RE: Port 0 packets
From: Stuart (secmail_at_patchsupplier.dyndns.org)
Date: 07/26/03
- Previous message: Giles Coochey: "Re: First time security issue."
- In reply to: Toby Miller: "RE: Port 0 packets"
- Next in thread: Dave Paris: "Re: Port 0 packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Toby Miller'" <toby_miller@adelphia.net>, "'Dave Paris'" <dparis@w3works.com>, "'Russell Fulton'" <r.fulton@auckland.ac.nz>
Date: Sat, 26 Jul 2003 02:26:43 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I did install snort but the box has been rebuilt since, ISA is what
is running on it at the moment. So if snort can have problems no
doubt ISA will :)
They're quite irritating as there's nothing I can find in packet
captures that's causing them to come in :S
Stu
- -----Original Message-----
From: Toby Miller [mailto:toby_miller@adelphia.net]
Sent: 26 July 2003 02:18
To: Dave Paris; Russell Fulton
Cc: Stuart; incidents@securityfocus.com
Subject: RE: Port 0 packets
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We have been seeing these port 0 packets since we installed
snort-2.0.0. At first we thought we had been missing something but
further investigation revealed that snort was not reading the packets
correctly.
Toby
- - -----Original Message-----
From: Dave Paris [mailto:dparis@w3works.com]
Sent: Thursday, July 24, 2003 4:05 PM
To: Russell Fulton
Cc: Stuart; incidents@securityfocus.com
Subject: Re: Port 0 packets
Our IDS spotted another TCP port 0 packet at 19:59 UTC today
(Thursday). Headers follow:
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555
Kind Regards,
- - -dsp
On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton
wrote:
> On Wed, 2003-07-23 at 12:28, Stuart wrote:
>> Hi,
>>
>> After reviewing firewall logs from ISA server I have come across a
>> period where the box was hit with an approx. average of 3 - 4
>> packets per 5 minute period for 8 hours.
>
> Over the last few days snort has been complaining about packets on
> TCP 0 to an address in our network. I finally got to investigate it
> yesterday.
>
> The packets were coming from two IP addresses in China and were TCP
> with RST+ACK flags set. I then used our argus <www.qosient.com> logs
> to examine all the traffic between the addresses. It turned out that
> there was a flood of incoming packets with random source and
> destination ports. So snort was triggering on a tiny proportion of
> the total packets.
>
> I concluded that this was fallout from a DOS attack on the two
> Chinese machines in which our address had been spoofed.
>
> Given the frequency of your packets and the likelihood that you
> would have noticed if there was other traffic from the source, this
> probably is not the same scenario. One thing that would help us work
> out possible causes is some more details about the packets -- TCP or
> UDP, flags etc.
>
> --
> Russell Fulton, Network Security Officer, The University of
> Auckland, New Zealand.
>
>
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBPyHWqlLhpjRJgUE5EQJl2gCeMzDWRpvuOB7k1855faVlicb6ANsAoJqd
sO7AIH2qCN6SN7RN/+lbvXwz
=7MW9
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
=jVYJ
-----END PGP SIGNATURE-----
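The thread turns on one question: is the "port 0" in the snort alert really in the packet, or is the decoder misreading it? The only way to settle that is to decode the TCP header from the raw bytes yourself and compare. The following is an added example (not code from anyone in this thread, nor from snort or ISA): it parses a TCP segment's fixed header and its option list (including the T/TCP CC.NEW option that the "T/TCP Detected" alert is keyed on), renders the flags in snort's "12UAPRSF" column style so the output can be compared with the alert, and applies the triage heuristics the thread arrives at (port 0, T/TCP options, RST/ACK with no session as a backscatter candidate). The two sample segments are constructed here; the first is built to match the header fields quoted in Dave's alert (SYN, Win 0xFFFF, TcpLen 48, nine options ending in CCNEW 248555), the second mimics the RST+ACK backscatter Russell describes. The "payload" field and the `triage` wording are this example's own choices, not anything the thread specifies.

```python
"""Decode a raw TCP header and triage 'port 0' alerts (added example)."""
import struct

# Option kinds: RFC 793 (EOL/NOP/MSS), RFC 1323 (WS/TS), RFC 1644 T/TCP (CC*).
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS",
             11: "CC", 12: "CCNEW", 13: "CCECHO"}
TTCP_OPTS = {"CC", "CCNEW", "CCECHO"}
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flags_str(flags):
    """Render the flag byte in snort's '12UAPRSF' column style."""
    bits = [(0x80, "1"), (0x40, "2"), (URG, "U"), (ACK, "A"),
            (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F")]
    return "".join(ch if flags & bit else "*" for bit, ch in bits)


def parse_options(raw):
    """Walk the option list; every length byte is checked before it is used."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: the rest is padding
            break
        if kind == 1:                       # NOP carries no length byte
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d truncated before its length" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        name = OPT_NAMES.get(kind, "kind%d" % kind)
        if kind == 2 and len(body) == 2:
            value = struct.unpack("!H", body)[0]          # MSS
        elif kind == 3 and len(body) == 1:
            value = body[0]                               # window scale
        elif kind == 8 and len(body) == 8:
            value = struct.unpack("!II", body)            # TSval, TSecr
        elif kind in (11, 12, 13) and len(body) == 4:
            value = struct.unpack("!I", body)[0]          # T/TCP connection count
        else:
            value = body.hex()
        opts.append((name, value))
        i += length
    return opts


def parse_tcp(segment):
    """Return the fixed header fields and decoded options of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the TCP fixed header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    tcplen = (off_flags >> 12) * 4          # data offset, in bytes
    if tcplen < 20 or tcplen > len(segment):
        raise ValueError("data offset of %d bytes is impossible" % tcplen)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0xFF, "win": win, "tcplen": tcplen,
            "options": parse_options(segment[20:tcplen]),
            "payload": segment[tcplen:]}


def build_tcp(sport, dport, seq, ack, flags, win, options=b""):
    """Assemble a header (checksum left zero) so the samples run offline."""
    options += b"\x00" * ((-len(options)) % 4)
    off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (off << 12) | flags, win, 0, 0) + options


def triage(pkt):
    """Heuristic notes for a 'port 0' alert, following the thread's reasoning."""
    notes = []
    if pkt["sport"] == 0 or pkt["dport"] == 0:
        notes.append("port 0 present in the raw header, not a decoder artefact")
    if {n for n, _ in pkt["options"]} & TTCP_OPTS:
        notes.append("T/TCP connection-count option (RFC 1644) present")
    if pkt["flags"] == RST | ACK:
        notes.append("RST/ACK with no session: check for spoofed-source backscatter")
    return notes


# Constructed to match the quoted alert: MSS 1460, NOP, WS 1, NOP, NOP,
# TS 15026415/0, NOP, NOP, CCNEW 248555 (28 option bytes, TcpLen 48).
TTCP_OPTIONS = (b"\x02\x04" + struct.pack("!H", 1460) + b"\x01"
                + b"\x03\x03\x01" + b"\x01\x01"
                + b"\x08\x0a" + struct.pack("!II", 15026415, 0) + b"\x01\x01"
                + b"\x0c\x06" + struct.pack("!I", 248555))
SAMPLE_TTCP_SYN = build_tcp(0, 0, 0x73C13DA0, 0, SYN, 0xFFFF, TTCP_OPTIONS)
# Constructed backscatter-style segment: RST/ACK, random source port, no options.
SAMPLE_BACKSCATTER = build_tcp(41923, 0, 0, 0x1A2B3C4D, RST | ACK, 0)

if __name__ == "__main__":
    for seg in (SAMPLE_TTCP_SYN, SAMPLE_BACKSCATTER):
        p = parse_tcp(seg)
        print("%d -> %d %s Win: 0x%X TcpLen: %d" % (
            p["sport"], p["dport"], flags_str(p["flags"]), p["win"], p["tcplen"]))
        print("  options:", p["options"])
        for note in triage(p):
            print("  ", note)
```

To use it on real traffic, feed `parse_tcp` the bytes that follow the IP header (IpLen 20 in the alert) of a frame pulled from a pcap; if the ports decoded here disagree with what the IDS printed, the decoder, not the wire, is the problem.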