Security Incidents mailing list archives

Re: Ideas? Port 21 SYNs, slow


From: Jason Giglio <jgiglio () netmar com>
Date: Thu, 11 Jul 2002 18:15:17 -0400

You are probably seeing backscatter from a DDoS attack.  Someone is probably spoofing your address as the source of the 
attack, among a lot of others.  That also explains why the server went down eventually.  Also the controversial 
political nature of the site would make it a target of attack.

Just my guess.

On 11 Jul 2002 02:41:08 -0000
Bubsy <pizzapowered () yahoo com> wrote:



     I would like to pick your collective brains 
regarding what I believe is an attack of some form, 
even if it is very slow. I noticed a day and a half 
worth of continuous port 21 SYNs. Because there were 
never any completed connections, this would not show up 
in the FTP logs, but I watch all traffic, maybe I need 
a life :) . I noticed an unusual amount of FTP port 
SYNs that I was acknowledging, which were being 
ignored. One or more SYNs would come in at about the 
same time, to which I would respond with three 
acknowledgements per SYN and then quit. Many of these 
incoming SYNs had the same checksum. Strange, maybe 
forgery?

65.222.227.193 was the IP of the first FTP SYN 
attempts, I portscanned that IP and found a webserver 
(reverse DNS to deadarab.com) which was selling 
anti-Osama goodies and other things. I also found 
PcAnywhere, LDAP and many other things, and the FTP 
SYNs continued. I later rescanned the same IP and found 
that the services were taken down. No conceivable valid 
WHOIS contact info, no surprise. More strangeness.

I said to myself "Hey me, is this a DDoS or is this 
meant for me?" I assumed this was intended for me 
because of the disappearing services on the initial 
offending IP. I blocked 65.222.227.* and watched. Then 
came SYNs from 65.222.225.3. I allowed a few to be 
acknowledged and dumped them to compare to the first 
ones.


From 65.222.227.193


0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ..Ü.p..Zî....E.
0x0010   00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8   .(¡Î..ó.=ÓAÞãÁÀ¨
0x0020   01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02   .Þ';... ......P.
0x0030   FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88   ÿÿˆÌ..ˆˆˆˆˆˆˆˆˆˆ

new one from 65.222.225.3

0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ..Ü.p..Zî....E.
0x0010   00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8   .(Êk..ó..ôAÞá.À¨
0x0020   01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02   .ÞH....’......P.
0x0030   FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88   ÿÿ~Ó..ˆˆˆˆˆˆˆˆˆˆ



Hmm. Oh yes I am 127.0.0.1 :) of course. Now with 
65.222.225.* blocked, I decided to WHOIS them, and I 
got the idea that some admin or network guy had too 
much time on his (or her, I'm not sexist) hands.

ipw: Query: !NETBLK-UU-65-222-224
DIOS / Maryland Online Network (NETBLK-UU-65-222-224)
   3234 Eastern Avenue
   Baltimore, MD 21224
   US

   Netname: UU-65-222-224
   Netblock: 65.222.224.0 - 65.222.239.255
   Maintainer: DIOS

   Coordinator:
      Kluver, Robert  (RK933-ARIN)  admin () mdonline net
      410-558-0320


In the next hour, similar stuff came from these IPs.

65.222.225.3
65.222.224.2
65.207.91.38
65.222.227.1
65.222.227.58
65.222.227.193
65.222.227.255   (yeah, nice IP there) and
212.169.100.130

The two odd ones come to:

ipw: Query: net 65.207.91.38
UUNET Technologies, Inc. (NETBLK-UUNET65)
   3060 Williams Drive, Suite 601
   Fairfax, VA 22031
   US

   Netname: UUNET65
   Netblock: 65.192.0.0 - 65.223.255.255
   Maintainer: UU

and

ipw: Query: 212.169.100.130
inetnum:      212.169.100.0 - 212.169.100.255
netname:      NO-NETCOM-CUST-NEXTFRAME
descr:        Customer Net for Nextframe AS
country:      NO
admin-c:      MH20735-RIPE
tech-c:       NGH3-RIPE
status:       ASSIGNED PA


which rev. DNSs to cursed.darkisp.net, which has a 
website which looks to me like a typical shell etc. 
machine, which makes sense if the guy (or gal) has a 
shell and wanted to see if I blocked his nets. The last 
set of whatever this was came as a group attempt, which 
I logged in an attempt to spot a pattern. I'm including 
an excerpt from my log to see if anyone has any ideas 
on what this might be. If anyone has any ideas, I would 
be curious to hear them. Whatever this is appears to be 
designed to defeat traditional logs by not actually 
completing a connection, and by being slow enough so as 
not to establish a tangible pattern. I also assume that 
the packets were not redirected, because shortly after 
I would block one IP, a new IP would start in, makes 
sense if the recipient saw the acks stop. I included 
the tail end of the log, all "attacks" ended at the 
endtime of my log. Thanks for your ideas people!

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info


2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - -
2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - -
2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - -
2002-07-09 14:39:49 DROP TCP 127.0.0.1 65.222.225.3 21 65232 40 A 4186694867 1689255937 16616 - - -
2002-07-09 14:42:23 DROP TCP 127.0.0.1 65.222.225.3 21 5443 40 A 4225090877 2587623425 16616 - - -
2002-07-09 14:44:56 DROP TCP 127.0.0.1 65.222.225.3 21 20112 40 A 4263412809 56098817 16616 - - -
2002-07-09 14:47:29 DROP TCP 127.0.0.1 65.222.225.3 21 57345 40 A 6764770 2667642881 16616 - - -
2002-07-09 15:07:56 DROP TCP 127.0.0.1 65.222.225.3 21 59280 40 A 313933308 2912026625 16616 - - -
2002-07-09 15:10:30 DROP TCP 127.0.0.1 65.222.225.3 21 11686 40 A 352234325 1913913345 16616 - - -
2002-07-09 15:14:16 DROP TCP 127.0.0.1 65.222.225.3 21 3327 40 A 408857607 3624730625 16616 - - -
2002-07-09 15:14:45 DROP TCP 127.0.0.1 65.207.91.38 21 65376 40 A 416115621 619642881 16616 - - -
2002-07-09 15:18:06 DROP TCP 127.0.0.1 65.222.225.3 21 26290 40 A 466441213 2279211009 16616 - - -
2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - -
2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - -
2002-07-09 15:25:28 DROP TCP 127.0.0.1 65.222.227.193 21 34760 40 A 576941514 3932422145 16616 - - -
2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - -
2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - -
2002-07-09 15:29:18 DROP TCP 127.0.0.1 65.222.227.193 21 50111 40 A 634455459 2386165761 16616 - - -
2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - -
2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - -
2002-07-09 15:33:07 DROP TCP 127.0.0.1 65.222.227.193 21 25896 40 A 691866866 3945267201 16616 - - -
2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - -
2002-07-09 15:35:59 DROP TCP 127.0.0.1 65.222.227.58 21 11133 40 A 734953939 2234843137 16616 - - -
2002-07-09 15:36:57 DROP TCP 127.0.0.1 65.222.227.193 21 59740 40 A 749290458 75169793 16616 - - -
2002-07-09 15:39:08 DROP TCP 127.0.0.1 65.222.227.1 21 48063 40 A 782099076 732954625 16616 - - -
2002-07-09 15:39:49 DROP TCP 127.0.0.1 65.222.227.58 21 36191 40 A 792386019 2452226049 16616 - - -
2002-07-09 15:40:46 DROP TCP 127.0.0.1 65.222.227.193 21 55307 40 A 806776048 3227779073 16616 - - -
2002-07-09 15:42:59 DROP TCP 127.0.0.1 65.222.227.1 21 40638 40 A 839891034 3176071169 16616 - - -
2002-07-09 15:43:39 DROP TCP 127.0.0.1 65.222.227.58 21 1761 40 A 850012211 2602893313 16616 - - -
2002-07-09 15:44:36 DROP TCP 127.0.0.1 65.222.227.193 21 19276 40 A 864273794 731185153 16616 - - -
2002-07-09 15:47:24 DROP TCP 127.0.0.1 65.222.227.1 21 65154 40 A 906143613 659161089 16616 - - -
2002-07-09 15:48:16 DROP TCP 127.0.0.1 65.222.227.58 21 5601 40 A 919156152 3022585857 16616 - - -
2002-07-09 15:49:32 DROP TCP 127.0.0.1 65.222.227.193 21 37316 40 A 938220005 893845505 16616 - - -
2002-07-09 15:50:38 DROP TCP 127.0.0.1 65.222.227.255 21 59731 40 A 954865216 3894345729 16616 - - -
2002-07-09 15:52:31 DROP TCP 127.0.0.1 65.222.227.1 21 59503 40 A 983194631 2775973889 16616 - - -
2002-07-09 15:53:20 DROP TCP 127.0.0.1 65.222.227.58 21 19743 40 A 995403697 896466945 16616 - - -
2002-07-09 15:54:38 DROP TCP 127.0.0.1 65.222.227.193 21 16729 40 A 1014842293 3790274561 16616 - - -
2002-07-09 15:55:44 DROP TCP 127.0.0.1 65.222.227.255 21 28979 40 A 1031448608 830930945 16616 - - -
2002-07-09 15:57:38 DROP TCP 127.0.0.1 65.222.227.1 21 7554 40 A 1059961455 3073376257 16616 - - -
2002-07-09 15:58:28 DROP TCP 127.0.0.1 65.222.227.58 21 10239 40 A 1072298522 1625358337 16616 - - -
2002-07-09 15:59:44 DROP TCP 127.0.0.1 65.222.227.193 21 40606 40 A 1091370715 1573912577 16616 - - -
2002-07-09 16:00:49 DROP TCP 127.0.0.1 65.222.227.255 21 24397 40 A 1107641688 2339176449 16616 - - -
2002-07-09 16:02:46 DROP TCP 127.0.0.1 65.222.227.1 21 4631 40 A 1137074499 1547239425 16616 - - -
2002-07-09 16:03:35 DROP TCP 127.0.0.1 65.222.227.58 21 24265 40 A 1149237606 2326331393 16616 - - -
2002-07-09 16:04:50 DROP TCP 127.0.0.1 65.222.227.193 21 46334 40 A 1167975572 1481703425 16616 - - -
2002-07-09 16:05:54 DROP TCP 127.0.0.1 65.222.227.255 21 43932 40 A 1184125492 2120286209 16616 - - -
2002-07-09 16:07:54 DROP TCP 127.0.0.1 65.222.227.1 21 18067 40 A 1213983467 2356871169 16616 - - -
2002-07-09 16:08:43 DROP TCP 127.0.0.1 65.222.227.58 21 25766 40 A 1226378215 3776249857 16616 - - -
2002-07-09 16:09:54 DROP TCP 127.0.0.1 65.222.227.193 21 34759 40 A 1244087238 1134624769 16616 - - -
2002-07-09 16:11:00 DROP TCP 127.0.0.1 65.222.227.255 21 32819 40 A 1260652350 1536950273 16616 - - -
2002-07-09 16:12:59 DROP TCP 127.0.0.1 65.222.227.1 21 30896 40 A 1290440103 57933825 16616 - - -
2002-07-09 16:13:50 DROP TCP 127.0.0.1 65.222.227.58 21 27243 40 A 1303242109 1163526145 16616 - - -
2002-07-09 16:15:01 DROP TCP 127.0.0.1 65.222.227.193 21 4791 40 A 1321009627 51183617 16616 - - -
2002-07-09 16:16:07 DROP TCP 127.0.0.1 65.222.227.255 21 16114 40 A 1337329759 1207566337 16616 - - -
2002-07-09 16:18:05 DROP TCP 127.0.0.1 65.222.227.1 21 60937 40 A 1367027709 2753101825 16616 - - -
2002-07-09 16:18:57 DROP TCP 127.0.0.1 65.222.227.58 21 7945 40 A 1379977654 1515520001 16616 - - -
2002-07-09 16:20:08 DROP TCP 127.0.0.1 65.222.227.193 21 58487 40 A 1397713040 1683357697 16616 - - -
2002-07-09 16:21:13 DROP TCP 127.0.0.1 65.222.227.255 21 7852 40 A 1414079077 1374027777 16616 - - -
2002-07-09 16:23:13 DROP TCP 127.0.0.1 65.222.227.1 21 31829 40 A 1444010446 1832910849 16616 - - -
2002-07-09 16:24:03 DROP TCP 127.0.0.1 65.222.227.58 21 42134 40 A 1456597809 2370043905 16616 - - -
2002-07-09 16:25:15 DROP TCP 127.0.0.1 65.222.227.193 21 48191 40 A 1474677036 1793261569 16616 - - -
2002-07-09 16:26:19 DROP TCP 127.0.0.1 65.222.227.255 21 18985 40 A 1490531613 4274192385 16616 - - -
2002-07-09 16:28:20 DROP TCP 127.0.0.1 65.222.227.1 21 58435 40 A 1520806308 628293633 16616 - - -
2002-07-09 16:29:09 DROP TCP 127.0.0.1 65.222.227.58 21 33063 40 A 1533094769 587792385 16616 - - -
2002-07-09 16:30:22 DROP TCP 127.0.0.1 65.222.227.193 21 34872 40 A 1551511862 3294625793 16616 - - -
2002-07-09 16:31:24 DROP TCP 127.0.0.1 65.222.227.255 21 55246 40 A 1566882639 2254635009 16616 - - -
2002-07-09 16:33:26 DROP TCP 127.0.0.1 65.222.227.1 21 282 40 A 1597492247 2361720833 16616 - - -
2002-07-09 16:34:15 DROP TCP 127.0.0.1 65.222.227.58 21 8368 40 A 1609821078 2197422081 16616 - - -
2002-07-09 16:35:30 DROP TCP 127.0.0.1 65.222.227.193 21 22093 40 A 1628558895 2873360385 16616 - - -
2002-07-09 16:36:29 DROP TCP 127.0.0.1 65.222.227.255 21 21506 40 A 1643280221 723320833 16616 - - -
2002-07-09 16:38:32 DROP TCP 127.0.0.1 65.222.227.1 21 49495 40 A 1673999831 1337917441 16616 - - -
2002-07-09 16:39:23 DROP TCP 127.0.0.1 65.222.227.58 21 2630 40 A 1686805847 2673868801 16616 - - -
2002-07-09 16:40:38 DROP TCP 127.0.0.1 65.222.227.193 21 47099 40 A 1705561276 1971650561 16616 - - -
2002-07-09 16:41:34 DROP TCP 127.0.0.1 65.222.227.255 21 12541 40 A 1719788892 3247374337 16616 - - -
2002-07-09 16:43:39 DROP TCP 127.0.0.1 65.222.227.1 21 20892 40 A 1750849323 4029939713 16616 - - -
2002-07-09 16:44:28 DROP TCP 127.0.0.1 65.222.227.58 21 56619 40 A 1763300043 62849025 16616 - - -
2002-07-09 16:45:45 DROP TCP 127.0.0.1 65.222.227.193 21 53663 40 A 1782386724 3809280001 16616 - - -
2002-07-09 16:46:40 DROP TCP 127.0.0.1 65.222.227.255 21 44093 40 A 1796280647 1961426945 16616 - - -
2002-07-09 16:48:45 DROP TCP 127.0.0.1 65.222.227.1 21 43060 40 A 1827539914 3206152193 16616 - - -
2002-07-09 16:49:35 DROP TCP 127.0.0.1 65.222.227.58 21 40576 40 A 1840015350 2806906881 16616 - - -
2002-07-09 16:50:52 DROP TCP 127.0.0.1 65.222.227.193 21 38179 40 A 1859204304 2213150721 16616 - - -
2002-07-09 16:51:46 DROP TCP 127.0.0.1 65.222.227.255 21 14921 40 A 1872870200 1129709569 16616 - - -
2002-07-09 16:53:51 DROP TCP 127.0.0.1 65.222.227.1 21 31818 40 A 1904111567 1253048321 16616 - - -
2002-07-09 16:54:42 DROP TCP 127.0.0.1 65.222.227.58 21 50804 40 A 1916875803 2446655489 16616 - - -
2002-07-09 16:55:59 DROP TCP 127.0.0.1 65.222.227.193 21 331 40 A 1936045330 1610153985 16616 - - -
2002-07-09 16:56:53 DROP TCP 127.0.0.1 65.222.227.255 21 22664 40 A 1949656360 1375797249 16616 - - -
2002-07-09 16:58:58 DROP TCP 127.0.0.1 65.222.227.1 21 53434 40 A 1980967895 720175105 16616 - - -
2002-07-09 16:59:48 DROP TCP 127.0.0.1 65.222.227.58 21 16960 40 A 1993475934 622592001 16616 - - -
2002-07-09 17:01:06 DROP TCP 127.0.0.1 65.222.227.193 21 30064 40 A 2012899853 3771072513 16616 - - -
2002-07-09 17:01:58 DROP TCP 127.0.0.1 65.222.227.255 21 14187 40 A 2025993664 1508900865 16616 - - -
2002-07-09 17:04:05 DROP TCP 127.0.0.1 65.222.227.1 21 43269 40 A 2057678046 2351104001 16616 - - -
2002-07-09 17:04:55 DROP TCP 127.0.0.1 65.222.227.58 21 62018 40 A 2070227715 157810689 16616 - - -
2002-07-09 17:06:12 DROP TCP 127.0.0.1 65.222.227.193 21 60323 40 A 2089456089 2509635585 16616 - - -
2002-07-09 17:07:04 DROP TCP 127.0.0.1 65.222.227.255 21 38491 40 A 2102571253 3855876097 16616 - - -
2002-07-09 17:09:11 DROP TCP 127.0.0.1 65.222.227.1 21 6494 40 A 2134375022 3345350657 16616 - - -
2002-07-09 17:10:02 DROP TCP 127.0.0.1 65.222.227.58 21 25453 40 A 2147059546 226361345 16616 - - -
2002-07-09 17:11:18 DROP TCP 127.0.0.1 65.222.227.193 21 1746 40 A 2166074335 1824260097 16616 - - -
2002-07-09 17:12:11 DROP TCP 127.0.0.1 65.222.227.255 21 11900 40 A 2179429687 2000224257 16616 - - -

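[Editor's note, also added to the archived thread and not the poster's code.] The log excerpt above is exactly the kind of slow, never-completed probing the poster says defeats service logs, and a small pass over the firewall log is enough to expose its pattern. The Python below parses the "#Fields:"-style records, groups the dropped replies by remote address, measures the seconds between probes per address, and recovers each probe's initial sequence number from the ack field. The one assumption, stated in the code, is the post's own description: each logged line is the local host's reply from port 21 to an incoming SYN, so its ack number is the remote's ISN plus one. The records are copied from the post, not generated.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Excerpt of the firewall log quoted in the post (its "#Fields:" header and a
# few records for each remote address), copied from the message, not generated.
LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - -
2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - -
2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - -
2002-07-09 15:14:45 DROP TCP 127.0.0.1 65.207.91.38 21 65376 40 A 416115621 619642881 16616 - - -
2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - -
2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - -
2002-07-09 15:25:28 DROP TCP 127.0.0.1 65.222.227.193 21 34760 40 A 576941514 3932422145 16616 - - -
2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - -
2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - -
2002-07-09 15:29:18 DROP TCP 127.0.0.1 65.222.227.193 21 50111 40 A 634455459 2386165761 16616 - - -
2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - -
2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - -
2002-07-09 15:33:07 DROP TCP 127.0.0.1 65.222.227.193 21 25896 40 A 691866866 3945267201 16616 - - -
2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - -
2002-07-09 15:35:59 DROP TCP 127.0.0.1 65.222.227.58 21 11133 40 A 734953939 2234843137 16616 - - -
2002-07-09 15:36:57 DROP TCP 127.0.0.1 65.222.227.193 21 59740 40 A 749290458 75169793 16616 - - -
"""


def parse_log(text):
    """Parse '#Fields:'-style records into dicts keyed by the header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def remote_isn(row):
    """Assumption from the post: the logged packet is the local host's reply
    from port 21 to a SYN, so its ack field is the remote's ISN + 1."""
    return (int(row["tcpack"]) - 1) & 0xFFFFFFFF


def summarize(rows):
    """Per remote address: probe count, seconds between probes, and whether
    every recovered ISN has its low 16 bits clear (the same shape as the
    seq fields in the two packet dumps)."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["protocol"] == "TCP" and r["src-port"] == "21":
            by_ip[r["dst-ip"]].append(r)
    summary = {}
    for ip, rs in by_ip.items():
        times = [datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
                 for r in rs]
        intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        isns = [remote_isn(r) for r in rs]
        summary[ip] = {
            "count": len(rs),
            "intervals": intervals,
            "median_interval": median(intervals) if intervals else None,
            "isn_low16_zero": all((isn & 0xFFFF) == 0 for isn in isns),
            "distinct_isns": len(set(isns)),
        }
    return summary


if __name__ == "__main__":
    for ip, s in summarize(parse_log(LOG)).items():
        print(ip, s)
```

On this excerpt the three rotating addresses (.227.1, .227.58, .227.193) each repeat on the same 230-second period, offset from one another by 40 and 59 seconds, and every recovered ISN ends in 0x0000, matching the two dumps. A per-address rate that slow never trips a simple SYN-rate threshold; the repeating period and the ISN shape are what tie the addresses together as one sender.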

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

