Re: repeated SYN packets to port 80
From: John Sage (jsage@finchhaven.com)
Date: 03/09/02
In reply to: Paul B. Johnson: "repeated SYN packets to port 80"
From: "John Sage" <jsage@finchhaven.com> Date: Sat, 09 Mar 2002 15:27:54 GMT
Without accepting a connection and seeing what comes next (which you
probably don't want to do ;-) it's impossible to say completely what's going
on.
I'd bet a thousand bucks it's Code Red/Nimda probes, however.
These have become a relentless Internet background noise.
Here's a sample from my firewall logs:
Mar 8 22:18:26 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
12.229.147.250:2184 -> 12.82.141.194:80
Mar 8 22:18:29 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
12.229.147.250:2184 -> 12.82.141.194:80
Mar 8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.229.147.250:2184 12.82.141.194:80
L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar 8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.229.147.250:2184 12.82.141.194:80
L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)
Fri Mar 8 22:18:26 2002 12.229.147.250 [8 hops]: Windows 2000 (9)
12.229.147.250:2184 -> 12.82.141.194:80
Fri Mar 8 22:18:29 2002 12.229.147.250 [8 hops]: Windows 2000 (9)
12.229.147.250:2184 -> 12.82.141.194:80
I get anywhere from 50 to 200 of these a day, every day, day in day out,
since late last summer...
HTH..
- John
--
Most people don't type their own logfiles; but, what do I care?

> [My apologies beforehand if this is the incorrect forum for this post.
> If so, please direct me to the proper group.]
>
> tcplogd of my Linux box logs repeated "www connection attempt from xxx"
> where xxx is some IP address out there in the ether. These log entries
> repeat approximately every few seconds or minutes for days. And they're
> not coming from just one address either -- every day or so a new machine
> jumps in.
>
> I've looked at the packets with tcpdump and they appear to my untrained
> eye to be simple SYN packets. It looks sort of like a DDoS attack, but
> instead of a SYN flood, it's a SYN trickle, since the total number of
> machines I've noticed sending at any one time is typically under five
> (so far), and they don't send *that* frequently. I didn't notice any
> degradation in performance -- I just happened to notice all these
> entries in my log files. Besides, why attack my piddly server? I'm
> running the latest stable Debian with all security updates and Apache
> webserver. For now I've closed down port 80. Any clues as to what's
> going on, and what the appropriate response on my part would be (if
> any)? My syslog files are huge with all these entries.
>
> TIA,
> Paul
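An added example, not part of the thread, that turns ipchains "Packet log" lines like John's into the per-source summary Paul was after: it counts denied TCP SYNs to port 80 per source and collapses retransmissions (the same source port repeated a few seconds apart, like 2184 above) into a single connection attempt. The first two sample lines are John's, rejoined onto one syslog line each; the third and fourth lines and the 192.0.2.44 address are constructed, and the field layout is assumed to match the ipchains format shown in the post.

```python
import re

# Sample input (constructed): John's two ipchains entries on one line each,
# plus a second constructed source and a UDP packet that must be ignored.
SAMPLE_LOG = """\
Mar  8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.229.147.250:2184 12.82.141.194:80 L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar  8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.229.147.250:2184 12.82.141.194:80 L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)
Mar  8 23:01:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.44:3302 12.82.141.194:80 L=48 S=0x00 I=1201 F=0x4000 T=115 SYN (#64)
Mar  8 23:05:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.44:1030 12.82.141.194:53 L=60 S=0x00 I=1300 F=0x0000 T=115 (#70)
"""

# Field layout of an ipchains kernel log line, as shown in the post (assumed).
IPCHAINS_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)$"
)

def parse_ipchains(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    for k in ("proto", "sport", "dport"):
        f[k] = int(f[k])
    f["syn"] = "SYN" in f["rest"].split()  # TCP flag tokens follow the TTL field
    return f

def summarize_syn_probes(log_text, dport=80):
    """Per source IP: denied TCP SYN packets to dport, distinct connection
    attempts (one per source port; repeats are retransmissions), first/last seen."""
    out = {}
    for line in log_text.splitlines():
        f = parse_ipchains(line)
        if not f or f["proto"] != 6 or f["dport"] != dport or not f["syn"]:
            continue
        s = out.setdefault(f["src"], {"packets": 0, "ports": set(),
                                      "first": f["stamp"], "last": f["stamp"]})
        s["packets"] += 1
        s["ports"].add(f["sport"])
        s["last"] = f["stamp"]
    return {src: {"packets": s["packets"], "attempts": len(s["ports"]),
                  "first": s["first"], "last": s["last"]} for src, s in out.items()}

if __name__ == "__main__":
    for src, s in summarize_syn_probes(SAMPLE_LOG).items():
        print(f"{src:16} {s['packets']} SYNs / {s['attempts']} attempt(s)  {s['first']} .. {s['last']}")
```

Feeding a day's worth of syslog through it shows the "trickle" pattern John describes: a handful of sources, each making one or two attempts a few seconds apart, rather than a flood from a single host.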