Security Basics mailing list archives

Re: Tons of Source port 80 to random Dest Port Traffic


From: "Tom Hayden" <haydenth () msu edu>
Date: Sun, 21 May 2006 18:27:55 -0400

Matthew,

Thanks for looking at the traffic. At first, I was thinking a similar
thing that you were, but this is where I get kind of baffled.

Q1: Ethereal yields *no* outgoing traffic.  Additionally, the traffic
I sent earlier continues.  There are about 5-10 different IPs (all
from the same consumer DSL equipment) that have a src port of 80 and a
constant dest. port.  For example, the host 211.7.246.248 *always*
sends a src 80 dest 3509 SYN,ACK packet.
Q2: Host is not a proxy, just a firewalled webserver with only port 80
and 25 open.

Cheers,

Tom

On 5/20/06, Mathew Benwell <mjbenny () internode on net> wrote:

 Hi Tom,

 I have had a quick look at the IP addresses and on first glance they seem
to be consumer DSL services.

 Q1. Are there any SYN packets in the capture heading in the other direction
to the same hosts on the same port combination?
 Q2. Is this host a proxy server?

 If it's legitimate traffic:
 The SYN, ACK is the first reply packet when attempting to establish a TCP
session after the original SYN packet. This would suggest that the first
packet originated from your host. The static source port of 80 also suggests
that the traffic originated from your host, probably trying to access a web
server. Because of the way TCP works, there is always a need for a return
port for traffic coming back to your host. This port is almost always a
random port above 1024, which if you get enough packet captures you will
notice that it usually increments upwards. This is what the packet would
suggest if the world was all rosy.

 If I were suspicious of the traffic (Which I am atm):
 From Q1, Q2: if the host is not a proxy server and there are SYN packets,
this could mean:
     a). You have been compromised by a trojan/virus on the host which is
trying to call home/propagate.
     b). Your host may be compromised and it is launching attacks against
other hosts. Maybe a particular make and model of DSL router.
 From Q1, if there were no SYN packets, it could be a DDoS.

 A more accurate idea could be gained from more packets from the
conversation. e.g. the full SYN, SYN ACK, ACK as well as any packets from
the same session.

 Anyway, not trying to alarm you, but I hope that helps.

 Cheers
 Mat


 Tom Hayden wrote:
Attached is a quick short summary of traffic my server ( xx.xx.xx.xx )
 has been bombarded with lately.  It's a short dump from tethereal.  I
 can't seem to figure it out - just tons and tons of traffic coming
 from a source port of 80 to seemingly random dest. ports.  Can someone
 help me identify this?

 Thanks!

 --
 Tom

________________________________

 0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 0.643203 65.217.140.2 -> xx.xx.xx.xx TCP www > 3198 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 0.994720 66.89.134.52 -> xx.xx.xx.xx TCP www > 1562 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 1.345049 205.179.149.129 -> xx.xx.xx.xx TCP www > 1944 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 1.851040 12.100.155.209 -> xx.xx.xx.xx TCP www > 4062 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 2.818835 12.102.14.52 -> xx.xx.xx.xx TCP www > 4813 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 3.704693 64.0.131.17 -> xx.xx.xx.xx TCP www > 3444 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 3.861277 12.102.14.94 -> xx.xx.xx.xx TCP www > 4863 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 4.583619 209.114.238.97 -> xx.xx.xx.xx TCP www > 3798 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 4.594220 66.89.134.50 -> xx.xx.xx.xx TCP www > 1560 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 5.270704 12.102.56.76 -> xx.xx.xx.xx TCP www > 4400 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 6.319898 209.114.245.90 -> xx.xx.xx.xx TCP www > 1678 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
 6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
 6.685362 12.98.248.241 -> xx.xx.xx.xx TCP www > 2672 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024

 ________________________________
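One way to answer Mat's Q1 mechanically over a tethereal summary like the one above: this is an added example, not code from either poster. It parses the one-line format, records every outbound SYN, and reports each inbound SYN/ACK that has no earlier SYN the other way on the same four-tuple, which is the signature of backscatter from a spoofed SYN flood rather than replies to connections the host opened. The xx.xx.xx.xx placeholder is kept from the dump; the 192.0.2.10 connection is constructed.

```python
import re

# tethereal one-line TCP summary, as in the dump quoted in this thread
SUMMARY = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)
SERVICE_NAMES = {"www": 80, "http": 80, "smtp": 25}  # names tethereal prints for ports

def parse_port(token):
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token, token)

def parse(line):
    """Return (src, sport, dst, dport, flags) or None for a line that is not a TCP summary."""
    m = SUMMARY.match(line)
    if m is None:
        return None
    flags = {f.strip() for f in m["flags"].split(",")}
    return (m["src"], parse_port(m["sport"]), m["dst"], parse_port(m["dport"]), flags)

def unsolicited_synacks(lines):
    """SYN/ACKs with no earlier SYN from us on the same 4-tuple: answers to
    connections this host never opened (backscatter from a SYN flood that
    spoofed our address, or a probe), as opposed to replies to our own SYNs."""
    seen_syn = set()
    hits = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if flags == {"SYN"}:
            seen_syn.add((src, sport, dst, dport))
        elif {"SYN", "ACK"} <= flags and (dst, dport, src, sport) not in seen_syn:
            hits.append((src, sport, dst, dport))
    return hits

# Constructed sample: two lines from the dump in this thread, plus an assumed
# legitimate connection our host (xx.xx.xx.xx) opened to 192.0.2.10 and its reply.
SAMPLE = [
    "0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024",
    "0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024",
    "0.200000 xx.xx.xx.xx -> 192.0.2.10 TCP 2048 > www [SYN] Seq=0 Win=5840 Len=0 MSS=1460",
    "0.230000 192.0.2.10 -> xx.xx.xx.xx TCP www > 2048 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460",
]

if __name__ == "__main__":
    for src, sport, dst, dport in unsolicited_synacks(SAMPLE):
        print(f"unsolicited SYN/ACK {src}:{sport} -> {dst}:{dport}")
```

Run it over the full tethereal output (`tethereal -r capture.pcap | python3 script.py`-style piping after swapping SAMPLE for sys.stdin); if every SYN/ACK comes back as a hit, the host never sent the SYNs and the traffic is backscatter, not a connection the host initiated.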
