Incidents
Tracking down random ICMP Jan 22 2007 01:19PM
Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies)
Re: Tracking down random ICMP Feb 02 2007 11:25PM
Frank Knobbe (frank knobbe us)
Re: Tracking down random ICMP Jan 23 2007 03:32PM
Valdis Kletnieks vt edu (2 replies)
Re: Tracking down random ICMP Jan 25 2007 12:13PM
Javier Fernández-Sanguino (jfernandez germinus com) (1 replies)
Re: Tracking down random ICMP Jan 25 2007 05:20PM
Valdis Kletnieks vt edu (2 replies)
DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM
David Gillett (gillettdavid fhda edu) (1 replies)
A certain amount of the packets that arrive at our gateway
are blowback, remote hosts responding to traffic where an
address in our block was forged as the source. These are
most often ICMP Port Unreachables generated by UDP Windows
Messenger spam, with SYN-ACKs from port 80 running a distant
second.

Within the last 24-48 hours, I've noticed something new:
significant numbers of SYN-ACKs from port 31800, and a
smaller number from 31900, from less than a dozen addresses
scattered around the Internet. None of those addresses has
yet resolved via rDNS.

My working theory -- unless someone can suggest a better
one -- is that this handful of hosts is under a spoofed
(might or might not be distributed) DoS attack.

"Count" is roughly how many packets came to our Class B
block in 9 hours.

IP Address       Port   Count
60.31.208.10     31800   3100
60.190.108.57    31800   3500
60.191.0.2       31800     26  (late start)
61.142.160.181   31800   4200
124.243.201.171  31800   3100
125.64.16.79     31800   4500

There don't seem to have been any 31900 packets in this sample.
When I saw the 31900s, it seemed that those targets were a separate
set, and no IP address was associated with both 31800 and 31900
traffic. (I do have some captured headers that would include
them, but that was before I was really watching for them and so
the volume data wouldn't be reliable.)

4500 packets in 9 hours is about 500 an hour. If the source
addresses are spoofed at random, and this sample is for a single
Class B block, then we could guesstimate that the target IP that's
putting out the SYN-ACKs is seeing about 32 million SYNs an hour,
half a million a minute, or 8000-odd per second -- that it is
managing to send SYN-ACKs for.

David Gillett

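The triage the post describes (separating unsolicited SYN-ACKs from replies our own hosts asked for, tallying them per remote address and port, and extrapolating from the share of address space one block represents) can be scripted. The example below is added here and is not the poster's code; it assumes a simple whitespace-separated log of inbound TCP headers, a record of the connections hosts inside the block actually opened, and a stand-in /16 from the RFC 2544 benchmarking range. The rate estimate follows the post's own assumption that spoofed source addresses are drawn uniformly from the whole IPv4 space.

```python
"""Backscatter triage for unsolicited SYN-ACKs arriving at a monitored block.

Added example, not from the original mailing-list post. Assumptions:
  - inbound packets are logged as "src_ip src_port dst_ip dst_port flags";
  - we have a record of outbound SYNs our own hosts sent, so a SYN-ACK can be
    matched to the connection that solicited it;
  - the monitored block is a /16 (the post's "Class B").
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a /16 we monitor (RFC 2544 benchmarking range).
MONITORED = ip_network("198.18.0.0/16")

# Constructed inbound header log (not real capture data).
# Fields: src_ip src_port dst_ip dst_port tcp_flags   (S = SYN, A = ACK)
SAMPLE_LOG = """\
60.31.208.10 31800 198.18.4.17 45021 SA
60.31.208.10 31800 198.18.200.3 51930 SA
125.64.16.79 31800 198.18.9.250 40001 SA
125.64.16.79 31800 198.18.77.12 33112 SA
125.64.16.79 31800 198.18.130.9 60880 SA
198.51.100.7 80 198.18.1.10 52222 SA
198.51.100.7 80 198.18.1.10 52223 SA
203.0.113.9 31900 198.18.250.1 12000 S
"""

# Constructed record of connections our hosts really opened:
# (local_ip, local_port, remote_ip, remote_port)
OUTBOUND_SYNS = {
    ("198.18.1.10", 52222, "198.51.100.7", 80),
    ("198.18.1.10", 52223, "198.51.100.7", 80),
}


def parse_line(line):
    """Split one log line into a packet dict."""
    src, sport, dst, dport, flags = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": flags}


def is_syn_ack(pkt):
    """True when exactly SYN and ACK are set (the second handshake step)."""
    return set(pkt["flags"]) == {"S", "A"}


def backscatter_by_source(log_text, outbound_syns, monitored=MONITORED):
    """Tally SYN-ACKs that no host in the block solicited.

    Returns {(remote_ip, remote_port): {"packets": n, "targets": set(local ips)}}.
    A remote host answering many distinct local addresses we never contacted
    is the backscatter signature of a victim being hit with our block's
    addresses forged as the source.
    """
    stats = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if not is_syn_ack(pkt) or ip_address(pkt["dst"]) not in monitored:
            continue
        # Reverse the four-tuple: did one of our hosts send the matching SYN?
        if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in outbound_syns:
            continue  # solicited reply, not backscatter
        entry = stats[(pkt["src"], pkt["sport"])]
        entry["packets"] += 1
        entry["targets"].add(pkt["dst"])
    return dict(stats)


def estimate_victim_rate(packets, hours, prefixlen=16):
    """Extrapolate from backscatter seen in one prefix to the victim's reply rate.

    Assumes spoofed sources are uniform over all 2**32 IPv4 addresses, so our
    block sees 2**(32 - prefixlen) / 2**32 of the replies.
    Returns (replies_per_hour, replies_per_second).
    """
    share = 2 ** (32 - prefixlen) / 2 ** 32
    per_hour = packets / hours / share
    return per_hour, per_hour / 3600


if __name__ == "__main__":
    hits = backscatter_by_source(SAMPLE_LOG, OUTBOUND_SYNS)
    for (ip, port), s in sorted(hits.items()):
        print(f"{ip}:{port}  {s['packets']} SYN-ACKs to "
              f"{len(s['targets'])} distinct local hosts never contacted")
    per_hour, per_sec = estimate_victim_rate(4500, 9)   # the post's 125.64.16.79 figures
    print(f"victim answering roughly {per_hour:,.0f} SYNs/hour ({per_sec:,.0f}/s)")
```

The solicited-versus-unsolicited split is the part worth keeping: without a record of outbound SYNs, legitimate replies to our own web clients (port 80 in the sample) would inflate the counts. The distinct-target figure is the stronger indicator, since a single remote host replying to many addresses in the block that never spoke to it is what the post is seeing.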
Re: DoS attacks using ports 31800, 31900 ? Feb 06 2007 03:36PM
Deapesh Misra (deapesh gmail com)
Attempted FTP intrusion Jan 31 2007 05:43PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: Attempted FTP intrusion Jan 31 2007 10:09PM
Tillmann Werner (tillmann werner gmx de)
Re: Tracking down random ICMP Jan 23 2007 09:37PM
Jose Nazario (jose monkey org) (1 replies)
Re: Tracking down random ICMP Jan 24 2007 01:05AM
Bojan Zdrnja (bojan zdrnja gmail com) (1 replies)
Re: Tracking down random ICMP Feb 09 2007 12:17AM
Jean-Baptiste Marchand (jbm lists gmail com)
Re: Tracking down random ICMP Jan 23 2007 03:50AM
Kyle Maxwell (krmaxwell gmail com)
Copyright 2010, SecurityFocus