Security Basics mailing list archives

Re: Tons of Source port 80 to random Dest Port Traffic


From: Tadej <tadej.securityfocus () gmail com>
Date: Tue, 13 Jun 2006 13:11:08 +0200

That's a little late, but I hope it might help in understanding the case.

It has nothing to do with a portscan, you are a victim of a DDoS attack.

I checked some of the sources in your logs. They all run an http server on standard port TCP/80. They are sending you 
SYN/ACKs. So what is going on? Somebody is sending SYN packets to all of these web servers. The source IP of these packets 
is spoofed, and the packets look like they are coming from your IP. So the web server receives a SYN packet, and replies with a 
SYN/ACK. And that is what you're getting.

This is some kind of "smurf attack" http://en.wikipedia.org/wiki/Smurf_attack, only instead of ICMP it uses TCP 
packets. You can find a very nice article about a similar attack on grc.com at http://www.grc.com/dos/drdos.htm.

Since it is spoofed, this kind of attack is very hard to investigate and stop. The best solution I can think of is 
to contact your ISP and ask them to filter all incoming traffic from source port TCP/80 to your IP. But 
then you would lose all legitimate http traffic :-( (alternatively you could use some web proxy for http traffic, until 
the attack stops).

Regards,
Tadej
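An added triage example (not part of Tadej's post or the original thread) that separates the reflected SYN/ACK backscatter Tadej describes from ordinary portscan SYNs. It assumes a constructed tethereal-style packet summary and a small table of connections the host itself initiated; the IPs and ports are made up.

```python
from collections import Counter

# Constructed sample, not from the poster's logs: (src_ip, src_port, dst_ip, dst_port, flags).
# "SA" = SYN/ACK, "S" = SYN. MY_IP stands in for the victim's xx.xx.xx.xx.
MY_IP = "192.0.2.10"
SAMPLE = [
    ("198.51.100.7", 80, MY_IP, 31007, "SA"),   # web servers answering SYNs we never sent
    ("198.51.100.9", 80, MY_IP, 4411, "SA"),
    ("203.0.113.5", 80, MY_IP, 60999, "SA"),
    ("203.0.113.88", 80, MY_IP, 2048, "SA"),
    ("198.51.100.7", 80, MY_IP, 17, "SA"),
    ("203.0.113.200", 80, MY_IP, 40123, "SA"),  # legitimate: we opened this connection
    ("192.0.2.77", 51000, MY_IP, 22, "S"),      # a scanner probing several ports
    ("192.0.2.77", 51001, MY_IP, 23, "S"),
    ("192.0.2.77", 51002, MY_IP, 80, "S"),
]
# Connections this host initiated, as (remote_ip, remote_port, local_port).
# In practice this would come from the local connection state table (assumption).
OUTBOUND = {("203.0.113.200", 80, 40123)}

def classify(packets, outbound, my_ip):
    """Bucket inbound packets: SYN/ACK with no matching outbound SYN is backscatter."""
    verdict = {"backscatter": [], "scan_syn": [], "other": []}
    for src, sport, dst, dport, flags in packets:
        if dst != my_ip:
            continue
        if flags == "SA" and (src, sport, dport) not in outbound:
            verdict["backscatter"].append((src, sport, dport))
        elif flags == "S":
            verdict["scan_syn"].append((src, sport, dport))
        else:
            verdict["other"].append((src, sport, dport))
    return verdict

def summarize(verdict):
    """Many distinct reflectors on src port 80 hitting random local ports = reflected DDoS;
    one source sweeping many local ports with SYNs = portscan."""
    bs = verdict["backscatter"]
    return {
        "reflected_synacks": len(bs),
        "reflectors": len({src for src, _, _ in bs}),
        "dports": len({dport for _, _, dport in bs}),
        "scanners": dict(Counter(src for src, _, _ in verdict["scan_syn"])),
    }

if __name__ == "__main__":
    print(summarize(classify(SAMPLE, OUTBOUND, MY_IP)))
```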


on 06/08/2006 03:42 PM Tom Hayden said the following:
As a resolution to the above issue:  The traffic continues, however
after further investigation it is nothing more than portscan traffic.
I'm not 100% positive but I'm willing to bet there is some kind of
vulnerability in the specific consumer equipment and it is seeking out
new targets randomly.

-- 
Tom Hayden

On 6/2/06, Deapesh Misra <deapesh () gmail com> wrote:
Hi,

On 5/18/06, Tom Hayden <haydenth () msu edu> wrote:
Attached is a quick short summary of traffic my server ( xx.xx.xx.xx )
has been bombarded with lately.  It's a short dump from tethereal.  I
can't seem to figure it out - just tons and tons of traffic coming
from a source port of 80 to seemingly random dest. ports.  Can someone
help me identify this?


I would like to know if the problem was resolved or not and the
learnings from that. It seems to be interesting!!

thanks,
Deapesh.
