Security Incidents mailing list archives

Source port 63182???


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 22 May 2001 09:31:55 -0400

Greetings,

Below is the strange traffic captured by snort that greeted me this morning.
The destination is a silent host on my network.  Actually, it's a host that
doesn't exist, so there is no way it could have generated any traffic.
Notice how the source port is the same (63182).  What struck me as very
strange though is the ACK that's static through all 6 packets (0x2837683A),
even though they are from four different sources and the time spans almost 5
hours.  The three 172. addresses belong to AOL, the fourth belongs to
SkyNetWeb (a colo).  Am I seeing echoes of a DoS?  Isn't this a sort of
random list of targets?  Any ideas?

        --== Initialization Complete ==--
05/22-01:54:05.437220 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.138.117.142:63182 -> a.b.c.7:1836 TCP TTL:43 TOS:0x0 ID:29038 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-03:02:21.371115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.128.200.21:63182 -> a.b.c.7:1716 TCP TTL:43 TOS:0x0 ID:681 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-03:53:12.785810 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.156.201.240:63182 -> a.b.c.7:2376 TCP TTL:43 TOS:0x0 ID:11052 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-04:52:24.078204 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2248 TCP TTL:245 TOS:0x0 ID:58703 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-05:25:46.706044 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 ->a.b.c.7:2188 TCP TTL:245 TOS:0x0 ID:54041 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-06:40:49.193896 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2428 TCP TTL:245 TOS:0x0 ID:59429 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
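An added example, not part of the original post or of snort itself: a small Python script that parses the text `snort -v` prints (the format in the mail above) and clusters RST/ACK segments with Seq 0 by destination, source port and ACK number. A RST/ACK carrying Seq 0 is what a TCP stack returns to an unsolicited SYN on a closed port (RFC 793), so a silent host receiving such replies from several unrelated sources, all sharing one source port and one ACK value, is the pattern the post describes. The sample log is constructed for this example (documentation-range addresses, with one ordinary RST/ACK mixed in that should not cluster).

```python
"""Cluster snort TCP packet dumps by the invariants the post points at."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the post's snort output; addresses are
# documentation ranges, not the ones in the mail.  The last record is an
# ordinary RST/ACK (non-zero Seq, different Ack) and must not cluster.
SAMPLE_LOG = """\
05/22-01:54:05.437220 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
203.0.113.10:63182 -> 192.0.2.7:1836 TCP TTL:43 TOS:0x0 ID:29038 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-03:02:21.371115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
203.0.113.20:63182 -> 192.0.2.7:1716 TCP TTL:43 TOS:0x0 ID:681 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

05/22-04:52:24.078204 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
203.0.113.30:63182 ->192.0.2.7:2248 TCP TTL:245 TOS:0x0 ID:58703 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

05/22-05:25:46.706044 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
203.0.113.30:63182 -> 192.0.2.7:2188 TCP TTL:245 TOS:0x0 ID:54041 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20

05/22-05:40:00.000000 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
198.51.100.10:80 -> 192.0.2.7:40112 TCP TTL:55 TOS:0x0 ID:1 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C4D  Ack: 0x00000010  Win: 0x0  TcpLen: 20
"""

TS_LINE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s")
# "\s*->\s*" tolerates the missing space seen in one of the mail's lines.
IP_LINE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+TCP\s+TTL:(?P<ttl>\d+)")
# snort's flag field is eight characters drawn from "12UAPRSF", '*' when unset.
TCP_LINE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)"
    r"\s+Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Segment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str
    seq: int
    ack: int
    win: int


def parse_snort(text):
    """Return one Segment per TCP record; lines we do not recognise (the
    separator rows, a wrapped DgmLen) are skipped."""
    segs, ts, ip = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_LINE.match(line)
        if m:
            ts, ip = m["ts"], None
            continue
        m = IP_LINE.match(line)
        if m:
            ip = m
            continue
        m = TCP_LINE.match(line)
        if m and ip is not None:
            segs.append(Segment(ts, ip["src"], int(ip["sport"]), ip["dst"],
                                int(ip["dport"]), int(ip["ttl"]), m["flags"],
                                int(m["seq"], 16), int(m["ack"], 16),
                                int(m["win"], 16)))
            ip = None
    return segs


def is_rst_ack_reply(seg):
    """RST+ACK, no SYN, Seq 0: the reply a stack sends to a SYN on a closed port."""
    return "R" in seg.flags and "A" in seg.flags and "S" not in seg.flags and seg.seq == 0


def find_backscatter(segs, min_sources=2):
    """Group closed-port replies by (dst, source port, ack); report groups fed
    by at least min_sources distinct senders, the post's 'same port, same ACK,
    four sources' observation made mechanical."""
    groups = defaultdict(list)
    for s in segs:
        if is_rst_ack_reply(s):
            groups[(s.dst, s.sport, s.ack)].append(s)
    findings = []
    for (dst, sport, ack), members in sorted(groups.items()):
        sources = sorted({m.src for m in members})
        if len(sources) >= min_sources:
            findings.append({"dst": dst, "sport": sport, "ack": f"0x{ack:08X}",
                             "sources": sources, "packets": len(members),
                             "first": members[0].ts, "last": members[-1].ts})
    return findings


if __name__ == "__main__":
    for finding in find_backscatter(parse_snort(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved `snort -v` capture instead of `SAMPLE_LOG` to get one line per (destination, source port, ACK) cluster with its sender list and time span; a cluster whose destination never initiated anything is the case to look at, and the ordinary RST/ACK in the sample shows that a differing ACK or a non-zero sequence number keeps a segment out of the group.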

