Security Incidents mailing list archives

RE: client's TCP port 256 hammered by several hosts

From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Fri, 7 Nov 2003 15:00:26 -0800

With just 3 headers it is hard to determine, but looks like a syn flood
from 192.168.x.x.:2056.    Youi mentioned other machines too?  You have
to figure out which application is doing it and kill the process, on
each machine.  If your server is doing it to, you might start there...
IS the victim system just a workstation?  Does the same user use it
exclusively?  Is this person unpopular?    Can you post the entire
packet capture?    

Warmest Regards,
Jim Butterworth, GCIA




-----Original Message-----
From: gerry [mailto:gerry () tituspcservice com] 
Sent: Friday, November 07, 2003 10:21 AM
To: incidents () securityfocus com
Subject: client's TCP port 256 hammered by several hosts



suddenly, one of our lan client (win2k novell client) machine's tpc port
256 is being flooded with packets from other lan pcs and our netware
(5.1) server.

anyone have an idea what would cause this or, better yet, how to
eliminate all the excess traffic.



11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256

TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF

******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28

TCP Options (4) => MSS: 1460 NOP NOP SackOK 



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+



11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056

TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40

***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+



11/04-08:31:15.344013 192.168.x.x:2056 -> 192.168.x.x:256

TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF

******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28

TCP Options (4) => MSS: 1460 NOP NOP SackOK 



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+



thanks in advance,

g


------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Current thread:

client's TCP port 256 hammered by several hosts gerry (Nov 07)
- RE: client's TCP port 256 hammered by several hosts Jim Butterworth (Nov 10)
- Re: client's TCP port 256 hammered by several hosts Harlan Carvey (Nov 10)
- Re: client's TCP port 256 hammered by several hosts Chris Brenton (Nov 10)