Security Incidents mailing list archives
RE: client's TCP port 256 hammered by several hosts
From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Fri, 7 Nov 2003 15:00:26 -0800
With just 3 headers it is hard to determine, but looks like a SYN flood from 192.168.x.x:2056. You mentioned other machines too? You have to figure out which application is doing it and kill the process, on each machine. If your server is doing it too, you might start there...

Is the victim system just a workstation? Does the same user use it exclusively? Is this person unpopular?

Can you post the entire packet capture?

Warmest Regards,
Jim Butterworth, GCIA

-----Original Message-----
From: gerry [mailto:gerry () tituspcservice com]
Sent: Friday, November 07, 2003 10:21 AM
To: incidents () securityfocus com
Subject: client's TCP port 256 hammered by several hosts

suddenly, one of our lan client (win2k novell client) machine's tcp port 256 is being flooded with packets from other lan pcs and our netware (5.1) server. anyone have an idea what would cause this or, better yet, how to eliminate all the excess traffic.

11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152 Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x1E6E9153 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:15.344013 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152 Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

thanks in advance,
g
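An added example, not part of the original posts: a small parser for Snort packet headers in the format quoted above. For each source host it separates repeated SYNs (same ports and sequence number) from distinct connection attempts to port 256 and counts the RST/ACK replies, which is the per-host picture a full capture would give. The host octets in the sample are constructed, since the post masks them as 192.168.x.x, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the post's Snort header format; host octets and the
# fourth packet are made up for illustration.
SAMPLE = """\
11/04-08:31:14.843754 192.168.1.20:2056 -> 192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
11/04-08:31:14.843779 192.168.1.50:256 -> 192.168.1.20:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20
11/04-08:31:15.344013 192.168.1.20:2056 -> 192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
11/04-08:31:16.100000 192.168.1.1:1099 -> 192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:500 IpLen:20 DgmLen:48 DF
******S* Seq: 0x0A0B0C0D  Ack: 0x0  Win: 0x2000  TcpLen: 28
"""

ADDR = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")

def parse(text):
    """Yield (src, sport, dst, dport, flags, seq, ack) for each packet."""
    addr = None
    for line in text.splitlines():
        m = ADDR.match(line.strip())
        if m:
            addr = (m[1], int(m[2]), m[3], int(m[4]))
            continue
        m = FLAGS.match(line.strip())
        if m and addr:
            yield addr + (m[1], int(m[2], 16), int(m[3], 16))
            addr = None

def summarize(text, port=256):
    """Per source host: distinct SYN attempts, repeated SYNs, RSTs received."""
    stats = defaultdict(lambda: {"attempts": 0, "retransmits": 0, "resets": 0})
    seen = set()  # (src, sport, dst, seq) of every SYN seen so far
    for src, sport, dst, dport, flags, seq, ack in parse(text):
        if "S" in flags and "A" not in flags and dport == port:
            key = (src, sport, dst, seq)
            # Same endpoints and same Seq: a repeat of an earlier SYN.
            stats[src]["retransmits" if key in seen else "attempts"] += 1
            seen.add(key)
        # An RST that acknowledges Seq+1 of a seen SYN: the port refused it.
        elif "R" in flags and sport == port and (dst, dport, src, (ack - 1) & 0xFFFFFFFF) in seen:
            stats[dst]["resets"] += 1
    return dict(stats)
```

Running `summarize()` over a full capture shows which hosts are opening new connections and which lines are only repeats of one refused attempt.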
Current thread:
- client's TCP port 256 hammered by several hosts gerry (Nov 07)
- RE: client's TCP port 256 hammered by several hosts Jim Butterworth (Nov 10)
- Re: client's TCP port 256 hammered by several hosts Harlan Carvey (Nov 10)
- Re: client's TCP port 256 hammered by several hosts Chris Brenton (Nov 10)