nanog mailing list archives
Re: Syn flood to TCP port 21 from priveleged port (80)
From: Ken Chase <math () sizone org>
Date: Tue, 1 Nov 2016 15:29:09 -0400
seeing an awful lot of port 80 hitting port 21. (Why would port 80 ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering on and off as the service throttled itself at a couple client sites I manage.

I see 540 unique source IPs hitting 32 destinations on my network in just 1000 packets dumped on one router.

All from multiple sequential registered /24s in whois, but all from one management company:

141.138.128.0/21 and 95.131.184.0/21

role: William Hill Network Services
abuse-mailbox: networkservices () williamhill co uk
address: Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR
AS49061

Of course, synfloods can be spoofed... perhaps they're hoping for a retaliation against WHNS.

/kc

On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>Hello,
>
>A couple of cuts from tcpdump output:
>
>21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
>21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
>21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
>21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
>
>Is anyone seeing this right now (18:31 UTC)? I see this traffic
>on at least two completely independent ISPs near Moscow. The
>rate is about a few dozen PPS hitting all BGP-announced networks.
>
>--
>wbr, Oleg.
>
>"Anarchy is about taking complete responsibility for yourself."
>      Alan Moore.

--
Ken Chase - math () sizone org Guelph Canada
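One way to pull the figures discussed in this message (unique sources, unique destinations, covering prefixes) out of tcpdump text, as an added example that is not part of the original message. The function name `summarize`, its parameters and the last two sample lines are assumptions made here; the /21 default mirrors the allocations named in the message.

```python
import re
from collections import Counter
from ipaddress import ip_network

# First four lines are the tcpdump output quoted in the message above;
# the last two are constructed (documentation addresses) to exercise the filter:
# a normal client SYN from an ephemeral port and the server's SYN-ACK.
SAMPLE = """\
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
21:27:51.000001 IP 192.0.2.10.51512 > 198.51.100.7.21: Flags [S], seq 1, win 29200, length 0
21:27:51.000002 IP 198.51.100.7.21 > 192.0.2.10.51512: Flags [S.], seq 2, ack 2, win 28960, length 0
"""

# tcpdump prints IPv4 endpoints as a.b.c.d.port; the flags sit in [ ... ].
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(text, sport=80, dport=21, prefixlen=21):
    """Count bare SYNs (flags exactly 'S') sent from `sport` to `dport`."""
    sources, dests, prefixes = set(), set(), Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["flags"] != "S":
            continue  # unparsable line, SYN-ACK, RST, data, ...
        if int(m["sport"]) != sport or int(m["dport"]) != dport:
            continue  # ordinary client SYNs come from ephemeral ports
        sources.add(m["src"])
        dests.add(m["dst"])
        # strict=False masks the host bits, giving the covering prefix.
        net = ip_network(f"{m['src']}/{prefixlen}", strict=False)
        prefixes[str(net)] += 1
    return {"sources": len(sources), "dests": len(dests),
            "prefixes": dict(prefixes)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Source addresses in a SYN flood can be spoofed, so the prefix counts describe what the packets claim, not who sent them.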