flood of SYN packets to port 110

From: Brian Collins (listbc_at_newnanutilities.org)
Date: 12/23/03

    Date: Tue, 23 Dec 2003 12:59:49 -0500
    To: incidents@securityfocus.com
    
    

    Sent this to the intrusions list, thought it would likely be worthwhile to
    post it here as well.

    We are an ISP with 8000+ cable modem customers. About an hour ago we had a
    NAT box start slowing down. Checking into that problem, we discovered at
    least three customer machines sending anywhere from 500 to 1000 packets per
    second to an IP apparently belonging to a Netherlands cable modem ISP,
    namely 81.68.130.224, all destined for port 110, all SYN packets, length of
    48 bytes. TCP sequence numbers change in what appears to be a normal
    fashion, source ports increment from 1025 on up to just below 5000, then
    start back over.

    Two of the machines show as Win2k Pro to an nmap fingerprint. One showed
    up as a Tektronix printer, but nmap didn't get sufficient TCP responses so
    I'm discounting that for now. All 3 have port 113 open, which seems
    unusual. Two of these are in homes, one in a business.

    We're Googling for similar things now. Also wondering whether any of you
    have seen similar traffic or might have an idea what this is. I have placed
    a capture of just over 200,000 bytes of this at:
    http://mirror.newnanutilities.org/packetdump/. I'll post more packet
    captures later if it seems helpful.

    Thanks,
    --Brian Collins
    SysAdmin/NetAdmin/Security Person
    Newnan Utilities
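    The pattern reported above (SYN-only packets at hundreds per second toward one dst:port, source ports climbing from 1025 to just under 5000 and wrapping) can be picked out of flow or packet records with a simple heuristic. The code below is an added example, not part of the original post; the record layout, the rate threshold and the addresses (documentation ranges) are constructed assumptions.

```python
"""Detect the SYN-only flood pattern described in the post.

Heuristic (an assumption, not a standard): flag a source that sends at least
RATE SYN-only packets per second to one dst:port, and report whether its
source ports climb by one through an ephemeral range and wrap, as observed.
"""
from collections import defaultdict

# Record layout: (time_s, src, sport, dst, dport, tcp_flags, ip_length).
# Addresses below are constructed from documentation ranges, not real hosts.
FLOODER, VICTIM, BENIGN = "192.0.2.5", "198.51.100.7", "192.0.2.9"


def make_flood(src, dst, count, rate, lo=1025, hi=5000):
    """Constructed flood: SYN-only, 48-byte packets, sports sweeping lo..hi-1."""
    span = hi - lo
    return [(i / rate, src, lo + i % span, dst, 110, "S", 48) for i in range(count)]


# 4500 SYNs at 900 pkt/s plus one normal POP3 handshake from a benign client.
SAMPLE = make_flood(FLOODER, VICTIM, 4500, 900) + [
    (0.10, BENIGN, 32001, VICTIM, 110, "S", 48),
    (0.25, BENIGN, 32001, VICTIM, 110, "A", 40),
    (0.30, BENIGN, 32001, VICTIM, 110, "PA", 58),
]


def detect_syn_flood(records, rate=500, window_s=1.0):
    """Return {(src, dst, dport): peak SYN/s} for sources at or above `rate`."""
    buckets = defaultdict(int)
    for t, src, _sport, dst, dport, flags, _len in records:
        if flags == "S":  # SYN without ACK: a new connection attempt
            buckets[(src, dst, dport, int(t // window_s))] += 1
    peaks = {}
    for (src, dst, dport, _w), n in buckets.items():
        if n >= rate:
            peaks[(src, dst, dport)] = max(n, peaks.get((src, dst, dport), 0))
    return peaks


def sweeps_source_ports(records, src, lo=1025, hi=5000):
    """True if src's SYN source ports advance by one and wrap inside [lo, hi)."""
    ports = [r[2] for r in records if r[1] == src and r[5] == "S"]
    if len(ports) < 2 or any(not lo <= p < hi for p in ports):
        return False
    return all(b == a + 1 or (a == hi - 1 and b == lo) for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    for (src, dst, dport), pps in detect_syn_flood(SAMPLE).items():
        print(f"{src} -> {dst}:{dport} peaked at {pps} SYN/s, "
              f"port sweep={sweeps_source_ports(SAMPLE, src)}")
```

    Real traffic would come from a NetFlow export or a pcap parsed into the same tuple layout; the benign client's single SYN followed by ACK/PSH-ACK shows why only SYN-without-ACK packets are counted.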


