Security Incidents mailing list archives
Re: TCP connections to port 1024 - DDoS?
From: Corey Merchant <cmerchant () LURHQ COM>
Date: Tue, 24 Oct 2000 13:29:21 -0400
I get these scans on two different hosts (in totally different IP ranges) from the same sources (probably spoofed) you outline below. Have been for at least a couple of weeks now. I will definitely have to sniff on these to get some more info.

--
Corey Merchant
Regional SOC Manager
Managed, Surveillance, and Countermeasures
LURHQ Corporation
Information Security Specialists

Mike Lewinski wrote:
I too have been seeing suspicious port 1024 traffic for a while now. It seems to come in little bursts (~ 30 seconds or less). The interesting thing is that it's only been aimed at our DNS servers, but has hit all three of them at different times. A tcpdump sample of one such incident is below (date was October 4th, times are -0600 UTC).

Mike

21:39:54.098092 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:54.118927 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>
21:39:54.137199 64.14.200.154.17962 > x.y.z.z.1024: S 21574057:21574057(0) ack 21574056 win 4128 <mss 536>
21:39:54.181781 216.35.167.58.43063 > x.y.z.z.1024: S 22896259:22896259(0) ack 22896258 win 4128 <mss 536>
21:39:54.235586 212.78.160.237.39914 > x.y.z.z.1024: S 17859326:17859326(0) ack 17859325 win 4128 <mss 536>
21:39:54.251895 194.205.125.26.48389 > x.y.z.z.1024: S 17290543:17290543(0) ack 17290542 win 4128 <mss 536>
21:39:54.262557 194.213.64.150.54350 > x.y.z.z.1024: S 23560990:23560990(0) ack 23560989 win 4128 <mss 556>
21:39:54.263845 212.23.225.98.25394 > x.y.z.z.1024: S 17264635:17264635(0) ack 17264634 win 4128 <mss 536>
21:39:56.095428 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:56.116955 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>
21:39:56.137310 64.14.200.154.17962 > x.y.z.z.1024: S 21574057:21574057(0) ack 21574056 win 4128 <mss 536>
21:39:56.179842 216.35.167.58.43063 > x.y.z.z.1024: S 22896259:22896259(0) ack 22896258 win 4128 <mss 536>
21:39:56.234306 212.78.160.237.39914 > x.y.z.z.1024: S 17859326:17859326(0) ack 17859325 win 4128 <mss 536>
21:39:56.248796 194.205.125.26.48389 > x.y.z.z.1024: S 17290543:17290543(0) ack 17290542 win 4128 <mss 536>
21:39:56.260595 212.23.225.98.25394 > x.y.z.z.1024: S 17264635:17264635(0) ack 17264634 win 4128 <mss 536>
21:39:56.260815 194.213.64.150.54350 > x.y.z.z.1024: S 23560990:23560990(0) ack 23560989 win 4128 <mss 556>
21:39:57.216662 64.14.200.154.17999 > x.y.z.z.1024: S 21574094:21574094(0) ack 21574093 win 4128 <mss 536>
21:39:57.220339 208.184.162.71.49602 > x.y.z.z.1024: S 2491734:2491734(0) ack 2491733 win 4128 <mss 536>
21:39:57.241075 64.37.200.46.43005 > x.y.z.z.1024: S 21101264:21101264(0) ack 21101263 win 4128 <mss 536>
21:39:57.249837 216.35.167.58.43097 > x.y.z.z.1024: S 22896293:22896293(0) ack 22896292 win 4128 <mss 536>
21:39:57.282860 209.249.97.40.53344 > x.y.z.z.1024: S 23688439:23688439(0) ack 23688438 win 4128 <mss 536>
21:39:57.335616 212.78.160.237.39956 > x.y.z.z.1024: S 17859368:17859368(0) ack 17859367 win 4128 <mss 536>
21:39:57.344657 194.205.125.26.48419 > x.y.z.z.1024: S 17290573:17290573(0) ack 17290572 win 4128 <mss 536>
21:39:57.362725 212.23.225.98.25424 > x.y.z.z.1024: S 17264665:17264665(0) ack 17264664 win 4128 <mss 536>
21:39:57.372443 194.213.64.150.54383 > x.y.z.z.1024: S 23561023:23561023(0) ack 23561022 win 4128 <mss 556>
21:39:59.213528 64.14.200.154.17999 > x.y.z.z.1024: S 21574094:21574094(0) ack 21574093 win 4128 <mss 536>
21:39:59.215452 208.184.162.71.49602 > x.y.z.z.1024: S 2491734:2491734(0) ack 2491733 win 4128 <mss 536>
21:39:59.238813 64.37.200.46.43005 > x.y.z.z.1024: S 21101264:21101264(0) ack 21101263 win 4128 <mss 536>
21:39:59.248027 216.35.167.58.43097 > x.y.z.z.1024: S 22896293:22896293(0) ack 22896292 win 4128 <mss 536>
21:39:59.280923 209.249.97.40.53344 > x.y.z.z.1024: S 23688439:23688439(0) ack 23688438 win 4128 <mss 536>
21:39:59.333436 212.78.160.237.39956 > x.y.z.z.1024: S 17859368:17859368(0) ack 17859367 win 4128 <mss 536>
21:39:59.345544 194.205.125.26.48419 > x.y.z.z.1024: S 17290573:17290573(0) ack 17290572 win 4128 <mss 536>
21:39:59.360220 212.23.225.98.25424 > x.y.z.z.1024: S 17264665:17264665(0) ack 17264664 win 4128 <mss 536>
21:39:59.372001 194.213.64.150.54383 > x.y.z.z.1024: S 23561023:23561023(0) ack 23561022 win 4128 <mss 556>
21:40:01.150482 212.78.160.237.39992 > x.y.z.z.1024: S 17859404:17859404(0) ack 17859403 win 4128 <mss 536>
21:40:01.260910 64.37.200.46.43037 > x.y.z.z.1024: S 21101296:21101296(0) ack 21101295 win 4128 <mss 536>
21:40:01.274349 208.184.162.71.49624 > x.y.z.z.1024: S 2491756:2491756(0) ack 2491755 win 4128 <mss 536>
21:40:01.302855 209.249.97.40.53373 > x.y.z.z.1024: S 23688468:23688468(0) ack 23688467 win 4128 <mss 536>
21:40:03.150333 212.78.160.237.39992 > x.y.z.z.1024: S 17859404:17859404(0) ack 17859403 win 4128 <mss 536>
21:40:03.258953 64.37.200.46.43037 > x.y.z.z.1024: S 21101296:21101296(0) ack 21101295 win 4128 <mss 536>
21:40:03.270806 208.184.162.71.49624 > x.y.z.z.1024: S 2491756:2491756(0) ack 2491755 win 4128 <mss 536>
21:40:03.301726 209.249.97.40.53373 > x.y.z.z.1024: S 23688468:23688468(0) ack 23688467 win 4128 <mss 536>

----- Original Message -----
From: "Abe Getchell" <agetchel () KDE STATE KY US>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, October 23, 2000 8:13 AM
Subject: TCP connections to port 1024 - DDoS?

Hey all,

Has anybody seen some kind of odd DDoS attack in which a number of zombie machines try and open TCP connections to port 1024 on the target machine? Saw some of these coming in over the last week and this weekend, and I wanted to see if this is anything that I should be concerned about. There hasn't been enough traffic to kill the server or clog any pipes, but I'm concerned that there could be eventually... or that there's something else going on here that I'm not aware of! =O

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
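Editor's added example (not code from any of the posters above): a small Python triage script that parses tcpdump summary lines in the format Mike posted and pulls out the facts a responder wants first from a burst like this, namely which flags the segments carry (in this tcpdump format the "ack N" field is only printed when the ACK flag is set, so "S ... ack N" is a SYN/ACK rather than a bare SYN), how many distinct sources are involved, whether identical segments recur and at what spacing, whether unrelated sources share the same window and options, and how ack relates to seq across packets. The sample is a subset of the capture lines from the post; the function names and the 5-second retransmission cut-off are my own choices.

```python
"""Triage a burst of classic tcpdump TCP summary lines.

Added example, not code from the thread. Parses the one-line tcpdump
format shown in the post and summarises flags, sources, repeated
segments, shared TCP parameters and the ack/seq relationship.
"""
import re
from collections import defaultdict

# A subset of the lines from Mike Lewinski's capture (target masked x.y.z.z).
SAMPLE = """\
21:39:54.098092 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:54.118927 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>
21:39:54.262557 194.213.64.150.54350 > x.y.z.z.1024: S 23560990:23560990(0) ack 23560989 win 4128 <mss 556>
21:39:56.095428 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:56.116955 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>
21:39:56.260815 194.213.64.150.54350 > x.y.z.z.1024: S 23560990:23560990(0) ack 23560989 win 4128 <mss 556>
21:39:57.241075 64.37.200.46.43005 > x.y.z.z.1024: S 21101264:21101264(0) ack 21101263 win 4128 <mss 536>
21:39:59.238813 64.37.200.46.43005 > x.y.z.z.1024: S 21101264:21101264(0) ack 21101263 win 4128 <mss 536>
"""

# Old-style tcpdump TCP line:
#   time src.sport > dst.dport: flags [seq:end(len)] [ack N] win W [<opts>]
# "ack N" appears only when the ACK flag is set, so "S ... ack N" is a SYN/ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) "
    r"(?:(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


def parse_line(line):
    """Return one packet as a dict; raise on lines the regex does not recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]),
        "opts": d["opts"] or "",
    }


def tcp_kind(pkt):
    """Name the segment the way a responder would say it out loud."""
    if "S" in pkt["flags"]:
        return "SYN/ACK" if pkt["ack"] is not None else "SYN"
    if "R" in pkt["flags"]:
        return "RST"
    return "other"


def triage(text, retransmit_window=5.0):
    """Summarise a burst. retransmit_window (seconds) is an assumed cut-off
    below which a repeated identical segment is counted as a retransmission."""
    pkts = [parse_line(l) for l in text.splitlines() if l.strip()]
    kinds = defaultdict(int)
    same_segment = defaultdict(list)   # (4-tuple, seq) -> arrival times
    params = defaultdict(set)          # (win, opts) -> sources using them
    for p in pkts:
        kinds[tcp_kind(p)] += 1
        same_segment[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p["t"])
        params[(p["win"], p["opts"])].add(p["src"])
    intervals = []
    for times in same_segment.values():
        times.sort()
        intervals += [round(b - a, 3) for a, b in zip(times, times[1:])
                      if b - a <= retransmit_window]
    return {
        "packets": len(pkts),
        "kinds": dict(kinds),
        "sources": sorted({p["src"] for p in pkts}),
        "dports": sorted({p["dport"] for p in pkts}),
        "repeated_segments": sum(1 for t in same_segment.values() if len(t) > 1),
        "retransmit_intervals": intervals,
        # Window/option combinations used by more than one source.
        "shared_params": {k: sorted(v) for k, v in params.items() if len(v) > 1},
        # A genuine SYN/ACK's ack derives from the peer's ISN and its seq from its
        # own ISN, so a constant ack-seq offset across many sources is worth noting.
        "ack_minus_seq": sorted({p["ack"] - p["seq"] for p in pkts
                                 if p["ack"] is not None and p["seq"] is not None}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print("%-21s %s" % (key, value))
```

Run stand-alone it prints the summary for the embedded sample; point `triage()` at the full capture text to get the same breakdown for the whole burst. The script deliberately reports observations (flag combination, repeat spacing, shared window/MSS, ack-seq offset) without deciding what the traffic is; that decision belongs to the analyst, with the output as evidence.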
Current thread:
- TCP connections to port 1024 - DDoS? Abe Getchell (Oct 24)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Corey Merchant (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 26)
- <Possible follow-ups>
- Re: TCP connections to port 1024 - DDoS? Abe Getchell (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Arrigo Triulzi (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Peter Gamache (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Arrigo Triulzi (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Bowman, Kevin (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 28)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 25)