Security Basics mailing list archives
Re: Tons of Source port 80 to random Dest Port Traffic
From: "Tom Hayden" <haydenth () msu edu>
Date: Sun, 21 May 2006 18:27:55 -0400
Matthew,

Thanks for looking at the traffic. At first, I was thinking a similar thing that you were, but this is where I get kind of baffled.

Q1: Ethereal yields *no* outgoing traffic. Additionally, the traffic I sent earlier continues. There are about 5-10 different IPs (all from the same consumer DSL equipment) that have a src port of 80 and a constant dest. port. For example, the host 211.7.246.248 *always* sends a src 80 dest 3509 SYN,ACK packet.

Q2: Host is not a proxy, just a firewalled webserver with only port 80 and 25 open.

Cheers,
Tom

On 5/20/06, Mathew Benwell <mjbenny () internode on net> wrote:
Hi Tom,

I have had a quick look at the IP addresses and on first glance they seem to be consumer DSL services.

Q1. Are there any SYN packets in the capture heading in the other direction to the same hosts on the same port combination?
Q2. Is this host a proxy server?

If it's legitimate traffic: The SYN, ACK is the first reply packet when attempting to establish a TCP session after the original SYN packet. This would suggest that the first packet originated from your host. The static source port of 80 also suggests that the traffic originated from your host, probably trying to access a web server. Because of the way TCP works, there is always a need for a return port for traffic coming back to your host. This port is almost always a random port above 1024, which, if you get enough packet captures, you will notice usually increments upwards. This is what the packet would suggest if the world was all rosy.

If I were suspicious of the traffic (which I am atm): From Q1, Q2, if the host is not a proxy server and there are SYN packets, this could mean:
a). You have been compromised by a trojan/virus on the host which is trying to call home/propagate.
b). Your host may be compromised and it is launching attacks against other hosts. Maybe a particular make and model of DSL router.

From Q1, if there were no SYN packets, it could be a DDoS.

A more accurate idea could be gained from more packets from the conversation, e.g. the full SYN, SYN ACK, ACK as well as any packets from the same session.

Anyway, not trying to alarm you, but I hope that helps.

Cheers
Mat

Tom Hayden wrote:

Attached is a quick short summary of traffic my server ( xx.xx.xx.xx ) has been bombarded with lately. It's a short dump from tethereal. I can't seem to figure it out - just tons and tons of traffic coming from a source port of 80 to seemingly random dest. ports. Can someone help me identify this? Thanks!
--
Tom

________________________________
0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.643203 65.217.140.2 -> xx.xx.xx.xx TCP www > 3198 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.994720 66.89.134.52 -> xx.xx.xx.xx TCP www > 1562 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.345049 205.179.149.129 -> xx.xx.xx.xx TCP www > 1944 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.851040 12.100.155.209 -> xx.xx.xx.xx TCP www > 4062 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
2.818835 12.102.14.52 -> xx.xx.xx.xx TCP www > 4813 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.704693 64.0.131.17 -> xx.xx.xx.xx TCP www > 3444 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.861277 12.102.14.94 -> xx.xx.xx.xx TCP www > 4863 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.583619 209.114.238.97 -> xx.xx.xx.xx TCP www > 3798 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.594220 66.89.134.50 -> xx.xx.xx.xx TCP www > 1560 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
5.270704 12.102.56.76 -> xx.xx.xx.xx TCP www > 4400 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.319898 209.114.245.90 -> xx.xx.xx.xx TCP www > 1678 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.685362 12.98.248.241 -> xx.xx.xx.xx TCP www > 2672 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
________________________________
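As an added example, not code from the thread, from Ethereal or from either poster, here is a small Python script that automates Mat's Q1 check on a summary dump in the format shown above: for every inbound SYN,ACK it looks for an earlier outbound SYN from the server with the matching port pair, and reports the ones nothing on the server's side asked for, together with whether each source sticks to a single destination port (as Tom observed for 211.7.246.248) and which Win/MSS combinations the unsolicited packets carry. The function names, the 10.0.0.5 exchange and the mapping of the service name "www" to port 80 are my assumptions; xx.xx.xx.xx is the placeholder the post itself uses for the server, and the sample mixes four lines copied from the dump with one constructed legitimate handshake.

```python
import re
from collections import Counter, defaultdict

# One-line summary format as it appears in the dump in the post:
#   <time> <src> -> <dst> TCP <sport> > <dport> [FLAGS] Seq=.. Ack=.. Win=.. Len=.. MSS=..
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)

# Service names the capture tool printed instead of port numbers
# (assumption: only the few names relevant to this dump are mapped).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25}

def parse_port(token):
    """Turn '3509' or 'www' into an integer port; an unknown name raises KeyError."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_line(line):
    """Parse one summary line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "dst": m.group("dst"),
        "sport": parse_port(m.group("sport")), "dport": parse_port(m.group("dport")),
        "flags": flags,
        "win": int(fields.get("Win", 0)), "mss": int(fields.get("MSS", 0)),
    }

def classify_synacks(lines, our_host):
    """Split inbound SYN,ACK packets into those answering a SYN our host sent
    earlier on the same port pair (solicited) and those with no such SYN (unsolicited)."""
    pkts = [p for p in map(parse_line, lines) if p]
    # (peer, peer_port, our_port) -> timestamp of the earliest SYN we sent to it
    our_syns = {}
    for p in pkts:
        if p["src"] == our_host and p["flags"] == {"SYN"}:
            key = (p["dst"], p["dport"], p["sport"])
            our_syns[key] = min(p["ts"], our_syns.get(key, p["ts"]))
    solicited, unsolicited = [], []
    for p in pkts:
        if p["dst"] == our_host and p["flags"] == {"SYN", "ACK"}:
            key = (p["src"], p["sport"], p["dport"])
            answered = key in our_syns and our_syns[key] <= p["ts"]
            (solicited if answered else unsolicited).append(p)
    return solicited, unsolicited

def report(lines, our_host):
    """Summarise the unsolicited SYN,ACKs: counts, the destination ports seen per
    source (is each source stuck on one port?) and the (Win, MSS) signatures."""
    solicited, unsolicited = classify_synacks(lines, our_host)
    dports = defaultdict(set)
    for p in unsolicited:
        dports[p["src"]].add(p["dport"])
    return {
        "solicited": len(solicited),
        "unsolicited": len(unsolicited),
        "dports_by_src": dict(dports),
        "signatures": Counter((p["win"], p["mss"]) for p in unsolicited),
    }

# Constructed sample: four lines copied from the dump in the post plus a constructed
# legitimate exchange with 10.0.0.5 (our own SYN from port 5000, then its SYN,ACK back).
SAMPLE = """\
0.000000 xx.xx.xx.xx -> 10.0.0.5 TCP 5000 > www [SYN] Seq=0 Win=5840 Len=0 MSS=1460
0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.012345 10.0.0.5 -> xx.xx.xx.xx TCP www > 5000 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460
0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
""".splitlines()

if __name__ == "__main__":
    r = report(SAMPLE, "xx.xx.xx.xx")
    print(f"{r['solicited']} solicited, {r['unsolicited']} unsolicited SYN,ACK packets")
    for src, ports in sorted(r["dports_by_src"].items()):
        print(f"  {src:16} -> destination port(s) {sorted(ports)}")
    print("  (Win, MSS) signatures among unsolicited:", dict(r["signatures"]))
```

The check only means something if the capture contains both directions, which is exactly what Mat asks for in Q1: a dump taken with a filter that keeps only inbound packets will make every SYN,ACK look unsolicited. On the sample, the 10.0.0.5 reply is matched to our own SYN and dropped from the suspicious list, while the four lines from the post have no outbound SYN to pair with.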