Re: Port 0 packets
From: Dave Paris (dparis_at_w3works.com)
Date: 07/24/03
- Previous message: Richard Johnson: "Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover"
- In reply to: Russell Fulton: "Re: Port 0 packets"
- Next in thread: Andreas Östling: "Re: Port 0 packets"
- Reply: Andreas Östling: "Re: Port 0 packets"
- Reply: Toby Miller: "RE: Port 0 packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Jul 2003 16:04:49 -0400
To: Russell Fulton <r.fulton@auckland.ac.nz>
Our IDS spotted another TCP port 0 packet at 19:59 UTC today (Thursday). Headers follow:
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555
Kind Regards,
-dsp
On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton wrote:
> On Wed, 2003-07-23 at 12:28, Stuart wrote:
>> Hi,
>>
>> After currently reviewing firewall logs from ISA server I have come
>> across a period where the box was hit with an approx. average of 3-4
>> packets per 5-minute period for 8 hours.
>
> Over the last few days snort has been complaining about packets on TCP 0
> to an address in our network. I finally got to investigate it yesterday.
>
> The packets were coming from two IP addresses in China and were TCP
> with RST+ACK flags set. I then used our argus <www.qosient.com> logs to
> examine all the traffic between the addresses. It turned out that there
> was a flood of incoming packets with random source and destination
> ports. So snort was triggering on a tiny proportion of the total packets.
>
> I concluded that this was fallout from a DOS attack on the two Chinese
> machines in which our address had been spoofed.
>
> Given the frequency of your packets and the likelihood that you would
> have noticed if there was other traffic from the source, this probably
> is not the same scenario. One thing that would help us work out possible
> causes is some more details about the packets -- TCP or UDP, flags etc.
>
> --
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
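The two reports in this thread describe two different things that show up as "port 0" alerts: an unsolicited SYN carrying a T/TCP CCNEW option (Dave's packet above) and RST+ACK replies arriving because someone else spoofed your address (Russell's case). As an added example, not code from the thread or from either poster, the Python below parses the multi-line Snort alert format shown above and applies Russell's reasoning: a source that only ever sends RST+ACK or SYN+ACK segments is replying to packets we never sent, so the traffic is backscatter, whereas a bare SYN is an active probe. The first sample alert is the one Dave posted; the two RST+ACK alerts from 192.0.2.10 are constructed to mimic the backscatter case, and the blank-line separation between alerts and the rule message text are assumptions about the alert file layout.

```python
"""Triage Snort TCP port-0 alerts: reflected backscatter vs. active probes."""
import re
from collections import defaultdict

# Constructed sample input. The first alert is the one posted in the thread;
# the two RST+ACK alerts from 192.0.2.10 (TEST-NET-1) are made up to mimic
# the backscatter case described by Russell Fulton.
SAMPLE_ALERTS = """\
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555

[**] BAD-TRAFFIC tcp port 0 traffic [**]
07/23-03:12:07.110001 192.0.2.10:0 -> xxx.xxx.xxx.xxx:48211
TCP TTL:112 TOS:0x0 ID:9 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x1B2C3D4E Win: 0x0 TcpLen: 20

[**] BAD-TRAFFIC tcp port 0 traffic [**]
07/23-03:12:09.550320 192.0.2.10:80 -> xxx.xxx.xxx.xxx:0
TCP TTL:112 TOS:0x0 ID:9 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x5A6B7C8D Win: 0x0 TcpLen: 20
"""

# Line 2 of an alert: "MM/DD-HH:MM:SS.uuuuuu SRC:PORT -> DST:PORT"
HDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Line 3: "TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF"
IP_RE = re.compile(r"^TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
# Line 4: "******S* Seq: 0x... Ack: 0x... Win: 0x... TcpLen: 48"
TCP_RE = re.compile(
    r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) "
    r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)"
)
# Snort prints the eight TCP flag bits in this order; '*' means the bit is clear.
FLAG_ORDER = "12UAPRSF"


def parse_alerts(text):
    """Yield one dict per alert block; blocks are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        hdr, ip, tcp = HDR_RE.match(lines[1]), IP_RE.match(lines[2]), TCP_RE.match(lines[3])
        if not (hdr and ip and tcp):
            continue
        options = " ".join(lines[4:])  # any trailing "TCP Options" lines
        yield {
            "msg": lines[0].strip("[*] "),
            "ts": hdr.group(1),
            "src": hdr.group(2), "sport": int(hdr.group(3)),
            "dst": hdr.group(4), "dport": int(hdr.group(5)),
            "ttl": int(ip.group(1)), "ipid": int(ip.group(2)),
            "flags": frozenset(FLAG_ORDER[i] for i, c in enumerate(tcp.group(1)) if c != "*"),
            "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16),
            "win": int(tcp.group(4), 16), "tcplen": int(tcp.group(5)),
            # T/TCP (RFC 1644) connection-count options: CC, CCNEW, CCECHO
            "ttcp": bool(re.search(r"\bCC(NEW|ECHO)?:", options)),
        }


def is_reply(flags):
    """RST+ACK and SYN+ACK are only sent in response to a received segment."""
    return "A" in flags and ("R" in flags or "S" in flags)


def triage(records):
    """Group alerts by source address and label each source with a likely cause."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    verdicts = {}
    for src, pkts in by_src.items():
        port_pairs = {(p["sport"], p["dport"]) for p in pkts}
        if all(is_reply(p["flags"]) for p in pkts):
            # Replies to segments we never sent: our address was spoofed in an
            # attack on this host and we are receiving its responses. Snort only
            # sees the fraction that hit port 0; flow logs show the whole flood.
            label = "backscatter: reflected replies to spoofed packets"
        elif any(p["flags"] == {"S"} and p["ttcp"] for p in pkts):
            label = "active probe: unsolicited SYN carrying T/TCP CC option"
        elif any(p["flags"] == {"S"} for p in pkts):
            label = "active probe: unsolicited SYN to port 0"
        else:
            label = "unclassified"
        verdicts[src] = {"label": label, "packets": len(pkts), "port_pairs": len(port_pairs)}
    return verdicts


if __name__ == "__main__":
    for src, v in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {v['label']} ({v['packets']} pkts, {v['port_pairs']} port pairs)")
```

The backscatter verdict gets stronger as the number of distinct port pairs from one source grows, which is why the script reports it alongside the label; a real run should feed it the full alert file plus the corresponding argus or firewall flow records, since the port 0 hits alone are a tiny sample of the traffic.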