Re: DoS attacks using ports 31800, 31900 ?

["Deapesh Misra" <deapesh () gmail com>]

On 2/2/07, David Gillett <gillettdavid () fhda edu> wrote:
>   A certain amount of the packets that arrive at our gateway
> are blowback, remote hosts responding to traffic where an
> address in our block was forged as the source.  These are
> most often ICMP Port Unreachables generated by UDP Windows
> Messenger spam, with SYN-ACKs from port 80 running a distant
> second.
>
>   Within the last 24-48 hours, I've noticed something new:
> significant numbers of SYN-ACKs from port 31800, and a
> smaller number from 31900, from less than a dozen addresses
> scattered around the Internet.  None of those addresses has
> yet resolved via rDNS.

<SNIP>

>   IP Address    Port            Count
>
> 60.31.208.10    31800           3100
> 60.190.108.57   31800           3500
> 60.191.0.2              31800           26      late start
> 61.142.160.181  31800           4200
> 124.243.201.171 31800           3100
> 125.64.16.79    31800           4500
<SNIP>

> David Gillett

It is interesting to note that all these IP addresses are located in
the same country -China.

If you look at the port report for port 31900 from ISC SANS, it shows
a peak in the same date range you saw this happen:
http://isc.sans.org/port.html?port=31900

_____________________________
-Deapesh Misra