Security Incidents mailing list archives

Re: client's TCP port 256 hammered by several hosts- solved!!


From: gerry <gerry () tituspcservice com>
Date: 10 Nov 2003 16:21:59 -0000

In-Reply-To: <20031107182045.3029.qmail () sf-www1-symnsj securityfocus com>

thanks to the suggestions and help of this mailing list (esp. Chris B.), we have solved the mystery of the excess traffic.
using netcat (to listen for a connection to port 256) and fport (to identify the sender's application), we found Norton CE (server and clients) to be looking for a non-existent quarantine server. we've had norton for over three years and why the application suddenly started sending excessive traffic is unknown.
thanks again everyone for responding.

gerry

Date: 7 Nov 2003 18:20:45 -0000
Message-ID: <20031107182045.3029.qmail () sf-www1-symnsj securityfocus com>
From: gerry <gerry () tituspcservice com>
To: incidents () securityfocus com
Subject: client's TCP port 256 hammered by several hosts

suddenly, one of our lan client (win2k novell client) machines' tcp port 256 is being flooded with packets from other lan pcs and our netware (5.1) server.
anyone have an idea what would cause this or, better yet, how to eliminate all the excess traffic?

11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:15.344013 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

thanks in advance,
g

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

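The capture gerry pasted shows the classic signature of a client knocking on a closed port: a SYN to port 256, an immediate RST/ACK back (acknowledging seq+1 with a zero window), and then the same SYN retransmitted half a second later. The following script is an added example, not part of the thread, that parses Snort-style packet dumps in that format and counts, per source/destination/port, how many SYNs were sent and how many were explicitly refused. The sample log embedded in it is constructed to mirror the posted capture (the addresses are placeholders, not the poster's masked ones), and the flag-field layout follows Snort's "12UAPRSF" column order. Running something like this over a longer dump tells a defender which hosts are repeatedly failing to reach which port, which is the question fport and netcat then answer on the sending machine.

```python
"""Parse Snort-style packet dumps and count SYNs refused with RST/ACK per source."""
import re
from collections import Counter

# Constructed sample modelled on the capture in the thread; addresses are placeholders.
SAMPLE_LOG = """\
11/04-08:31:14.843754 192.168.1.20:2056 -> 192.168.1.5:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:14.843779 192.168.1.5:256 -> 192.168.1.20:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:15.344013 192.168.1.20:2056 -> 192.168.1.5:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# First line of each packet: timestamp, src:port -> dst:port (hosts may be masked, e.g. 192.168.x.x).
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)$"
)
# Snort prints TCP flags as an 8-character field in the order "12UAPRSF"; unset bits show as '*'.
FLAGS_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)"
)


def parse_packets(text):
    """Return a list of dicts, one per TCP packet that has both a header and a flags line."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"])}
            packets.append(current)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["flags"] = m["flags"]
            current["seq"] = int(m["seq"], 16)
            current["ack"] = int(m["ack"], 16)
    return [p for p in packets if "flags" in p]


def is_syn(pkt):
    """A bare SYN (no ACK) is a new connection attempt."""
    return "S" in pkt["flags"] and "A" not in pkt["flags"]


def find_refused_connections(text):
    """One record per SYN whose first reply on the reversed 4-tuple is RST/ACK of seq+1."""
    packets = parse_packets(text)
    refused = []
    for i, syn in enumerate(packets):
        if not is_syn(syn):
            continue
        for reply in packets[i + 1:]:
            reversed_tuple = (reply["src"] == syn["dst"] and reply["sport"] == syn["dport"]
                              and reply["dst"] == syn["src"] and reply["dport"] == syn["sport"])
            if not reversed_tuple:
                continue
            if "R" in reply["flags"] and "A" in reply["flags"] and reply["ack"] == syn["seq"] + 1:
                refused.append({"ts": syn["ts"], "src": syn["src"],
                                "dst": syn["dst"], "dport": syn["dport"]})
            break  # the first reply on this 4-tuple decides the outcome of this SYN
    return refused


def summarize(text):
    """Per (src, dst, dport): number of SYNs seen and number explicitly refused."""
    packets = parse_packets(text)
    syns = Counter((p["src"], p["dst"], p["dport"]) for p in packets if is_syn(p))
    refused = Counter((r["src"], r["dst"], r["dport"]) for r in find_refused_connections(text))
    return {key: {"syn": syns[key], "refused": refused[key]} for key in syns}


if __name__ == "__main__":
    for (src, dst, dport), counts in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}  SYNs={counts['syn']}  refused={counts['refused']}")
```

The retransmitted SYN carries the same sequence number as the first one and has no reply in the sample, so it is counted as an attempt but not as a confirmed refusal; a growing gap between the two columns for one source is a good hint that a client is retrying a dead service, which is exactly what the Norton quarantine lookup turned out to be.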