I cannot find anything in the literature about this attack method. As a WILD guess, it is a mutation of one of the DDoS tools with new ports, but this underscores the importance of martian filters on border routers and also filtering outbounds so that spoofed addresses cannot leave your border routers. Cisco also has an obscure command to verify the path, but it drops the router into process switch mode as I recall. If I am wrong, please correct me.

Scott

"Matthew R. Potter" wrote:
Hi,
Has anyone else noticed probes against their network with a spoofed source address and Src (80) and Dst(2183)?
Yes, all from Reserved (Private) IPs... Over and over and over... At two-minute intervals.
Mar 9 11:48:52 xxxxxxxx ipmon[23116]: 11:48:52.169293 xl1 @0:4 b 10.2.8.31,80 -> xxx.xxx.xxx.xxx,51419 PR tcp len 20 40 -AF
Mar 9 11:49:28 xxxxxxxx ipmon[23116]: 11:49:28.286393 xl1 @0:3 b 172.16.0.142,80 -> xxx.xxx.xxx.xxx,6736 PR tcp len 20 163 -AFP
Begins again... in 2 minutes... same IPs, flags and ports.
M.
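
Added example, not part of the original thread: a small Python parser for ipmon lines of the shape quoted above that picks out packets arriving on the external interface with a martian source address and measures how often each source repeats. The sample log is constructed (hostname `fw`, destination 192.0.2.10, and the 198.51.100.7 line are made up), `xl1` being the external interface is an assumption, and the martian list is a common set of ranges rather than anything given in the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Source ranges that should never arrive from the Internet (assumed martian set).
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Fields of one ipmon line: time, interface, rule, action, src,port -> dst,port, flags.
IPMON = re.compile(
    r"ipmon\[\d+\]: (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ (?P<ifname>\S+) "
    r"@\d+:\d+ (?P<action>\w) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[^,\s]+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>\w+)")

# Constructed sample modelled on the quoted log, with a two-minute repeat.
SAMPLE = """\
Mar 9 11:48:52 fw ipmon[23116]: 11:48:52.169293 xl1 @0:4 b 10.2.8.31,80 -> 192.0.2.10,51419 PR tcp len 20 40 -AF
Mar 9 11:49:28 fw ipmon[23116]: 11:49:28.286393 xl1 @0:3 b 172.16.0.142,80 -> 192.0.2.10,6736 PR tcp len 20 163 -AFP
Mar 9 11:49:40 fw ipmon[23116]: 11:49:40.000100 xl1 @0:9 p 198.51.100.7,40112 -> 192.0.2.10,25 PR tcp len 20 60 -S
Mar 9 11:50:52 fw ipmon[23116]: 11:50:52.170001 xl1 @0:4 b 10.2.8.31,80 -> 192.0.2.10,51419 PR tcp len 20 40 -AF
Mar 9 11:51:28 fw ipmon[23116]: 11:51:28.290114 xl1 @0:3 b 172.16.0.142,80 -> 192.0.2.10,6736 PR tcp len 20 163 -AFP
"""

def is_martian(addr):
    """True if addr falls inside any range in MARTIANS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIANS)

def martian_sources(log_text, ext_if="xl1"):
    """Map (src, sport) -> times seen (seconds of day) for martians on ext_if."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = IPMON.search(line)
        if not m or m["ifname"] != ext_if or not is_martian(m["src"]):
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        seen[(m["src"], int(m["sport"]))].append(t)
    return dict(seen)

def repeat_intervals(seen):
    """Seconds between consecutive sightings of each martian source."""
    return {k: [b - a for a, b in zip(v, v[1:])] for k, v in seen.items()}

if __name__ == "__main__":
    for (src, sport), gaps in repeat_intervals(martian_sources(SAMPLE)).items():
        print(f"{src}:{sport} on xl1 repeats every {gaps} s")
```

Every hit reported here is a packet an ingress martian filter on the border router would have dropped before it reached the firewall log.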