ftp tcp reset floods
- From: "fraz" <frazamatazzle@xxxxxxxxx>
- Date: 20 Nov 2006 12:59:36 -0800
anyone familiar with something going around that is doing tcp resets on
ftp ports against akamai servers (err, 15% of the internet akamai)?
I have something jumping from one windows pc to another using them to
burst hundreds of thousands of small (less than 50 bytes) ftp packets
against various akamai
servers. I have sniffed the traffic, and it consists of small packets
with the tcp reset flag set to 1 coming from a non-privileged port on
the pc (e.g. 1046) and going against port 21 on the remote machine.
This is followed by an ack response from the remote machine (which is
listed as a duplicate ack) back to port 1046. Rinse and repeat a few
hundred thousand times.
This traffic brings the cpu utilization on our router quickly up to
100% at which point it starts to dump services. I am not sure if this
is an attempt to participate in a DDoS against the remote machines, or
if it is an attempt to tank my router.
Windows pcs have updated anti-virus (CA), are NOW running windows
firewall,
and are fully patched to today (although they may have been compromised
at any time in the past, who knows). Several have had on-line f-secure
and symantec scans in safe-mode that show nothing. Once I turn on
Windows Firewall (it was turned off to allow some administration via CA
Antivirus admin console and for Enterprise ghost functions to work),
that seems to stop the traffic, but I still must have a a nasty bug
waiting to pounce.
Any help would be appreciated.
.
- Prev by Date: Re: Security Certificate Error message when visiting my bank web-site
- Next by Date: Re: Private or encryption box?
- Previous by thread: Re: Security Certificate Error message when visiting my bank web-site
- Next by thread: Re: Private or encryption box?
- Index(es):
Relevant Pages
|
