Security Incidents mailing list archives
RE: flood of SYN packets to port 110
From: "Moody, Chris" <cmoody () qualcomm com>
Date: Fri, 2 Jan 2004 10:57:41 -0800
What is your company's sec-policy on events such as this? I know that my employer "blackholes" (aka "set port disable x/y") any systems suspected of having a virus/trojan/intruder. I personally would knock their cable modem down and give them a call to talk to a local site admin for the system(s).

Cheers,
~Chris

My opinions are my own.

-----Original Message-----
From: Russell J. Lahti [mailto:russell () 911 net]
Sent: Friday, January 02, 2004 5:57 AM
To: incidents () securityfocus com
Cc: Brian Collins
Subject: Re: flood of SYN packets to port 110

Sounds like you have a few systems that some IRC kiddies are having fun with. They likely had weak admin passwords, or some other vuln. They have 113 open so that they can connect to IRC to be part of someone's bot-net. They then use the systems to do simple SYN flooding to knock target systems of people they don't like offline. Closer inspection of the systems will probably show this to be the case.

Hope this helps.

-Russell

Brian Collins wrote:

> Sent this to the intrusions list, thought it would likely be worthwhile to post it here as well.
>
> We are an ISP with 8000+ cable modem customers. About an hour ago we had a NAT box start slowing down. Checking into that problem, we discovered at least three customer machines sending anywhere from 500 to 1000 packets per second to an IP apparently belonging to a Netherlands cable modem ISP, namely 81.68.130.224, all destined for port 110, all SYN packets, length of 48 bytes. TCP sequence numbers change in what appears to be a normal fashion; source ports increment from 1025 on up to just below 5000, then start back over.
>
> Two of the machines show as Win2k Pro to an nmap fingerprint. One showed up as a Tektronix printer, but nmap didn't get sufficient TCP responses so I'm discounting that for now. All 3 have port 113 open, which seems unusual. Two of these are in homes, one in a business.
>
> We're Googling for similar things now. Also wondering whether any of you have seen similar traffic, might have an idea what this is. I have placed a capture of just over 200,000 bytes of this to: http://mirror.newnanutilities.org/packetdump/. I'll post more packet captures later if it seems helpful.
>
> Thanks,
>
> --Brian Collins
> SysAdmin/NetAdmin/Security Person
> Newnan Utilities
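The traffic pattern Brian describes (hundreds of SYN-only packets per second from one customer host to a single destination port, source ports stepping by one from 1025 and wrapping just below 5000) is easy to pick out of a text capture, which is what an ISP abuse desk would do before blackholing a cable modem. The following is an added example written for this archive page, not code from any poster; it assumes `tcpdump -n -tt` style text lines as input, uses RFC 5737 documentation addresses in constructed sample traffic rather than the real addresses from the thread, and the rate and ratio thresholds are assumptions, not anyone's policy.

```python
"""Flag likely SYN-flood sources in tcpdump-style text output.

Added example (not from the original thread). Heuristics follow the report:
a mostly-SYN packet stream at hundreds of packets per second, almost all to
one destination host:port, with source ports climbing by one and wrapping.
Thresholds and the sample traffic below are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict

# Matches `tcpdump -n -tt` style lines (format assumed for this example):
# 1073046000.000000 IP 192.0.2.10.1025 > 203.0.113.5.110: Flags [S], length 48
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a packet dict for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = float(pkt["ts"])
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def sport_pattern(syns):
    """Share of source-port steps that are exactly +1, and how often they wrap."""
    ports = [p["sport"] for p in syns]
    if len(ports) < 2:
        return 0.0, 0
    steps = list(zip(ports, ports[1:]))
    ups = sum(1 for a, b in steps if b == a + 1)
    wraps = sum(1 for a, b in steps if b < a)
    return ups / len(steps), wraps


def find_syn_flooders(lines, pps_threshold=200, min_syn_ratio=0.9, min_packets=20):
    """Map each suspicious source IP to a short report of what it is sending."""
    per_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            per_src[pkt["src"]].append(pkt)

    reports = {}
    for src, pkts in per_src.items():
        if len(pkts) < min_packets:
            continue
        pkts.sort(key=lambda p: p["ts"])
        syns = [p for p in pkts if p["flags"] == "S"]  # bare SYN, no ACK bit
        if len(syns) / len(pkts) < min_syn_ratio:
            continue  # mostly complete handshakes and data: not a flood
        span = max(pkts[-1]["ts"] - pkts[0]["ts"], 0.001)  # avoid divide-by-zero
        pps = len(syns) / span
        if pps < pps_threshold:
            continue
        (target, hits), = Counter((p["dst"], p["dport"]) for p in syns).most_common(1)
        monotonic, wraps = sport_pattern(syns)
        reports[src] = {
            "pps": round(pps, 1),
            "target": f"{target[0]}:{target[1]}",
            "target_share": round(hits / len(syns), 3),
            "sport_monotonic_share": round(monotonic, 3),
            "sport_wraps": wraps,
        }
    return reports


def make_flood_lines(src, dst, dport, count, pps, start=1073046000.0):
    """Constructed flood traffic: SYNs at `pps`, source ports 1025..4999 wrapping."""
    return [
        f"{start + i / pps:.6f} IP {src}.{1025 + i % 3975} > {dst}.{dport}: "
        f"Flags [S], seq {i}, win 16384, length 48"
        for i in range(count)
    ]


# Constructed sample: one flooding host plus one host doing an ordinary web fetch.
SAMPLE_LINES = make_flood_lines("192.0.2.10", "203.0.113.5", 110, 4200, 1000) + [
    "1073046000.100000 IP 192.0.2.20.3001 > 203.0.113.7.80: Flags [S], length 48",
    "1073046000.120000 IP 192.0.2.20.3001 > 203.0.113.7.80: Flags [.], length 40",
    "1073046000.121000 IP 192.0.2.20.3001 > 203.0.113.7.80: Flags [P.], length 300",
]

if __name__ == "__main__":
    for src, report in find_syn_flooders(SAMPLE_LINES).items():
        print(src, report)
```

On the constructed sample the flooding host is reported at roughly 1000 packets per second, all to one host:port, with almost every source-port step being +1 and one wrap back to 1025; the web client is skipped because it sends too few packets and only one of them is a bare SYN. The source-port check is worth keeping alongside the rate check: a busy but legitimate host can produce a high SYN rate, but an operating-system stack does not hand out ephemeral ports in a perfect +1 sequence that wraps at 5000.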