Incidents
DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: DoS attacks using ports 31800, 31900 ? Feb 06 2007 03:36PM
Deapesh Misra (deapesh gmail com)
On 2/2/07, David Gillett <gillettdavid (at) fhda (dot) edu> wrote:
> A certain amount of the packets that arrive at our gateway
> are blowback, remote hosts responding to traffic where an
> address in our block was forged as the source. These are
> most often ICMP Port Unreachables generated by UDP Windows
> Messenger spam, with SYN-ACKs from port 80 running a distant
> second.
>
> Within the last 24-48 hours, I've noticed something new:
> significant numbers of SYN-ACKs from port 31800, and a
> smaller number from 31900, from less than a dozen addresses
> scattered around the Internet. None of those addresses has
> yet resolved via rDNS.

<SNIP>

> IP Address        Port    Count
>
> 60.31.208.10      31800   3100
> 60.190.108.57     31800   3500
> 60.191.0.2        31800     26   late start
> 61.142.160.181    31800   4200
> 124.243.201.171   31800   3100
> 125.64.16.79      31800   4500
>
<SNIP>

> David Gillett

It is interesting to note that all these IP addresses are located in
the same country - China.

If you look at the port report for port 31900 from ISC SANS, it shows
a peak in the same date range you saw this happen:
http://isc.sans.org/port.html?port=31900

_____________________________
-Deapesh Misra
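
An added example, not part of the original post or thread: one way to separate the blowback SYN-ACKs described in the quoted message from genuine handshake replies at a gateway, and to tally them per remote address and source port as in the quoted table. The local block (192.0.2.0/24), the remote addresses and the sample capture lines are constructed for illustration; only ports 80, 31800 and 31900 come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumption: our address block (RFC 5737 documentation range, not from the post).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Matches tcpdump -n style lines: "IP src.sport > dst.dport: Flags [S.]"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Z.]+)\]"
)

def tally_backscatter(lines):
    """Count inbound SYN-ACKs that answer no SYN we actually sent."""
    pending = set()      # (local_ip, local_port, remote_ip, remote_port) of outbound SYNs
    counts = Counter()   # (remote_ip, remote_port) -> unsolicited SYN-ACK count
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        src_local = ipaddress.ip_address(src) in LOCAL_NET
        dst_local = ipaddress.ip_address(dst) in LOCAL_NET
        if flags == "S" and src_local and not dst_local:
            pending.add((src, sport, dst, dport))
        elif flags == "S." and dst_local and not src_local:
            if (dst, dport, src, sport) in pending:
                pending.discard((dst, dport, src, sport))  # genuine handshake reply
            else:
                counts[(src, sport)] += 1                   # reply to a forged SYN
    return counts

# Constructed sample capture (addresses are documentation ranges).
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.40000 > 198.51.100.7.80: Flags [S], seq 1
12:00:01.050000 IP 198.51.100.7.80 > 192.0.2.10.40000: Flags [S.], seq 9, ack 2
12:00:02.000000 IP 203.0.113.5.31800 > 192.0.2.77.1234: Flags [S.], seq 5, ack 6
12:00:02.100000 IP 203.0.113.5.31800 > 192.0.2.78.4321: Flags [S.], seq 5, ack 7
12:00:03.000000 IP 203.0.113.9.31900 > 192.0.2.12.2222: Flags [S.], seq 8, ack 3
12:00:04.000000 IP 203.0.113.5.31800 > 192.0.2.77.1234: Flags [R], seq 6
""".splitlines()

if __name__ == "__main__":
    for (ip, port), n in tally_backscatter(SAMPLE).most_common():
        print(f"{ip:<16} {port:<6} {n}")
```

The capture point has to see both directions; with asymmetric routing, genuine replies would be counted as unsolicited.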

Copyright 2010, SecurityFocus