Incidents
DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM David Gillett (gillettdavid fhda edu)
> A certain amount of the packets that arrive at our gateway
> are blowback, remote hosts responding to traffic where an
> address in our block was forged as the source. These are
> most often ICMP Port Unreachables generated by UDP Windows
> Messenger spam, with SYN-ACKs from port 80 running a distant
> second.
>
> Within the last 24-48 hours, I've noticed something new:
> significant numbers of SYN-ACKs from port 31800, and a
> smaller number from 31900, from less than a dozen addresses
> scattered around the Internet. None of those addresses has
> yet resolved via rDNS.
<SNIP>
> IP Address Port Count
>
> 60.31.208.10 31800 3100
> 60.190.108.57 31800 3500
> 60.191.0.2 31800 26 late start
> 61.142.160.181 31800 4200
> 124.243.201.171 31800 3100
> 125.64.16.79 31800 4500
>
<SNIP>
> David Gillett
It is interesting to note that all these IP addresses are located in
the same country - China.
If you look at the port report for port 31900 from ISC SANS, it shows
a peak in the same date range you saw this happen:
http://isc.sans.org/port.html?port=31900
_____________________________
-Deapesh Misra
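Added example, not part of the original thread: one way to produce a per-source tally like the one quoted above is to count SYN-ACKs arriving in your block that answer no SYN you were seen sending. The capture lines, the 192.0.2.0/24 "our block" and the remote addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump -nn style sample. 192.0.2.0/24 stands in for "our block";
# the remote hosts are documentation addresses, not the ones listed in the post.
SAMPLE = """\
12:00:01.000 IP 192.0.2.10.40112 > 198.51.100.7.80: Flags [S], seq 100, length 0
12:00:01.050 IP 198.51.100.7.80 > 192.0.2.10.40112: Flags [S.], seq 900, ack 101, length 0
12:00:02.000 IP 203.0.113.5.31800 > 192.0.2.77.1045: Flags [S.], seq 5, ack 1, length 0
12:00:02.100 IP 203.0.113.5.31800 > 192.0.2.78.2210: Flags [S.], seq 6, ack 1, length 0
12:00:02.200 IP 203.0.113.5.31800 > 192.0.2.200.3377: Flags [S.], seq 7, ack 1, length 0
12:00:03.000 IP 203.0.113.9.31900 > 192.0.2.14.1188: Flags [S.], seq 8, ack 1, length 0
12:00:04.000 IP 198.51.100.7.80 > 192.0.2.31.5050: Flags [S.], seq 9, ack 1, length 0
12:00:05.000 IP 203.0.113.5.31800 > 192.0.2.77.1045: Flags [R], seq 10, length 0
"""

LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def unsolicited_synacks(capture, our_block="192.0.2.0/24"):
    """Tally SYN-ACKs into our block that answer no SYN we were seen sending."""
    net = ipaddress.ip_network(our_block)
    sent_syn = set()      # (local ip, local port, remote ip, remote port)
    tally = Counter()     # (remote ip, remote source port) -> count
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and ipaddress.ip_address(src) in net:
            sent_syn.add((src, sport, dst, dport))       # a handshake we started
        elif flags == "S." and ipaddress.ip_address(dst) in net:
            if (dst, dport, src, sport) not in sent_syn:  # nothing asked for this
                tally[(src, int(sport))] += 1
    return tally

def report(tally):
    """Rows of (ip, port, count), largest count first, like the table in the post."""
    return sorted(((ip, port, n) for (ip, port), n in tally.items()),
                  key=lambda row: (-row[2], row[0], row[1]))

if __name__ == "__main__":
    for ip, port, n in report(unsolicited_synacks(SAMPLE)):
        print(f"{ip:<16} {port:<6} {n}")
```

The capture has to come from a point that sees both directions of your traffic; otherwise legitimate outbound connections will be counted as blowback.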