Tons of Source port 80 to random Dest Port Traffic

From: "Tom Hayden" <haydenth@xxxxxxx>
Date: Thu, 18 May 2006 11:02:56 -0400

Attached is a quick short summary of traffic my server ( xx.xx.xx.xx )
has been bombarded with lately. It's a short dump from tethereal. I
can't seem to figure it out - just tons and tons of traffic coming
from a source port of 80 to seemingly random dest. ports. Can someone
help me identify this?

Thanks!

--
Tom
0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.643203 65.217.140.2 -> xx.xx.xx.xx TCP www > 3198 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.994720 66.89.134.52 -> xx.xx.xx.xx TCP www > 1562 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.345049 205.179.149.129 -> xx.xx.xx.xx TCP www > 1944 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.851040 12.100.155.209 -> xx.xx.xx.xx TCP www > 4062 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
2.818835 12.102.14.52 -> xx.xx.xx.xx TCP www > 4813 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.704693 64.0.131.17 -> xx.xx.xx.xx TCP www > 3444 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.861277 12.102.14.94 -> xx.xx.xx.xx TCP www > 4863 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.583619 209.114.238.97 -> xx.xx.xx.xx TCP www > 3798 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.594220 66.89.134.50 -> xx.xx.xx.xx TCP www > 1560 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
5.270704 12.102.56.76 -> xx.xx.xx.xx TCP www > 4400 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.319898 209.114.245.90 -> xx.xx.xx.xx TCP www > 1678 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.685362 12.98.248.241 -> xx.xx.xx.xx TCP www > 2672 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024

Follow-Ups:
- Re: Tons of Source port 80 to random Dest Port Traffic
  - From: Deapesh Misra
- Re: Tons of Source port 80 to random Dest Port Traffic
  - From: ilaiy
- RE: Tons of Source port 80 to random Dest Port Traffic
  - From: David Gillett
- Re: Tons of Source port 80 to random Dest Port Traffic
  - From: Mathew Benwell

Prev by Date: Risk Assessment
Next by Date: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Previous by thread: Risk Assessment
Next by thread: Re: Tons of Source port 80 to random Dest Port Traffic
Index(es):
- Date
- Thread

Relevant Pages

RE: Tons of Source port 80 to random Dest Port Traffic
... Remote servers are under SYN-flood attack using spoofed source ... Tons of Source port 80 to random Dest Port Traffic ... Attached is a quick short summary of traffic my server ( ...
(Security-Basics)
Re: Tons of Source port 80 to random Dest Port Traffic
... As a resolution to the above issue: ... It's a short dump from tethereal. ... > can't seem to figure it out - just tons and tons of traffic coming ... > from a source port of 80 to seemingly random dest. ...
(Security-Basics)
Re: uk pool problem
... there's some kind of firewall between the test system and the NTP server ... possible to have ntpdate use source port 123 without setting the clock. ... ntpd reference server implementation does not enforce that. ... between an ntpd server requesting time and a client requesting time via ...
(comp.protocols.time.ntp)
MS DTC problem
... Server Driver]Distributed transaction error' ... Client side output: ... Source Port: 2940 ... Received Bind call from ...
(microsoft.public.dotnet.distributed_apps)
MS DTC problem
... Server Driver]Distributed transaction error' ... Client side output: ... Source Port: 2940 ... Received Bind call from ...
(microsoft.public.sqlserver)