Security Incidents mailing list archives
Strange Traffic from 213.8.52.189
From: "Mendoza, Luis" <luis.mendoza () ATTLA COM>
Date: Fri, 23 Feb 2001 17:24:44 -0500
Hi Everybody,
I captured the following traffic against my dns server. The behavior is
similar to an attack (differents ports, and the 04 line attempt delude to my
FW, but I am not very sure I had revised the SANS documents but the behavior
is different.
Is this a new attack?
Best Regards
Luis Mendoza
No. Time Source Destination Protocol
Info
1 15:28:35.8826 213.8.52.189 a.b.c.38 UDP
Source port: 13570 Destination port: 37852
2 15:28:35.8826 213.8.52.189 a.b.c.38 ICMP Echo
(ping) request
3 15:28:35.8837 a.b.c.38 213.8.52.189 ICMP Echo
(ping) reply
4 15:28:35.8849 213.8.52.189 a.b.c.38 TCP 80 >
55305 [ACK] Seq=991 Ack=0 Win=1024 Len=0
5 15:28:35.8849 213.8.52.189 a.b.c.38 TCP
13568 > 55305 [SYN] Seq=921652387 Ack=0 Win=1024 Len=0
6 15:28:40.8681 213.8.52.189 a.b.c.38 TCP
13568 > 55305 [RST] Seq=921652388 Ack=0 Win=1024 Len=0
7 15:28:40.8686 213.8.52.189 a.b.c.38 UDP
Source port: 13570 Destination port: 37852
8 15:28:40.8767 213.8.52.189 a.b.c.38 ICMP Echo
(ping) request
9 15:28:40.8770 213.8.52.189 a.b.c.38 TCP 80 >
55305 [ACK] Seq=1003 Ack=0 Win=1024 Len=0
10 15:28:40.8770 a.b.c.38 213.8.52.189 ICMP Echo
(ping) reply
11 15:28:40.8794 213.8.52.189 a.b.c.38 TCP
13568 > 55305 [SYN] Seq=922902387 Ack=0 Win=1024 Len=0
12 15:28:46.0294 213.8.52.189 a.b.c.38 TCP
13568 > 55305 [RST] Seq=922902388 Ack=0 Win=1024 Len=0
13 15:28:46.0326 213.8.52.189 a.b.c.38 TCP
13568 > 55305 [RST] Seq=922902388 Ack=0 Win=1024 Len=0
14 02:46:35.4154 a.b.c.38 213.8.52.189 DNS
Standard query A www.othernetwork.com
15 02:46:38.4153 a.b.c.38 213.8.52.189 DNS
Standard query A www.othernetwork.com
16 02:46:39.1065 213.8.52.189 a.b.c.38 DNS
Standard query response A 194.90.241.51 A 192.114.177.51
Current thread:
- Strange Traffic from 213.8.52.189 Mendoza, Luis (Feb 24)