Security Incidents mailing list archives

Connection attempts with source port 113

From: Rainer.Ginsberg () DE BOSCH COM (Ginsberg Rainer (QI/INF4) *)
Date: Wed, 5 Jan 2000 10:00:21 +0100


Hello,

at our packet filter, I see a lot of connection attempts from various
source addresses to unused addresses of our address blocks with source
port 113. The destination port is always one of the following.

- 1124
- 1269
- 1310
- 1415
- 1455
- 1560

Sometimes it's just one packet from one source address, sometimes it's
a whole bunch from one source to different destinations.

My guess is that these are replies to SYN floods, where the attacker used
our unused addresses for spoofing.

Does anybody else see something similar? What are your conclusions? Why
would someone try to flood identd?

Regards,
Rainer

--
Rainer Ginsberg
Robert Bosch GmbH
QI/INF4, IT security
Phone: +49-711-811-31263

Current thread:

Connection attempts with source port 113 Ginsberg Rainer (QI/INF4) * (Jan 05)
- Re: Connection attempts with source port 113 daswasme () SDF LONESTAR ORG (Jan 09)