800  4200
124.243.201.171   31800  3100
125.64.16.79      31800  4500
There don't seem to have been any 31900 packets in this sample.
When I saw the 31900s, it seemed that those targets were a separate
set, and no IP address was associated with both 31800 and 31900
traffic. (I do have some captured headers that would include
them, but that was before I was really watching for them and so
the volume data wouldn't be reliable.)
4500 packets in 9 hours is about 500 an hour. If the source
addresses are spoofed at random, and this sample is for a single
Class B block, then we could guestimate that the target IP that's
putting out the SYN-ACKs is seeing about 32 million SYNs an hour,
half a million a minute, or 8000-odd per second -- that it is
managing to send SYN-ACKs for.
David Gillett
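The estimate at the end of the post (scale the backscatter count seen by one Class B up to the whole IPv4 space, then divide by the observation window) is a standard way of inferring a spoofed-source flood's size from the SYN-ACKs that land on your own darkspace. The following is an added example, not code from the original post or its author; it assumes, as the post does, that forged source addresses are drawn uniformly from the full 32-bit space, that the monitoring block is a /16, and that a packet from a source port with no legitimate service is backscatter rather than a reply to real traffic. The table rows are the counts quoted in the post, reused as constructed sample input; the threshold and the `monitor_block` value are assumptions chosen for illustration.

```python
"""Estimate a flood victim's attack rate from backscatter seen in one /16.

Added example, not from the original post. Assumption: spoofed source
addresses are uniform over IPv4, so the fraction of a victim's replies that
hit a monitored block is block_size / 2**32.
"""
import ipaddress
from dataclasses import dataclass

IPV4_SPACE = 2 ** 32

# Constructed sample: the per-source SYN-ACK counts quoted in the post,
# observed over a 9-hour window on a single /16 (Class B) block.
SAMPLE_ROWS = [
    ("60.31.208.10", 31800, 3100),
    ("60.190.108.57", 31800, 3500),
    ("60.191.0.2", 31800, 26),        # late start, undercounted
    ("61.142.160.181", 31800, 4200),
    ("124.243.201.171", 31800, 3100),
    ("125.64.16.79", 31800, 4500),
]

# Reply types that are characteristic of blowback from forged sources:
# a SYN-ACK or RST answering a SYN we never sent, or an ICMP port
# unreachable (type 3, code 3) answering a UDP datagram we never sent.
BACKSCATTER_SIGNATURES = {
    ("tcp", "SA"),          # SYN-ACK
    ("tcp", "R"),           # RST
    ("tcp", "RA"),          # RST-ACK
    ("icmp", "3/3"),        # destination unreachable / port unreachable
}


def is_backscatter(proto: str, flags_or_type: str) -> bool:
    """Classify a single observed packet as likely blowback."""
    return (proto.lower(), flags_or_type) in BACKSCATTER_SIGNATURES


def scale_factor(monitor_block: str) -> int:
    """How many times larger IPv4 is than the block we can observe."""
    net = ipaddress.ip_network(monitor_block, strict=False)
    return IPV4_SPACE // net.num_addresses


def estimate_rate(observed: int, hours: float, monitor_block: str = "0.0.0.0/16") -> float:
    """Estimated replies per second the victim is emitting in total."""
    return observed * scale_factor(monitor_block) / (hours * 3600)


@dataclass
class Candidate:
    src: str
    port: int
    observed: int
    est_per_sec: float


def analyze(rows, hours: float, monitor_block: str = "0.0.0.0/16", min_pps: float = 1000.0):
    """Rank sources by inferred attack rate and drop those below min_pps.

    Sources below the threshold are still worth keeping in raw logs; they
    may be late starters (as the 26-packet row is) or non-uniform spoofing.
    """
    candidates = [
        Candidate(src, port, count, estimate_rate(count, hours, monitor_block))
        for src, port, count in rows
    ]
    candidates.sort(key=lambda c: c.est_per_sec, reverse=True)
    return [c for c in candidates if c.est_per_sec >= min_pps]


if __name__ == "__main__":
    print(f"one /16 sees 1 in {scale_factor('0.0.0.0/16')} spoofed-source replies")
    for c in analyze(SAMPLE_ROWS, hours=9):
        print(f"{c.src:16} port {c.port}  observed {c.observed:5d}  "
              f"~{c.est_per_sec:,.0f} SYN-ACK/s at the victim")
```

The multiplier is the whole point: 4500 packets in 9 hours looks like noise on a /16, but scaled by 65536 it implies roughly 9,000 SYN-ACKs per second leaving the victim, which is the "8000-odd per second" figure in the post. The estimate is a lower bound on the attack, since it counts only the SYNs the victim still manages to answer, and it is only as good as the uniform-spoofing assumption; a flood that spoofs from a narrower range will be over- or under-estimated depending on whether your block falls inside it.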