Security Incidents mailing list archives
Source port 63182???
From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 22 May 2001 09:31:55 -0400
Greetings,

Below is the strange traffic captured by snort that greeted me this morning. The destination is a silent host on my network. Actually, it's a host that doesn't exist, so there is no way it could have generated any traffic. Notice how the source port is the same (63182). What struck me as very strange, though, is the ACK that's static through all 6 packets (0x2837683A), even though they are from four different sources and the time spans almost 5 hours. The three 172. addresses belong to AOL, the fourth belongs to SkyNetWeb (a colo). Am I seeing echoes of a DoS? Isn't this a sort of random list of targets? Any ideas?

--== Initialization Complete ==--

05/22-01:54:05.437220 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.138.117.142:63182 -> a.b.c.7:1836 TCP TTL:43 TOS:0x0 ID:29038 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-03:02:21.371115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.128.200.21:63182 -> a.b.c.7:1716 TCP TTL:43 TOS:0x0 ID:681 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-03:53:12.785810 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.156.201.240:63182 -> a.b.c.7:2376 TCP TTL:43 TOS:0x0 ID:11052 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-04:52:24.078204 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2248 TCP TTL:245 TOS:0x0 ID:58703 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-05:25:46.706044 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2188 TCP TTL:245 TOS:0x0 ID:54041 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/22-06:40:49.193896 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2428 TCP TTL:245 TOS:0x0 ID:59429 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
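Editor's note on the pattern in the post, with an added example that is not the poster's code. A TCP host that receives a SYN for a port with no listener answers with a RST/ACK carrying Seq 0 and Ack equal to the incoming sequence number plus one (RFC 793). Six RST/ACKs from four unrelated hosts, all from port 63182, all with Seq 0, Win 0 and the same Ack, is therefore the shape of replies to SYNs that all carried the same initial sequence number (0x28376839) and a forged source address of a.b.c.7. The script below parses Snort "full" alert records of the layout shown above and flags clusters of that shape: RST/ACK, Seq 0, Win 0, same source port and Ack, several distinct source hosts. The sample log is constructed to mirror the post's records; the 192.0.2.10 SYN/ACK record is invented control data so the filter has something to ignore, and the record layout (three lines per packet, `=+=+` separator) is assumed from the post rather than from any Snort version's documentation.

```python
"""Flag RST/ACK backscatter clusters in Snort 'full' alert output.

Added example for this thread, not the poster's code.  SAMPLE_LOG is
constructed to mirror the record layout in the post; the 192.0.2.10
SYN/ACK record is invented control data the filter should ignore.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
05/22-01:54:05.437220 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.138.117.142:63182 -> a.b.c.7:1836 TCP TTL:43 TOS:0x0 ID:29038 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/22-03:02:21.371115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
172.128.200.21:63182 -> a.b.c.7:1716 TCP TTL:43 TOS:0x0 ID:681 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/22-04:52:24.078204 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.23.48.195:63182 -> a.b.c.7:2248 TCP TTL:245 TOS:0x0 ID:58703 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2837683A  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/22-05:10:00.000000 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
192.0.2.10:80 -> a.b.c.7:3001 TCP TTL:50 TOS:0x0 ID:1 IpLen:20 DgmLen:44
***A**S* Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 24
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One record is three lines: frame header, IP header, TCP header.
HDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(
    r"^(?P<src>[^\s:]+):(?P<sport>\d+) ->\s*(?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"TCP TTL:(?P<ttl>\d+) ")
TCP_RE = re.compile(
    r"^(?P<flags>\S{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win: 0x(?P<win>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str   # Snort's flag string, order 12UAPRSF, '*' for a clear bit
    seq: int
    ack: int
    win: int

    def is_rst_ack(self) -> bool:
        return "A" in self.flags and "R" in self.flags and "S" not in self.flags


def _parse_record(lines):
    """Return a Packet for a three-line TCP record, or None if it does not parse."""
    m = [r.match(l) for r, l in zip((HDR_RE, IP_RE, TCP_RE), lines)]
    if len(lines) < 3 or not all(m):
        return None
    h, ip, tcp = (x.groupdict() for x in m)
    return Packet(h["ts"], ip["src"], int(ip["sport"]), ip["dst"], int(ip["dport"]),
                  int(ip["ttl"]), tcp["flags"], int(tcp["seq"], 16),
                  int(tcp["ack"], 16), int(tcp["win"], 16))


def parse_snort_full(text: str) -> list:
    """Split the log on '=+' separator lines and parse each record."""
    packets, rec = [], []
    for line in text.splitlines():
        if line.startswith("=+"):
            pkt = _parse_record(rec)
            if pkt:
                packets.append(pkt)
            rec = []
        elif line.strip():
            rec.append(line.rstrip())
    pkt = _parse_record(rec)   # trailing record with no separator after it
    if pkt:
        packets.append(pkt)
    return packets


def find_backscatter_clusters(packets, min_sources=2):
    """Group RST/ACK replies by (source port, ack); keep groups seen from several hosts.

    RST/ACK with Seq 0 is the reply to a SYN at a closed port (RFC 793:
    SEQ=0, ACK=SEG.SEQ+1).  Many unrelated hosts sending it from the same
    port with the same Ack means they all got a SYN with the same ISN whose
    source address was forged as our target.
    """
    groups = defaultdict(list)
    for p in packets:
        if p.is_rst_ack() and p.seq == 0 and p.win == 0:
            groups[(p.sport, p.ack)].append(p)
    clusters = []
    for (sport, ack), pkts in sorted(groups.items()):
        sources = sorted({p.src for p in pkts})
        if len(sources) < min_sources:
            continue
        clusters.append({
            "sport": sport,
            "ack": ack,
            "forged_syn_seq": (ack - 1) & 0xFFFFFFFF,  # ISN of the SYN that provoked the RST
            "sources": sources,
            "targets": sorted({p.dst for p in pkts}),
            "count": len(pkts),
            "first": pkts[0].ts,
            "last": pkts[-1].ts,
        })
    return clusters


if __name__ == "__main__":
    for c in find_backscatter_clusters(parse_snort_full(SAMPLE_LOG)):
        print(f"port {c['sport']} ack 0x{c['ack']:08X} (SYN seq 0x{c['forged_syn_seq']:08X}): "
              f"{c['count']} RST/ACK from {len(c['sources'])} hosts to {c['targets']} "
              f"between {c['first']} and {c['last']}")
```

On the sample above this reports one cluster: port 63182, Ack 0x2837683A, three source hosts, all aimed at a.b.c.7. The SYN/ACK record is not counted because the filter requires the RST bit and no SYN bit. Raising `min_sources` is the knob for noise: a single host replying repeatedly is a retry, not backscatter.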
Current thread:
- Source port 63182??? Portnoy, Gary (May 22)