Re: repeated SYN packets to port 80

From: "John Sage" <jsage@finchhaven.com>
Date: Sat, 09 Mar 2002 15:27:54 GMT


Without accepting a connection and seeing what comes next (which you
probably don't want to do ;-), it's impossible to say completely what's going
on.

I'd bet a thousand bucks it's Code Red/Nimda probes, however.

These have become a relentless Internet background noise.

Here's a sample from my firewall logs:

Mar 8 22:18:26 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
 12.229.147.250:2184 -> 12.82.141.194:80
Mar 8 22:18:29 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
 12.229.147.250:2184 -> 12.82.141.194:80

Mar 8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.229.147.250:2184 12.82.141.194:80
 L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar 8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.229.147.250:2184 12.82.141.194:80
 L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)

Fri Mar 8 22:18:26 2002 12.229.147.250 [8 hops]: Windows 2000 (9)
 12.229.147.250:2184 -> 12.82.141.194:80
Fri Mar 8 22:18:29 2002 12.229.147.250 [8 hops]: Windows 2000 (9)
 12.229.147.250:2184 -> 12.82.141.194:80

I get anywhere from 50 to 200 of these a day, every day, day in day out,
since late last summer...

HTH..

- John

-- 
Most people don't type their own logfiles;  but, what do I care?

> [My apologies beforehand if this is the incorrect forum for this post.
> If so, please direct me to the proper group.] tcplogd of my Linux box
> logs repeated "www connection attempt from xxx" where xxx is some IP
> address out there in the ether. These log entries repeat approximately
> every few seconds or minutes for days. And they're not coming from just
> one address either -- every day or so a new machine jumps in.
> I've looked at the packets with tcpdump and they appear to my untrained
> eye to be simple SYN packets. It looks sort of like a DDoS attack, but
> instead of a SYN flood, it's a SYN trickle, since the total number of
> machines I've noticed sending at any one time is typically under five
> (so far), and they don't send *that* frequently. I didn't notice any
> degradation in performance -- I just happened to notice all these
> entries in my log files. Besides, why attack my piddly server? I'm
> running the latest stable Debian with all security updates and Apache
> web server. For now I've closed down port 80. Any clues as to what's
> going on, and what the appropriate response on my part would be (if
> any)? My syslog files are huge with all these entries.
> TIA,
> Paul
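The following is an added example, not part of John's or Paul's posts. It parses ipchains "Packet log" lines of the shape shown above, keeps only denied SYNs to port 80, and groups them by source address so the "SYN trickle" can be counted per source per day the way John counts his 50 to 200 probes. It also applies one inference the post does not spell out: when the same source repeats a SYN from the same source port a few seconds later with a higher IP ID (as in the paired lines above, port 2184, I=6283 then I=6709, three seconds apart), that is a real TCP stack retrying an unanswered connect, so the source address is not spoofed and the traffic is a scanner or worm rather than a spoofed flood. The 2 to 7 second retry window, the RFC 5737 addresses, the hostname and every log line below are constructed for the example; the real records are single syslog lines, only wrapped by the mail client in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the shape of the ipchains "Packet log" lines in the post.
# Hosts are RFC 5737 documentation addresses; nothing here is a real observation.
# Source 1: one SYN per attempt, retried at +3 s and +6 s from the same source port.
# Source 2: one retry. Source 3: three SYNs in a second, a fresh source port each time.
# Last line: a UDP packet that must be ignored by the port-80 SYN filter.
SAMPLE_LOG = """\
Mar  8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:2184 198.51.100.5:80 L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar  8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:2184 198.51.100.5:80 L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)
Mar  8 22:18:35 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:2184 198.51.100.5:80 L=48 S=0x00 I=7011 F=0x4000 T=121 SYN (#64)
Mar  8 22:40:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.77:3310 198.51.100.5:80 L=48 S=0x00 I=1201 F=0x4000 T=118 SYN (#64)
Mar  8 22:40:05 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.77:3310 198.51.100.5:80 L=48 S=0x00 I=1350 F=0x4000 T=118 SYN (#64)
Mar  8 23:01:11 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:41022 198.51.100.5:80 L=60 S=0x00 I=40211 F=0x4000 T=52 SYN (#64)
Mar  8 23:01:11 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:59931 198.51.100.5:80 L=60 S=0x00 I=3 F=0x4000 T=52 SYN (#64)
Mar  8 23:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:12404 198.51.100.5:80 L=60 S=0x00 I=52990 F=0x4000 T=52 SYN (#64)
Mar  8 23:05:00 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:137 198.51.100.5:137 L=78 S=0x00 I=7300 F=0x0000 T=121 (#64)
"""

# One ipchains record: syslog stamp, chain, verdict, interface, then the IP/TCP fields.
# The trailing TCP flag words (SYN, ACK, ...) are optional; UDP/ICMP records have none.
IPCHAINS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*)"
)


def parse_ipchains(line, year=2002):
    """Parse one ipchains Packet log line into a dict, or return None if it is not one.

    syslog stamps carry no year, so the caller supplies it (the post is from March 2002).
    """
    m = IPCHAINS_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "proto": int(d["proto"]),
        "ipid": int(d["ipid"]), "ttl": int(d["ttl"]),
        "flags": set(d["flags"].split()),
    }


def is_syn_to_port(pkt, port=80):
    """True for a bare TCP SYN (no ACK) aimed at `port`: a connection attempt, not a reply."""
    return pkt["proto"] == 6 and pkt["dport"] == port and pkt["flags"] == {"SYN"}


def classify_sources(lines, port=80, retry_window=(2.0, 7.0)):
    """Group denied SYNs to `port` by source and look for retransmission pairs.

    A retransmission pair is two SYNs from the same src:sport a few seconds apart
    with a rising IP ID. That is what a real stack does when its first SYN gets no
    answer (Windows and Linux both retry at about 3 s, then 6 s), so a source that
    shows it cannot be spoofed. Spoofed floods and some scanners instead use a fresh
    source port and unrelated IP ID per packet and never retry.
    """
    per_src = defaultdict(list)
    for line in lines:
        pkt = parse_ipchains(line)
        if pkt is not None and is_syn_to_port(pkt, port):
            per_src[pkt["src"]].append(pkt)

    report = {}
    for src, pkts in per_src.items():
        by_sport = defaultdict(list)
        for p in sorted(pkts, key=lambda p: p["ts"]):
            by_sport[p["sport"]].append(p)
        retries = 0
        for seq in by_sport.values():
            for a, b in zip(seq, seq[1:]):
                delta = (b["ts"] - a["ts"]).total_seconds()
                if retry_window[0] <= delta <= retry_window[1] and b["ipid"] > a["ipid"]:
                    retries += 1
        if retries:
            verdict = "retransmitting: real stack, unspoofed source (scanner/worm probe)"
        elif len(by_sport) > 1:
            verdict = "no retries, new source port each time: scanner or spoofed flood"
        else:
            verdict = "single SYN, nothing to conclude"
        report[src] = {"syns": len(pkts), "retransmissions": retries,
                       "distinct_sports": len(by_sport), "verdict": verdict}
    return report


def summarize(report):
    """Roll the per-source report up into the numbers worth comparing day to day."""
    return {
        "sources": len(report),
        "syns": sum(r["syns"] for r in report.values()),
        "retrying_sources": sum(1 for r in report.values() if r["retransmissions"]),
    }


if __name__ == "__main__":
    rep = classify_sources(SAMPLE_LOG.splitlines())
    for src, r in sorted(rep.items()):
        print(f"{src:16} syns={r['syns']:3} retries={r['retransmissions']} "
              f"sports={r['distinct_sports']}  {r['verdict']}")
    print(summarize(rep))
```

Feed it a day's worth of `grep 'Packet log' /var/log/messages` and the per-source totals are Paul's "new machine every day or so", while the retransmission count tells you whether each of those machines is a live host that would have sent an HTTP request had port 80 answered. Both log formats in the post share the fields this relies on; the snort and p0f lines would need their own regex, which is left out here.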


