Security Incidents mailing list archives
Re: TCP connections to port 1024 - DDoS?
From: Neil Long <neil.long () COMPUTING-SERVICES OXFORD AC UK>
Date: Tue, 24 Oct 2000 18:06:11 +0100
Hello,

I started logging these oddball packets back mid-August or so, usually the same smallish number of hosts and they are all unsolicited ACKs. Charting them by the hour shows spikes of varying periodicities.

The target IPs are, as far as I can tell, all hosts which have made a DNS lookup, i.e. they are not always DNS servers but some are and the others will have probably been running a caching named or are a firewall, etc. The majority of targets reply with a RST (some don't).

At one point one of the remote 'sender' IPs did resolve

    208.184.162.71 208.184.162.71.mirror-image.com

If you go take a look at www.mirror-image.com you will see that they have a large number of servers spread around geographically and my guess is that this scanning pattern is working out best routes, responses, etc.

As to how or why they are acquiring all these 'hosts which are running named of some type' raises a lot of questions the answers to which may be somewhat disturbing.

I regard the packets as 'mostly harmless' but we all know where that can lead to.

Neil
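The analysis described in the message above (pick out unsolicited ACKs, chart them by the hour, compare the targets with hosts that made DNS lookups) can be sketched as follows. This is an added example, not part of the original post; the log format, the sample records (documentation address ranges) and the function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (documentation address ranges), not logs from the post.
# Fields: timestamp, source IP, source port, destination IP, destination port, TCP flags
PACKETS = """\
2000-10-24T16:58:02 192.0.2.10 1031 198.51.100.7 80 S
2000-10-24T16:58:02 198.51.100.7 80 192.0.2.10 1031 SA
2000-10-24T16:58:03 192.0.2.10 1031 198.51.100.7 80 A
2000-10-24T17:03:11 198.51.100.20 2100 192.0.2.10 1024 A
2000-10-24T17:03:12 198.51.100.21 2101 192.0.2.53 1024 A
2000-10-24T17:40:45 198.51.100.20 2102 192.0.2.99 1024 A
2000-10-24T18:05:30 198.51.100.21 2103 192.0.2.53 1024 A
"""
DNS_CLIENTS = {"192.0.2.10", "192.0.2.53"}  # hosts seen making outbound DNS lookups

def parse(text):
    for line in text.splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        yield datetime.fromisoformat(ts), src, int(sport), dst, int(dport), flags

def unsolicited_acks(packets):
    """Return bare-ACK packets that belong to no connection opened with a SYN."""
    known, hits = set(), []
    for ts, src, sport, dst, dport, flags in packets:
        flow = frozenset([(src, sport), (dst, dport)])  # direction-independent key
        if "S" in flags:
            known.add(flow)
        elif flags == "A" and flow not in known:
            hits.append((ts, src, dst, dport))
    return hits

def hourly_counts(hits):
    """Bucket hits by hour so periodic spikes stand out."""
    return Counter(ts.strftime("%Y-%m-%d %H:00") for ts, *_ in hits)

def dns_overlap(hits, dns_clients):
    """Split targeted hosts into those that did and did not make DNS lookups."""
    targets = {dst for _, _, dst, _ in hits}
    return targets & dns_clients, targets - dns_clients

if __name__ == "__main__":
    hits = unsolicited_acks(parse(PACKETS))
    for hour, n in sorted(hourly_counts(hits).items()):
        print(hour, "#" * n)
    print(dns_overlap(hits, DNS_CLIENTS))
```

The flow table only knows connections whose SYN appears in the log, so a capture that starts mid-connection will over-report until established sessions age out.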