Strange kind of D.o.S. attack...

From: Raistlin (raistlinat_private)
Date: Fri Feb 08 2002 - 02:37:31 PST

    In the past few days we have been packeted continuously. Now we have had the
    source blocked at backbone level, however the attack has drawn my
    curiosity...
    
    Here is a brief TCPdump sequence... the packets were all similar to these.
    Please note that I have sanitized the log by substituting ATTACKER for the
    source IP and OURSELVES for the destination...
    
    01:04:31.177220 ATTACKER.1168 > OURSELVES.80: . ack
    3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
                             4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12c7
                             8010 43e0 d4d9 0000 0101 080a 0001 6eb8
                             0b53 31cc
    01:04:31.179710 ATTACKER.1168 > OURSELVES.80: . ack
    3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
                             4500 0034 5c90 4000 3406 3a69 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12cb
                             8010 43e0 d4d4 0000 0101 080a 0001 6eb9
                             0b53 31cc
    01:04:31.181333 ATTACKER.1168 > OURSELVES.80: . ack
    3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
                             4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12c7
                             8010 43e0 d4d9 0000 0101 080a 0001 6eb8
                             0b53 31cc
    01:04:31.185397 ATTACKER.1168 > OURSELVES.80: . ack
    3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
                             4500 0034 5c90 4000 3406 3a69 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12cb
                             8010 43e0 d4d4 0000 0101 080a 0001 6eb9
                             0b53 31cc
    01:04:31.186669 ATTACKER.1162 > OURSELVES.80: . ack
    3790259423 win 6708 <nop,nop,timestamp 94158 190001870> (DF)
                             4500 0034 6917 4000 3406 2de2 96d9 8d92
                             c2f3 c86b 048a 0050 d56a 02dd e1ea c4df
                             8010 1a34 7ae1 0000 0101 080a 0001 6fce
                             0b53 32ce
    01:04:31.189714 ATTACKER.1168 > OURSELVES.80: . ack
    3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
                             4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12c7
                             8010 43e0 d4d9 0000 0101 080a 0001 6eb8
                             0b53 31cc
    01:04:31.191222 ATTACKER.1168 > OURSELVES.80: . ack
    3789755083 win 17376 <nop,nop,timestamp 93881 190001612> (DF)
                             4500 0034 5c90 4000 3406 3a69 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12cb
                             8010 43e0 d4d4 0000 0101 080a 0001 6eb9
                             0b53 31cc
    01:04:31.195460 ATTACKER.1162 > OURSELVES.80: . ack
    3790259423 win 6708 <nop,nop,timestamp 94158 190001870> (DF)
                             4500 0034 6917 4000 3406 2de2 96d9 8d92
                             c2f3 c86b 048a 0050 d56a 02dd e1ea c4df
                             8010 1a34 7ae1 0000 0101 080a 0001 6fce
                             0b53 32ce
    01:04:31.196692 ATTACKER.1160 > OURSELVES.80: . ack
    3770164031 win 17376 <nop,nop,timestamp 94160 190001870> (DF)
                             4500 0034 0fbb 4000 3406 873e 96d9 8d92
                             c2f3 c86b 0488 0050 d515 6cb0 e0b8 233f
                             8010 43e0 8a89 0000 0101 080a 0001 6fd0
                             0b53 32ce
    01:04:31.199818 ATTACKER.1168 > OURSELVES.80: . ack
    3789755079 win 17376 <nop,nop,timestamp 93880 190001612> (DF)
                             4500 0034 5c8f 4000 3406 3a6a 96d9 8d92
                             c2f3 c86b 0490 0050 d639 329b e1e3 12c7
                             8010 43e0 d4d9 0000 0101 080a 0001 6eb8
                             0b53 31cc
    
    Stefano "Raistlin" Zanero
    System Administrator Gioco.Net
    public PGP key block at http://gioco.net/pgpkeys
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
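
Added example, not part of the original post: a short Python decoder for the hex dumps above that checks each IP header checksum and counts how many of the ten captured packets are exact repeats (same IP ID, source port, sequence and ack numbers). The names decode, repeats and ip_checksum_ok are hypothetical helpers introduced here.

```python
import struct
from collections import Counter

# The four distinct hex dumps from the post (IP header onward); the other six
# packets in the capture repeat these, in the order listed in CAPTURE.
A = ("4500 0034 5c8f 4000 3406 3a6a 96d9 8d92 c2f3 c86b 0490 0050 d639 329b "
     "e1e3 12c7 8010 43e0 d4d9 0000 0101 080a 0001 6eb8 0b53 31cc")
B = ("4500 0034 5c90 4000 3406 3a69 96d9 8d92 c2f3 c86b 0490 0050 d639 329b "
     "e1e3 12cb 8010 43e0 d4d4 0000 0101 080a 0001 6eb9 0b53 31cc")
C = ("4500 0034 6917 4000 3406 2de2 96d9 8d92 c2f3 c86b 048a 0050 d56a 02dd "
     "e1ea c4df 8010 1a34 7ae1 0000 0101 080a 0001 6fce 0b53 32ce")
D = ("4500 0034 0fbb 4000 3406 873e 96d9 8d92 c2f3 c86b 0488 0050 d515 6cb0 "
     "e0b8 233f 8010 43e0 8a89 0000 0101 080a 0001 6fd0 0b53 32ce")
CAPTURE = [A, B, A, B, C, A, B, C, D, A]

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the whole IP header must fold to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(hexdump: str) -> dict:
    """Decode the IPv4 and TCP header fields needed to compare packets."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ip_id, frag, ttl, _proto = struct.unpack("!HHHBB", raw[2:10])
    sport, dport, seq, ack, off_flags, win = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4               # TCP header length in bytes
    return {
        "ip_id": ip_id, "ttl": ttl, "df": bool(frag & 0x4000),
        "ip_csum_ok": ip_checksum_ok(raw[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F, "win": win,
        "payload_len": total_len - ihl - data_off,
    }

def repeats(capture):
    """Count how often each (IP ID, source port, seq, ack) tuple appears."""
    return Counter((p["ip_id"], p["sport"], p["seq"], p["ack"])
                   for p in map(decode, capture))

if __name__ == "__main__":
    for key, n in repeats(CAPTURE).items():
        print("id=0x%04x sport=%d seq=%d ack=%d seen %d time(s)" % (*key, n))
```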
    


