Security Incidents mailing list archives

flood of SYN packets to port 110


From: Brian Collins <listbc () newnanutilities org>
Date: Tue, 23 Dec 2003 12:59:49 -0500

Sent this to the intrusions list, thought it would likely be worthwhile to post it here as well.

We are an ISP with 8000+ cable modem customers. About an hour ago we had a NAT box start slowing down. Checking into that problem, we discovered at least three customer machines sending anywhere from 500 to 1000 packets per second to an IP apparently belonging to a Netherlands cable modem ISP, namely 81.68.130.224, all destined for port 110, all SYN packets, length of 48 bytes. TCP sequence numbers change in what appears to be a normal fashion, source ports increment from 1025 on up to just below 5000, then start back over.

Two of the machines show as Win2k Pro to an nmap fingerprint. One showed up as a Tektronix printer, but nmap didn't get sufficient TCP responses so I'm discounting that for now. All 3 have port 113 open, which seems unusual. Two of these are in homes, one in a business.

We're Googling for similar things now. Also wondering whether any of you have seen similar traffic, might have an idea what this is. I have placed a capture of just over 200,000 bytes of this at: http://mirror.newnanutilities.org/packetdump/. I'll post more packet captures later if it seems helpful.

Thanks,
--Brian Collins
SysAdmin/NetAdmin/Security Person
Newnan Utilities
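The traffic Brian describes has a recognisable shape: SYN-only segments of a fixed 48-byte length, hundreds per second from one customer to a single destination port, with the source port walking upward from 1025 to just under 5000 and then wrapping. The following detector is an added example and is not part of the original post or the poster's capture. It runs over a constructed list of per-packet records built to resemble that traffic (three flooding hosts plus one normal POP3 client), and the field names, the 81.68.130.224:110 target reused from the post, and the rate and count thresholds are assumptions chosen for illustration.

```python
"""Flag customer hosts emitting a SYN flood toward one destination port.

Added example, not code from the original list post. The sample traffic
below is constructed to mimic what the post describes; thresholds and
record layout are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    length: int    # IP total length in bytes


def make_sample() -> list[Pkt]:
    """Constructed input: three flooders at 600-900 pps plus one real mail client."""
    pkts: list[Pkt] = []
    # Each flooder sends two seconds of bare SYNs; start ports differ so
    # the wrap from just under 5000 back to 1025 is exercised.
    for src, pps, sport in (("10.0.0.5", 600, 1025),
                            ("10.0.0.9", 900, 4200),
                            ("10.0.0.23", 750, 3000)):
        for i in range(2 * pps):
            pkts.append(Pkt(i / pps, src, sport, "81.68.130.224", 110, "S", 48))
            sport = sport + 1 if sport < 4999 else 1025
    # An ordinary POP3 client completes its handshakes and sends data.
    for i, sport in enumerate((3301, 3302, 3305, 3310)):
        t = 0.3 * i
        pkts.append(Pkt(t, "10.0.0.77", sport, "81.68.130.224", 110, "S", 48))
        pkts.append(Pkt(t + 0.05, "10.0.0.77", sport, "81.68.130.224", 110, "A", 40))
        pkts.append(Pkt(t + 0.10, "10.0.0.77", sport, "81.68.130.224", 110, "PA", 60))
    pkts.sort(key=lambda p: p.ts)   # stable sort keeps per-host order
    return pkts


def _sequential(a: Pkt, b: Pkt) -> bool:
    """True if b's source port is a's plus one, or the 4999 -> 1025 wrap."""
    return b.sport - a.sport == 1 or (b.sport == 1025 and a.sport > 4000)


def find_syn_floods(pkts: list[Pkt], min_pps: float = 200.0,
                    min_syns: int = 50) -> dict[str, dict]:
    """Return {src: summary} for sources sending bare SYNs at >= min_pps
    to one (dst, dport), with the features that distinguish a flood from
    a busy but legitimate client."""
    syns: dict[tuple, list[Pkt]] = defaultdict(list)
    other: set[tuple] = set()
    for p in pkts:
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":              # SYN set, ACK clear
            syns[key].append(p)
        else:
            other.add(key)              # any follow-on traffic for the flow key
    hits: dict[str, dict] = {}
    for (src, dst, dport), group in syns.items():
        if len(group) < min_syns:
            continue
        span = group[-1].ts - group[0].ts
        pps = len(group) / span if span > 0 else float("inf")
        if pps < min_pps:
            continue
        pairs = list(zip(group, group[1:]))
        seq = sum(1 for a, b in pairs if _sequential(a, b))
        hits[src] = {
            "dst": dst,
            "dport": dport,
            "syns": len(group),
            "pps": round(pps, 1),
            "seq_ratio": seq / len(pairs),          # ~1.0 for an incrementing port walk
            "wrapped": any(b.sport < a.sport for a, b in pairs),
            "lengths": sorted({p.length for p in group}),
            "handshake_seen": (src, dst, dport) in other,  # False for a pure SYN flood
        }
    return hits


if __name__ == "__main__":
    for src, info in find_syn_floods(make_sample()).items():
        print(src, info)
```

On a real capture you would fill the `Pkt` list from tshark or scapy output instead of `make_sample()`; the three flooders are reported with a sequence ratio near 1.0, a single 48-byte length and no completed handshakes, while the legitimate client never reaches the SYN count threshold.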
