Increase of DOS attacks using TCP src and/or dst of 0
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls. ---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
I just scanned through the last 48 hours of logs and did not find anything. We are peering with Level3 (AS 3549) and Verizon (AS 11486). -- Michael Gatti main. 949.371.5474 (UTC -8) On Mar 7, 2012, at 12:45 PM, Matthew Huff wrote:
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls.
----
Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mhuff@ox.com> wrote:
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls.
srs/dst of 0 as measured how? (tcpdump? netflow? app logs?)
On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mhuff@ox.com> wrote:
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls. srs/dst of 0 as measured how? (tcpdump? netflow? app logs?) No, however I am seeing an increase in unsolicited syn-ack packets with a wider variety of "from" ports (many 80 still, used to be almost all) but some 22, 113, 4000, 600x, and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs
On 03/07/2012 01:29 PM, Christopher Morrow wrote: that are not targets of A records, so appear to be indiscriminate scans... Source IP's all over the place as expected. Don't know if it is tcptraceroute in a strange mode, or OS fingerprinting attempts, or both. Also don't know if the sources are spoofs or not (rather hard to tell...) Sources don't seem to match up with syn-only packets either, at least on the same day. -- Pete
On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff <mhuff@ox.com> wrote:
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls.
Not seeing a ton of them, but do see a few logged on most all of our server like: Mar 5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT= MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101 DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422 -- Chris Stone AxisInternet, Inc. www.axint.net
Out of curiosity - Is it possible it's a command and control network, rather than directly an attack? On Wed, Mar 7, 2012 at 2:41 PM, Chris Stone <axisml@gmail.com> wrote:
On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff <mhuff@ox.com> wrote:
Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls.
Not seeing a ton of them, but do see a few logged on most all of our server like:
Mar 5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT= MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101 DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
-- Chris Stone AxisInternet, Inc. www.axint.net
-- -george william herbert george.herbert@gmail.com
participants (6)
-
Chris Stone
-
Christopher Morrow
-
George Herbert
-
Matthew Huff
-
Mike Gatti
-
Pete Carah