In the past few days we have been packeted continuously. Now we have had the source blocked at backbone level, however the attack has drawn my curiosity...

Here is a brief TCPdump sequence... the packets were all similar to these. Please note that I have sanitized the log by substituting ATTACKER for the source IP and OURSELVES for the destination...

01:04:31.177220 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
    4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc
01:04:31.179710 ATTACKER.1168 > OURSELVES.80: . ack 3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
    4500 0034 5c90 4000 3406 3a69 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12cb
    8010 43e0 d4d4 0000 0101 080a 0001 6eb9
    0b53 31cc
01:04:31.181333 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
    4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc
01:04:31.185397 ATTACKER.1168 > OURSELVES.80: . ack 3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
    4500 0034 5c90 4000 3406 3a69 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12cb
    8010 43e0 d4d4 0000 0101 080a 0001 6eb9
    0b53 31cc
01:04:31.186669 ATTACKER.1162 > OURSELVES.80: . ack 3790259423 win 6708 <nop,nop,timestamp 94158 190001870> (DF)
    4500 0034 6917 4000 3406 2de2 96d9 8d92
    c2f3 c86b 048a 0050 d56a 02dd e1ea c4df
    8010 1a34 7ae1 0000 0101 080a 0001 6fce
    0b53 32ce
01:04:31.189714 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
    4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc
01:04:31.191222 ATTACKER.1168 > OURSELVES.80: . ack 3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
    4500 0034 5c90 4000 3406 3a69 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12cb
    8010 43e0 d4d4 0000 0101 080a 0001 6eb9
    0b53 31cc
01:04:31.195460 ATTACKER.1162 > OURSELVES.80: . ack 3790259423 win 6708 <nop,nop,timestamp 94158 190001870> (DF)
    4500 0034 6917 4000 3406 2de2 96d9 8d92
    c2f3 c86b 048a 0050 d56a 02dd e1ea c4df
    8010 1a34 7ae1 0000 0101 080a 0001 6fce
    0b53 32ce
01:04:31.196692 ATTACKER.1160 > OURSELVES.80: . ack 3770164031 win 17376 <nop,nop,timestamp 94160 190001870> (DF)
    4500 0034 0fbb 4000 3406 873e 96d9 8d92
    c2f3 c86b 0488 0050 d515 6cb0 e0b8 233f
    8010 43e0 8a89 0000 0101 080a 0001 6fd0
    0b53 32ce
01:04:31.199818 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
    4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
    c2f3 c86b 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc

Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 09:54:11 PST
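
Added example, not part of the original post: a Python sketch that decodes `tcpdump -x` output laid out like the capture above and counts zero-payload segments whose IP ID, sequence and acknowledgment numbers all repeat. The sample is constructed in the capture's layout with shortened header lines and zeroed address bytes; the function names are assumptions.

```python
import re
import struct
from collections import Counter

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")  # a packet starts at a timestamp line
# Constructed sample (tcpdump -x layout); header lines shortened, IP address bytes zeroed.
SAMPLE = """\
01:04:31.177220 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 (DF)
    4500 0034 5c8f 4000 3406 3a6a 0000 0000
    0000 0000 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc
01:04:31.179710 ATTACKER.1168 > OURSELVES.80: . ack 3789755083 win 17376 (DF)
    4500 0034 5c90 4000 3406 3a69 0000 0000
    0000 0000 0490 0050 d639 329b e1e3 12cb
    8010 43e0 d4d4 0000 0101 080a 0001 6eb9
    0b53 31cc
01:04:31.181333 ATTACKER.1168 > OURSELVES.80: . ack 3789755079 win 17376 (DF)
    4500 0034 5c8f 4000 3406 3a6a 0000 0000
    0000 0000 0490 0050 d639 329b e1e3 12c7
    8010 43e0 d4d9 0000 0101 080a 0001 6eb8
    0b53 31cc
"""

def decode(pkt):
    """Pull the fields that identify a segment out of raw IPv4+TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    payload = total_len - ihl - (off_flags >> 12) * 4  # bytes after the TCP header
    return {"ip_id": ip_id, "sport": sport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "win": win, "payload": payload}

def parse_dump(text):
    """Decode every packet in tcpdump -x text (timestamp line, then hex lines)."""
    packets, hexbuf = [], None
    for line in text.splitlines() + ["00:00:00.0 end"]:  # sentinel flushes last packet
        if HEADER.match(line):
            if hexbuf:
                packets.append(decode(bytes.fromhex(hexbuf)))
            hexbuf = ""
        elif hexbuf is not None:
            hexbuf += "".join(line.split())
    return packets

def repeated(packets):
    """Count zero-payload segments whose IP ID, seq and ack all repeat."""
    seen = Counter((p["ip_id"], p["seq"], p["ack"]) for p in packets if p["payload"] == 0)
    return {key: n for key, n in seen.items() if n > 1}
```

A key returned by `repeated()` means the IP ID and TCP fields were identical across arrivals, which points to the same datagram being seen again or a sender reusing header fields rather than a stack emitting new ACKs.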