Re: flood of SYN packets to port 110

["Russell J. Lahti" <russell () 911 net>]

Sounds like you have a few systems that some IRC kiddies
are having fun with.  They likely had weak admin passwords,
or some other vuln.  They have 113 open so that they can
connect to IRC to be part of someone's bot-net.  They then
use the systems to do simple syn flooding to knock target
systems of people they don't like offline.  Closer
inspection of the systems will probably show this to be
the case.

Hope this helps.

-Russell

Brian Collins wrote:

> Sent this to the intrusions list, thought it would likely be worthwhile 
> to post it here as well.
>
> We are an ISP with 8000+ cable modem customers.  About an hour ago we 
> had a NAT box start slowing down.  Checking into that problem, we 
> discovered at least three customer machines sending anywhere from 500 to 
> 1000 packets per second to an IP apparently belonging to a Netherlands 
> cable modem ISP, namely 81.68.130.224, all destined for port 110, all 
> SYN packets, length of 48 bytes.  TCP sequence numbers change in what 
> appears to be a normal fashion, source ports increment from 1025 on up 
> to just below 5000, then start back over.
>
> Two of the machines show as Win2k Pro to an nmap fingerprint.  One 
> showed up as a Tektronix printer, but nmap didn't get sufficient TCP 
> responses so I'm discounting that for now.  All 3 have port 113 open, 
> which seems unusual.  Two of these are in homes, one in a business.
>
> We're Googling for similar things now.  Also wondering whether any of 
> you have seen similar traffic, might have an idea what this is.  I have 
> placed a capture of just over 200,000 bytes of this to:
> http://mirror.newnanutilities.org/packetdump/.  I'll post more packet 
> captures later if it seems helpful.
>
> Thanks,
> --Brian Collins
> SysAdmin/NetAdmin/Security Person
> Newnan Utilities
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------- 



---------------------------------------------------------------------------
----------------------------------------------------------------------------