Educause Security Discussion mailing list archives

Re: Any ideas?


From: Paul Dokas <dokas () CS UMN EDU>
Date: Mon, 19 Jan 2004 23:12:32 -0600

On Mon, 19 Jan 2004 22:20:04 -0600, Paul Dokas <dokas () CS UMN EDU> wrote:
> On Mon, 19 Jan 2004 16:27:15 -0500, "Piscitello, Frank" <frank () WCUPA EDU> wrote:
> > I have what I'm assuming is a worm/scanner that is attempting to connect
> > to 68.202.199.235 on port 6667. The mystery is that the source IP seems
> > to be every address on my one student subnet. The IP packet is 60 bytes
> > and the Frame is 74 bytes. There is no actual data.
> >
> > Any ideas?
> > -Frank
>
> Spoofed SYN flood.  I know because I've got one in my dorms that's attacking
> random cable modems even as I type this.  I also had a large outbound SYN
> flood against 68.202.199.235 earlier tonight.
>
> I'm still attempting to track down the offending host on my network.
>
> Paul


Following up my own email.  I found the machine that was the source of about
6 hours worth of SYN floods tonight.  Here's an NMAP:

 (The 65526 ports scanned but not shown below are in state: closed)
 PORT      STATE    SERVICE       VERSION
 135/tcp   open     msrpc         Microsoft Windows msrpc
 139/tcp   open     netbios-ssn
 445/tcp   open     microsoft-ds  Microsoft Windows XP microsoft-ds
 559/tcp   open     teedtap
 1025/tcp  open     msrpc         Microsoft Windows msrpc
 5000/tcp  open     upnp          Microsoft Windows UPnP
 13614/tcp open     unknown
 Device type: general purpose
 Running: Microsoft Windows 95/98/ME|NT/2K/XP
 OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

Neither 559/TCP nor 13614/TCP responded in any appreciable way when poked.

To find this machine, I had to resort to downing each IP address on the
subnet and checking to see if the traffic went away.  I cannot find
any obvious method of communication that this host might have been involved
in that triggered the DoS attacks.  The only guess that I've got at this
time is a bunch of inbound SYN packets to 1286/TCP on this machine and
corresponding RST packets (possibly a heartbeat?).

Paul
--
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
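The pattern Frank describes (bare SYNs, no payload, with every address on one subnet appearing as the source) is what a spoofed SYN flood looks like from inside the network, and because the source field is forged it is useless as a key. The detector below, an added example that is not part of the thread, keys on the destination instead: it counts how many distinct local "sources" send payload-less SYNs to the same destination:port inside a short window, which is the one statistic a spoofing host cannot hide. The packet records, the 10.20.30.0/24 student subnet, the timestamps and the thresholds are all constructed for the example; only the target 68.202.199.235:6667 comes from the thread.

```python
"""Flag spoofed SYN floods from a list of packet summaries.

Added example (not from the original mailing-list thread). Each record is
(timestamp_seconds, src, dst, dst_port, tcp_flags, payload_len), the kind
of summary a sniffer or flow export would give. The signal is the number of
distinct local source addresses sending bare SYNs to one target within a
sliding window; a real client population never reaches that many sources
against a single destination:port in a few seconds.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample: 40 bare SYNs, one from every host 10.20.30.1..40,
# all aimed at 68.202.199.235:6667 within about two seconds (the flood),
# plus one ordinary web connection from a single host (benign).
SAMPLE_PACKETS = [
    (100.0 + i * 0.05, f"10.20.30.{i + 1}", "68.202.199.235", 6667, "S", 0)
    for i in range(40)
] + [
    (100.30, "10.20.30.5", "198.51.100.7", 80, "S", 0),
    (100.31, "10.20.30.5", "198.51.100.7", 80, "A", 0),
    (100.32, "10.20.30.5", "198.51.100.7", 80, "PA", 120),
]


def detect_spoofed_syn_flood(packets, local_net, window_s=5.0, min_sources=20):
    """Return one alert per (dst, dport) whose peak count of distinct local
    sources sending payload-less SYNs within window_s reaches min_sources."""
    net = ip_network(local_net)
    by_target = defaultdict(list)

    for ts, src, dst, dport, flags, plen in packets:
        # Only SYN-only segments with no data: the shape of the flood packets.
        if flags != "S" or plen != 0:
            continue
        # Only packets claiming to come from the monitored subnet.
        if ip_address(src) not in net:
            continue
        by_target[(dst, dport)].append((ts, src))

    alerts = []
    for (dst, dport), events in by_target.items():
        events.sort()
        window = deque()          # (ts, src) pairs inside the current window
        live = {}                 # src -> number of its packets in the window
        peak = 0
        for ts, src in events:
            window.append((ts, src))
            live[src] = live.get(src, 0) + 1
            # Expire packets older than the window.
            while window and ts - window[0][0] > window_s:
                old_ts, old_src = window.popleft()
                live[old_src] -= 1
                if live[old_src] == 0:
                    del live[old_src]
            peak = max(peak, len(live))
        if peak >= min_sources:
            alerts.append({
                "dst": dst,
                "dport": dport,
                "peak_distinct_sources": peak,
                "bare_syns": len(events),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofed_syn_flood(SAMPLE_PACKETS, "10.20.30.0/24"):
        print(f"spoofed SYN flood toward {alert['dst']}:{alert['dport']}: "
              f"{alert['peak_distinct_sources']} distinct sources, "
              f"{alert['bare_syns']} bare SYNs")
```

Once a target is flagged, the forged source addresses still say nothing about which host is sending; the useful next step is to match the flood to a switch port or MAC address at the edge, which is what Paul's one-address-at-a-time elimination was approximating by hand.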
