Just got hit by a scan for TCP port 53. It is unusual in that each SYN packet has an associated RST packet with almost identical timestamp. Any idea which vulnerability they are trying to use? It smells like an attack on some NAT box. Logs are GMT. 2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF) 2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0 2001/06/04-12:03:43.527483 216.207.243.167.2420 > 203.34.97.8.53: S 734717774:734717774(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.537478 216.207.243.167.2420 > 203.34.97.8.53: R 0:0(0) win 0 2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: S 736268655:736268655(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: R 0:0(0) win 0 2001/06/04-12:03:43.557468 216.207.243.167.2422 > 203.34.97.10.53: S 737261904:737261904(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.567463 216.207.243.167.2422 > 203.34.97.10.53: R 0:0(0) win 0 2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: S 739120319:739120319(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: R 0:0(0) win 0 etc.
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 07:16:21 PDT