On Sun, 27 Jun 2010 17:22:51 -0400 (EDT) khatfield@socllc.net wrote:
Here is an example report we received from AT&T: 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]
This looks like the trademark signature of back scatter as a result of someone using the juno.c or derivative code to SYN flood a host. You are most likely getting this traffic from a host that is getting attacked. In the junos.c code you'll see this: syn->sport = htons(1024 + (random() & 2048)); A random number is ANDed against 2048, the result is then added to 1024. What will be added is always either 0 or 2048, because 2048 has only one bit set. 1024 + 2048 = 3072. Therefore, syn-sport will only ever equal 1024 or 3072. Or in your case, it shows up as the dport on the way back. John