Security Incidents mailing list archives

RE: flood of SYN packets to port 110


From: "Moody, Chris" <cmoody () qualcomm com>
Date: Fri, 2 Jan 2004 10:57:41 -0800

What is your company's sec-policy on events such as this?  I know that
my employer "blackholes" (aka "set port disable x/y") any systems
suspected of having a virus/trojan/intruder.

I personally would knock their cable modem down and give them a call to
talk to a local site admin for the system(s).

Cheers,
~Chris

My opinions are my own.

-----Original Message-----
From: Russell J. Lahti [mailto:russell () 911 net] 
Sent: Friday, January 02, 2004 5:57 AM
To: incidents () securityfocus com
Cc: Brian Collins
Subject: Re: flood of SYN packets to port 110

Sounds like you have a few systems that some IRC kiddies
are having fun with.  They likely had weak admin passwords,
or some other vuln.  They have 113 open so that they can
connect to IRC to be part of someone's bot-net.  They then
use the systems to do simple syn flooding to knock target
systems of people they don't like offline.  Closer
inspection of the systems will probably show this to be
the case.

Hope this helps.

-Russell

Brian Collins wrote:

Sent this to the intrusions list, thought it would likely be worthwhile
to post it here as well.

We are an ISP with 8000+ cable modem customers.  About an hour ago we
had a NAT box start slowing down.  Checking into that problem, we
discovered at least three customer machines sending anywhere from 500
to 1000 packets per second to an IP apparently belonging to a
Netherlands cable modem ISP, namely 81.68.130.224, all destined for
port 110, all SYN packets, length of 48 bytes.  TCP sequence numbers
change in what appears to be a normal fashion, source ports increment
from 1025 on up to just below 5000, then start back over.

Two of the machines show as Win2k Pro to an nmap fingerprint.  One 
showed up as a Tektronix printer, but nmap didn't get sufficient TCP 
responses so I'm discounting that for now.  All 3 have port 113 open, 
which seems unusual.  Two of these are in homes, one in a business.

We're Googling for similar things now.  Also wondering whether any of
you have seen similar traffic, might have an idea what this is.  I
have placed a capture of just over 200,000 bytes of this to:
http://mirror.newnanutilities.org/packetdump/.  I'll post more packet
captures later if it seems helpful.

Thanks,
--Brian Collins
SysAdmin/NetAdmin/Security Person
Newnan Utilities
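The traffic pattern Brian describes (hundreds of pure SYNs per second from one customer host to a single destination port, source ports climbing from 1025 and wrapping below 5000) is easy to pick out of a packet summary once you count SYNs per source/destination/port per second. The script below is an added example, not code from anyone in this thread; it parses a simplified tcpdump-style summary format that is assumed here, and the sample traffic and IP addresses (documentation ranges) are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed summary line format for this example (not tcpdump's exact output):
#   <epoch_seconds> <src_ip>.<sport> > <dst_ip>.<dport>: <tcp_flags> len <bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+) len (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one summary line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"], "len": int(d["len"]),
    }


def build_sample():
    """Constructed traffic: one infected customer host bursting SYNs at a
    single POP3 port, plus an ordinary POP3 session from another customer."""
    lines = []
    # 600 SYNs within one second from a constructed customer IP, 48-byte
    # packets, source ports climbing from 1025 and wrapping just below 5000.
    for i in range(600):
        ts = 1073044620 + i / 600.0
        sport = 1025 + (i % 3975)
        lines.append(f"{ts:.4f} 198.51.100.23.{sport} > 192.0.2.10.110: S len 48")
    # Benign: handshake and data from a legitimate mail client (constructed).
    lines.append("1073044620.1000 198.51.100.77.3301 > 192.0.2.20.110: S len 48")
    lines.append("1073044620.1500 192.0.2.20.110 > 198.51.100.77.3301: S. len 48")
    lines.append("1073044620.2000 198.51.100.77.3301 > 192.0.2.20.110: . len 40")
    lines.append("1073044620.3000 198.51.100.77.3301 > 192.0.2.20.110: P. len 62")
    return lines


def detect_syn_floods(lines, threshold=100, window=1.0):
    """Return sorted (src, dst, dport, peak_syns_per_window, distinct_sports)
    tuples for every (src, dst, dport) whose pure-SYN count in any single
    `window`-second bucket exceeds `threshold`.

    Only packets with SYN set and ACK clear ("S") count: a SYN-ACK ("S.")
    is a server reply, not a new connection attempt, so a busy mail server
    answering many clients is not mistaken for a flooding host."""
    counts = Counter()                 # (bucket, src, dst, dport) -> SYN count
    sports = defaultdict(set)          # (src, dst, dport) -> source ports seen
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        bucket = int(pkt["ts"] // window)
        counts[(bucket, key)] += 1
        sports[key].add(pkt["sport"])

    # Peak per-window SYN rate for each flow key.
    peak = {}
    for (bucket, key), n in counts.items():
        if n > peak.get(key, 0):
            peak[key] = n

    flagged = []
    for key, n in peak.items():
        if n > threshold:
            flagged.append((*key, n, len(sports[key])))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, dport, rate, nports in detect_syn_floods(build_sample()):
        print(f"{src} -> {dst}:{dport}  peak {rate} SYN/s  {nports} source ports")
```

The distinct-source-port count is reported alongside the rate because a host that opens a fresh ephemeral port for every SYN and never completes a handshake looks quite different from a single client retrying one connection; on a real capture you would feed the script the output of a summary export rather than the constructed sample.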
