Security Incidents mailing list archives

Re: Port 7000 (Apple File Share) DoS/DDoS underway


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Wed, 22 Sep 2004 09:03:57 +0200 (CEST)

On Mon, 20 Sep 2004, David Gillett wrote:

 A handful of machines, nowhere near me (network prefixes
218, 211, and 61) seem to be sending a mix of SYN-ACK and
RST packets, all with a source port of 7000, to assorted
(random) addresses in my public Class B range.

  I have seen the very same for a longer period of time. But
  the "scanning" was not always random. Sometimes a customer's
  entire /16 network was scanned, sometimes only two hosts
  were the targets.

 I expect this means that someone is spoofing random source
addresses -- many of them in my range, but who knows how many
in others... -- and ports and SYN-flooding those half-dozen
machines.

  Out of curiosity I scanned the sending host with nmap (from
  my own computer) just to find (after an endless time) nearly
  any port open. I remember having read something about it but
  forgot the details.
  My explanation was/is, that the host sending these packets
  (was indeed in most cases the same IP) was owned and "opened"
  for scanning by whoever wanted to do that.
  If someone can come up with a better explanation I'd love
  to hear it. :-)

  Cheers,


                                             Chris Kronberg.


--
GeNUA mbH
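
Added example, not part of the original post: a sketch of how the two explanations in this thread (replies from a SYN-flood victim to spoofed sources, versus a host actively scanning) can be told apart in captured traffic. The packet records, the documentation-range addresses and the min_targets threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
# Flags: "S" = SYN, "SA" = SYN-ACK, "R" = RST, "RA" = RST-ACK
PACKETS = [
    ("203.0.113.10", 7000, "198.51.100.4",   1042,  "SA"),
    ("203.0.113.10", 7000, "198.51.100.9",   2219,  "R"),
    ("203.0.113.10", 7000, "198.51.100.23",  31337, "SA"),
    ("203.0.113.10", 7000, "198.51.100.130", 1500,  "RA"),
    ("192.0.2.80",   443,  "198.51.100.77",  40000, "SA"),  # reply we asked for
    ("192.0.2.200",  5555, "198.51.100.4",   22,    "S"),
    ("192.0.2.200",  5556, "198.51.100.5",   22,    "S"),
    ("192.0.2.200",  5557, "198.51.100.6",   22,    "S"),
]
# Connections our own hosts really opened: (local_ip, local_port, remote_ip, remote_port)
OUTBOUND_SYNS = {("198.51.100.77", 40000, "192.0.2.80", 443)}

def classify(packets, outbound_syns, min_targets=3):
    """Label remote sources as 'backscatter' or 'scan'.

    Backscatter: reply-type packets (SYN-ACK/RST) from one fixed source port
    to many local addresses that never sent a matching SYN.
    Scan: bare SYNs from one source to many local address/port pairs.
    """
    replies = defaultdict(set)  # (src, sport) -> local addresses hit unsolicited
    probes = defaultdict(set)   # src -> (dst, dport) pairs probed
    for src, sport, dst, dport, flags in packets:
        if flags in ("SA", "R", "RA"):
            # Skip replies that answer a connection we actually initiated.
            if (dst, dport, src, sport) not in outbound_syns:
                replies[(src, sport)].add(dst)
        elif flags == "S":
            probes[src].add((dst, dport))
    verdicts = {}
    for (src, sport), dsts in replies.items():
        if len(dsts) >= min_targets:
            verdicts[src] = ("backscatter", sport, len(dsts))
    for src, targets in probes.items():
        if len(targets) >= min_targets and src not in verdicts:
            verdicts[src] = ("scan", None, len(targets))
    return verdicts

if __name__ == "__main__":
    for host, verdict in classify(PACKETS, OUTBOUND_SYNS).items():
        print(host, verdict)
```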

