Security Basics mailing list archives
Re: Tons of Source port 80 to random Dest Port Traffic
From: Tadej <tadej.securityfocus () gmail com>
Date: Tue, 13 Jun 2006 13:11:08 +0200
That's a little late, but I hope it might help in understanding the case. It has nothing to do with portscan, you are a victim of a DDoS attack. I checked some of the sources in your logs. They all run an http server on standard port TCP/80. They are sending you SYN/ACKs.

So what is going on? Somebody is sending SYN packets to all of these web servers. The source IP of these packets is spoofed, and the packets look like they are coming from your IP. So the web server receives a SYN packet, and replies with a SYN/ACK. And that is what you're getting. This is some kind of "smurf attack" (http://en.wikipedia.org/wiki/Smurf_attack), only instead of ICMP it uses TCP packets. You can find a very nice article about a similar attack on grc.com at http://www.grc.com/dos/drdos.htm.

Since it is spoofed, this kind of attack is very hard to investigate and stop. The best solution I can think of is if you could contact your ISP and ask them to filter all incoming traffic from source port TCP/80 to your IP. But then you would lose all legitimate http traffic :-( (alternatively you could use some web proxy for http traffic, until the attack stops).

Regards,
Tadej

On 06/08/2006 03:42 PM Tom Hayden said the following:
> As a resolution to the above issue: The traffic continues, however after further investigation it is nothing more than portscan traffic. I'm not 100% positive but I'm willing to bet there is some kind of vulnerability in the specific consumer equipment and it is seeking out new targets randomly.
>
> --
> Tom Hayden
>
> On 6/2/06, Deapesh Misra <deapesh () gmail com> wrote:
>> Hi,
>>
>> On 5/18/06, Tom Hayden <haydenth () msu edu> wrote:
>>> Attached is a quick short summary of traffic my server ( xx.xx.xx.xx ) has been bombarded with lately. It's a short dump from tethereal. I can't seem to figure it out - just tons and tons of traffic coming from a source port of 80 to seemingly random dest. ports. Can someone help me identify this?
>>
>> I would like to know if the problem was resolved or not and the learnings from that. It seems to be interesting !!
>>
>> thanks,
>> Deapesh.
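The check Tadej's diagnosis implies, as an added example that is not part of the original thread: unsolicited SYN/ACKs from port 80, arriving from many different hosts and hitting many different local ports, with no matching outbound SYN, are reflected backscatter from spoofed SYNs rather than a portscan. The tethereal-style summary format and the addresses are constructed assumptions for illustration.

```python
import re

# Constructed tethereal-style summary lines (not from the original thread).
# Assumed format: "<time> <src> -> <dst> TCP <sport> > <dport> [<flags>]"
SAMPLE_LINES = """\
0.001 203.0.113.10 -> 192.0.2.5 TCP 80 > 41233 [SYN, ACK]
0.002 198.51.100.7 -> 192.0.2.5 TCP 80 > 6021 [SYN, ACK]
0.003 203.0.113.44 -> 192.0.2.5 TCP 80 > 55901 [SYN, ACK]
0.004 192.0.2.5 -> 198.51.100.9 TCP 50000 > 80 [SYN]
0.005 198.51.100.9 -> 192.0.2.5 TCP 80 > 50000 [SYN, ACK]
0.006 203.0.113.10 -> 192.0.2.5 TCP 80 > 1187 [SYN, ACK]
0.007 203.0.113.99 -> 192.0.2.5 TCP 80 > 30222 [SYN, ACK]
""".splitlines()

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\S+) -> (?P<dst>\S+) TCP (?P<sport>\d+) > (?P<dport>\d+) "
    r"\[(?P<flags>[^\]]*)\]$"
)

def parse(line):
    """Parse one summary line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = {f.strip() for f in d["flags"].split(",")}
    return d

def analyse(lines, my_ip):
    """Return (unsolicited SYN/ACK count, set of reflector IPs, set of local ports hit)."""
    sent_syns = set()        # (local port, remote ip) for SYNs this host really sent
    unsolicited = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["src"] == my_ip and p["flags"] == {"SYN"}:
            sent_syns.add((p["sport"], p["dst"]))
        elif p["dst"] == my_ip and p["flags"] == {"SYN", "ACK"}:
            # A SYN/ACK with no SYN of ours behind it is backscatter, not a reply.
            if (p["dport"], p["src"]) not in sent_syns:
                unsolicited.append(p)
    return len(unsolicited), {p["src"] for p in unsolicited}, {p["dport"] for p in unsolicited}

def is_reflection_attack(lines, my_ip, min_reflectors=3, min_ports=3):
    """Many distinct reflectors and many distinct local ports point to spoofed-SYN reflection."""
    n, reflectors, ports = analyse(lines, my_ip)
    return n > 0 and len(reflectors) >= min_reflectors and len(ports) >= min_ports
```

On a real capture the thresholds would be far higher and applied per time window; the point is the combination of "no matching SYN from us", many reflectors and many scattered local ports, which a scan from one host would not produce.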