Re: Ideas? Port 21 SYNs, slow

From: Jason Giglio (jgiglioat_private)
Date: Thu Jul 11 2002 - 15:15:17 PDT

    You are probably seeing backscatter from a DDoS attack.  Someone is probably spoofing your address as the source of the attack, among a lot of others.  That also explains why the server went down eventually.  Also the controversial political nature of the site would make it a target of attack.
    
    Just my guess.
    
    On 11 Jul 2002 02:41:08 -0000
    Bubsy <pizzapoweredat_private> wrote:
    
    > 
    > 
    >      I would like to pick your collective brains 
    > regarding what I believe is an attack of some form, 
    > even if it is very slow. I noticed a day and a half 
    > worth of continuous port 21 SYNs. Because there were 
    > never any completed connections, this would not show up 
    > in the FTP logs, but I watch all traffic, maybe I need 
    > a life :) . I noticed an unusual amount of FTP port 
    > SYNs that I was acknowledging, which were being 
    > ignored. One or more SYNs would come in at about the 
    > same time, to which I would respond with three 
    > acknowledgements per SYN and then quit. Many of these 
    > incoming SYNs had the same checksum. Strange, maybe 
    > forgery?
    > 
    > 65.222.227.193 was the IP of the first FTP SYN 
    > attempts, I portscanned that IP and found a webserver 
    > (reverse DNS to deadarab.com) which was selling 
    > anti-Osama goodies and other things. I also found 
    > PcAnywhere, LDAP and many other things, and the FTP 
    > SYNs continued. I later rescanned the same IP and found 
    > that the services were taken down. No conceivable valid 
    > WHOIS contact info, no surprise. More strangeness.
    > 
    > I said to myself "Hey me, is this a DDoS or is this 
    > meant for me?" I assumed this was intended for me 
    > because of the disappearing services on the initial 
    > offending IP. I blocked 65.222.227.* and watched. Then 
    > came SYNs from 65.222.225.3. I allowed a few to be 
    > acknowledged and dumped them to compare to the first 
    > ones.
    > 
    > 
    > From 65.222.227.193
    > 
    > 
    > 0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    > 0x0010   00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8   .(...=A
    > 0x0020   01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02   .';.........P.
    > 0x0030   FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88   ..
    > 
    > new one from 65.222.225.3
    > 
    > 0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    > 0x0010   00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8   .(k....A.
    > 0x0020   01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02   .H..........P.
    > 0x0030   FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88   ~..
    > 
    > 
    > 
    > Hmm. Oh yes I am 127.0.0.1 :) of course. Now with 
    > 65.222.225.* blocked, I decided to WHOIS them, and I 
    > got the idea that some admin or network guy had too 
    > much time on his (or her, I'm not sexist) hands.
    > 
    > ipw: Query: !NETBLK-UU-65-222-224
    > DIOS / Maryland Online Network (NETBLK-UU-65-222-224)
    >    3234 Eastern Avenue
    >    Baltimore, MD 21224
    >    US
    > 
    >    Netname: UU-65-222-224
    >    Netblock: 65.222.224.0 - 65.222.239.255
    >    Maintainer: DIOS
    > 
    >    Coordinator:
    >       Kluver, Robert  (RK933-ARIN)  adminat_private
    >       410-558-0320
    > 
    > 
    > In the next hour, similar stuff came from these IPs.
    > 
    > 65.222.225.3
    > 65.222.224.2
    > 65.207.91.38
    > 65.222.227.1
    > 65.222.227.58
    > 65.222.227.193
    > 65.222.227.255   (yeah, nice IP there) and
    > 212.169.100.130
    > 
    > The two odd ones come to:
    > 
    > ipw: Query: net 65.207.91.38
    > UUNET Technologies, Inc. (NETBLK-UUNET65)
    >    3060 Williams Drive, Suite 601
    >    Fairfax, VA 22031
    >    US
    > 
    >    Netname: UUNET65
    >    Netblock: 65.192.0.0 - 65.223.255.255
    >    Maintainer: UU
    > 
    > and
    > 
    > ipw: Query: 212.169.100.130
    > inetnum:      212.169.100.0 - 212.169.100.255
    > netname:      NO-NETCOM-CUST-NEXTFRAME
    > descr:        Customer Net for Nextframe AS
    > country:      NO
    > admin-c:      MH20735-RIPE
    > tech-c:       NGH3-RIPE
    > status:       ASSIGNED PA
    > 
    > 
    > which rev. DNSs to cursed.darkisp.net, which has a 
    > website which looks to me like a typical shell etc. 
    > machine, which makes sense if the guy (or gal) has a 
    > shell and wanted to see if I blocked his nets. The last 
    > set of whatever this was came as a group attempt, which 
    > I logged in an attempt to spot a pattern. I'm including 
    > an excerpt from my log to see if anyone has any ideas 
    > on what this might be. If anyone has any ideas, I would 
    > be curious to hear them. Whatever this is appears to be 
    > designed to defeat traditional logs by not actually 
    > completing a connection, and by being slow enough as to 
    > not establish a tangible pattern. I also assume that 
    > the packets were not redirected, because shortly after 
    > I would block one IP, a new IP would start in, makes 
    > sense if the recipient saw the acks stop. I included 
    > the tail end of the log, all "attacks" ended at the 
    > endtime of my log. Thanks for your ideas people!
    > 
    > #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
    > 
    > 
    > 2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - -
    > 2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - -
    > 2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - -
    > 2002-07-09 14:39:49 DROP TCP 127.0.0.1 65.222.225.3 21 65232 40 A 4186694867 1689255937 16616 - - -
    > 2002-07-09 14:42:23 DROP TCP 127.0.0.1 65.222.225.3 21 5443 40 A 4225090877 2587623425 16616 - - -
    > 2002-07-09 14:44:56 DROP TCP 127.0.0.1 65.222.225.3 21 20112 40 A 4263412809 56098817 16616 - - -
    > 2002-07-09 14:47:29 DROP TCP 127.0.0.1 65.222.225.3 21 57345 40 A 6764770 2667642881 16616 - - -
    > 2002-07-09 15:07:56 DROP TCP 127.0.0.1 65.222.225.3 21 59280 40 A 313933308 2912026625 16616 - - -
    > 2002-07-09 15:10:30 DROP TCP 127.0.0.1 65.222.225.3 21 11686 40 A 352234325 1913913345 16616 - - -
    > 2002-07-09 15:14:16 DROP TCP 127.0.0.1 65.222.225.3 21 3327 40 A 408857607 3624730625 16616 - - -
    > 2002-07-09 15:14:45 DROP TCP 127.0.0.1 65.207.91.38 21 65376 40 A 416115621 619642881 16616 - - -
    > 2002-07-09 15:18:06 DROP TCP 127.0.0.1 65.222.225.3 21 26290 40 A 466441213 2279211009 16616 - - -
    > 2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - -
    > 2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - -
    > 2002-07-09 15:25:28 DROP TCP 127.0.0.1 65.222.227.193 21 34760 40 A 576941514 3932422145 16616 - - -
    > 2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - -
    > 2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - -
    > 2002-07-09 15:29:18 DROP TCP 127.0.0.1 65.222.227.193 21 50111 40 A 634455459 2386165761 16616 - - -
    > 2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - -
    > 2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - -
    > 2002-07-09 15:33:07 DROP TCP 127.0.0.1 65.222.227.193 21 25896 40 A 691866866 3945267201 16616 - - -
    > 2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - -
    > 2002-07-09 15:35:59 DROP TCP 127.0.0.1 65.222.227.58 21 11133 40 A 734953939 2234843137 16616 - - -
    > 2002-07-09 15:36:57 DROP TCP 127.0.0.1 65.222.227.193 21 59740 40 A 749290458 75169793 16616 - - -
    > 2002-07-09 15:39:08 DROP TCP 127.0.0.1 65.222.227.1 21 48063 40 A 782099076 732954625 16616 - - -
    > 2002-07-09 15:39:49 DROP TCP 127.0.0.1 65.222.227.58 21 36191 40 A 792386019 2452226049 16616 - - -
    > 2002-07-09 15:40:46 DROP TCP 127.0.0.1 65.222.227.193 21 55307 40 A 806776048 3227779073 16616 - - -
    > 2002-07-09 15:42:59 DROP TCP 127.0.0.1 65.222.227.1 21 40638 40 A 839891034 3176071169 16616 - - -
    > 2002-07-09 15:43:39 DROP TCP 127.0.0.1 65.222.227.58 21 1761 40 A 850012211 2602893313 16616 - - -
    > 2002-07-09 15:44:36 DROP TCP 127.0.0.1 65.222.227.193 21 19276 40 A 864273794 731185153 16616 - - -
    > 2002-07-09 15:47:24 DROP TCP 127.0.0.1 65.222.227.1 21 65154 40 A 906143613 659161089 16616 - - -
    > 2002-07-09 15:48:16 DROP TCP 127.0.0.1 65.222.227.58 21 5601 40 A 919156152 3022585857 16616 - - -
    > 2002-07-09 15:49:32 DROP TCP 127.0.0.1 65.222.227.193 21 37316 40 A 938220005 893845505 16616 - - -
    > 2002-07-09 15:50:38 DROP TCP 127.0.0.1 65.222.227.255 21 59731 40 A 954865216 3894345729 16616 - - -
    > 2002-07-09 15:52:31 DROP TCP 127.0.0.1 65.222.227.1 21 59503 40 A 983194631 2775973889 16616 - - -
    > 2002-07-09 15:53:20 DROP TCP 127.0.0.1 65.222.227.58 21 19743 40 A 995403697 896466945 16616 - - -
    > 2002-07-09 15:54:38 DROP TCP 127.0.0.1 65.222.227.193 21 16729 40 A 1014842293 3790274561 16616 - - -
    > 2002-07-09 15:55:44 DROP TCP 127.0.0.1 65.222.227.255 21 28979 40 A 1031448608 830930945 16616 - - -
    > 2002-07-09 15:57:38 DROP TCP 127.0.0.1 65.222.227.1 21 7554 40 A 1059961455 3073376257 16616 - - -
    > 2002-07-09 15:58:28 DROP TCP 127.0.0.1 65.222.227.58 21 10239 40 A 1072298522 1625358337 16616 - - -
    > 2002-07-09 15:59:44 DROP TCP 127.0.0.1 65.222.227.193 21 40606 40 A 1091370715 1573912577 16616 - - -
    > 2002-07-09 16:00:49 DROP TCP 127.0.0.1 65.222.227.255 21 24397 40 A 1107641688 2339176449 16616 - - -
    > 2002-07-09 16:02:46 DROP TCP 127.0.0.1 65.222.227.1 21 4631 40 A 1137074499 1547239425 16616 - - -
    > 2002-07-09 16:03:35 DROP TCP 127.0.0.1 65.222.227.58 21 24265 40 A 1149237606 2326331393 16616 - - -
    > 2002-07-09 16:04:50 DROP TCP 127.0.0.1 65.222.227.193 21 46334 40 A 1167975572 1481703425 16616 - - -
    > 2002-07-09 16:05:54 DROP TCP 127.0.0.1 65.222.227.255 21 43932 40 A 1184125492 2120286209 16616 - - -
    > 2002-07-09 16:07:54 DROP TCP 127.0.0.1 65.222.227.1 21 18067 40 A 1213983467 2356871169 16616 - - -
    > 2002-07-09 16:08:43 DROP TCP 127.0.0.1 65.222.227.58 21 25766 40 A 1226378215 3776249857 16616 - - -
    > 2002-07-09 16:09:54 DROP TCP 127.0.0.1 65.222.227.193 21 34759 40 A 1244087238 1134624769 16616 - - -
    > 2002-07-09 16:11:00 DROP TCP 127.0.0.1 65.222.227.255 21 32819 40 A 1260652350 1536950273 16616 - - -
    > 2002-07-09 16:12:59 DROP TCP 127.0.0.1 65.222.227.1 21 30896 40 A 1290440103 57933825 16616 - - -
    > 2002-07-09 16:13:50 DROP TCP 127.0.0.1 65.222.227.58 21 27243 40 A 1303242109 1163526145 16616 - - -
    > 2002-07-09 16:15:01 DROP TCP 127.0.0.1 65.222.227.193 21 4791 40 A 1321009627 51183617 16616 - - -
    > 2002-07-09 16:16:07 DROP TCP 127.0.0.1 65.222.227.255 21 16114 40 A 1337329759 1207566337 16616 - - -
    > 2002-07-09 16:18:05 DROP TCP 127.0.0.1 65.222.227.1 21 60937 40 A 1367027709 2753101825 16616 - - -
    > 2002-07-09 16:18:57 DROP TCP 127.0.0.1 65.222.227.58 21 7945 40 A 1379977654 1515520001 16616 - - -
    > 2002-07-09 16:20:08 DROP TCP 127.0.0.1 65.222.227.193 21 58487 40 A 1397713040 1683357697 16616 - - -
    > 2002-07-09 16:21:13 DROP TCP 127.0.0.1 65.222.227.255 21 7852 40 A 1414079077 1374027777 16616 - - -
    > 2002-07-09 16:23:13 DROP TCP 127.0.0.1 65.222.227.1 21 31829 40 A 1444010446 1832910849 16616 - - -
    > 2002-07-09 16:24:03 DROP TCP 127.0.0.1 65.222.227.58 21 42134 40 A 1456597809 2370043905 16616 - - -
    > 2002-07-09 16:25:15 DROP TCP 127.0.0.1 65.222.227.193 21 48191 40 A 1474677036 1793261569 16616 - - -
    > 2002-07-09 16:26:19 DROP TCP 127.0.0.1 65.222.227.255 21 18985 40 A 1490531613 4274192385 16616 - - -
    > 2002-07-09 16:28:20 DROP TCP 127.0.0.1 65.222.227.1 21 58435 40 A 1520806308 628293633 16616 - - -
    > 2002-07-09 16:29:09 DROP TCP 127.0.0.1 65.222.227.58 21 33063 40 A 1533094769 587792385 16616 - - -
    > 2002-07-09 16:30:22 DROP TCP 127.0.0.1 65.222.227.193 21 34872 40 A 1551511862 3294625793 16616 - - -
    > 2002-07-09 16:31:24 DROP TCP 127.0.0.1 65.222.227.255 21 55246 40 A 1566882639 2254635009 16616 - - -
    > 2002-07-09 16:33:26 DROP TCP 127.0.0.1 65.222.227.1 21 282 40 A 1597492247 2361720833 16616 - - -
    > 2002-07-09 16:34:15 DROP TCP 127.0.0.1 65.222.227.58 21 8368 40 A 1609821078 2197422081 16616 - - -
    > 2002-07-09 16:35:30 DROP TCP 127.0.0.1 65.222.227.193 21 22093 40 A 1628558895 2873360385 16616 - - -
    > 2002-07-09 16:36:29 DROP TCP 127.0.0.1 65.222.227.255 21 21506 40 A 1643280221 723320833 16616 - - -
    > 2002-07-09 16:38:32 DROP TCP 127.0.0.1 65.222.227.1 21 49495 40 A 1673999831 1337917441 16616 - - -
    > 2002-07-09 16:39:23 DROP TCP 127.0.0.1 65.222.227.58 21 2630 40 A 1686805847 2673868801 16616 - - -
    > 2002-07-09 16:40:38 DROP TCP 127.0.0.1 65.222.227.193 21 47099 40 A 1705561276 1971650561 16616 - - -
    > 2002-07-09 16:41:34 DROP TCP 127.0.0.1 65.222.227.255 21 12541 40 A 1719788892 3247374337 16616 - - -
    > 2002-07-09 16:43:39 DROP TCP 127.0.0.1 65.222.227.1 21 20892 40 A 1750849323 4029939713 16616 - - -
    > 2002-07-09 16:44:28 DROP TCP 127.0.0.1 65.222.227.58 21 56619 40 A 1763300043 62849025 16616 - - -
    > 2002-07-09 16:45:45 DROP TCP 127.0.0.1 65.222.227.193 21 53663 40 A 1782386724 3809280001 16616 - - -
    > 2002-07-09 16:46:40 DROP TCP 127.0.0.1 65.222.227.255 21 44093 40 A 1796280647 1961426945 16616 - - -
    > 2002-07-09 16:48:45 DROP TCP 127.0.0.1 65.222.227.1 21 43060 40 A 1827539914 3206152193 16616 - - -
    > 2002-07-09 16:49:35 DROP TCP 127.0.0.1 65.222.227.58 21 40576 40 A 1840015350 2806906881 16616 - - -
    > 2002-07-09 16:50:52 DROP TCP 127.0.0.1 65.222.227.193 21 38179 40 A 1859204304 2213150721 16616 - - -
    > 2002-07-09 16:51:46 DROP TCP 127.0.0.1 65.222.227.255 21 14921 40 A 1872870200 1129709569 16616 - - -
    > 2002-07-09 16:53:51 DROP TCP 127.0.0.1 65.222.227.1 21 31818 40 A 1904111567 1253048321 16616 - - -
    > 2002-07-09 16:54:42 DROP TCP 127.0.0.1 65.222.227.58 21 50804 40 A 1916875803 2446655489 16616 - - -
    > 2002-07-09 16:55:59 DROP TCP 127.0.0.1 65.222.227.193 21 331 40 A 1936045330 1610153985 16616 - - -
    > 2002-07-09 16:56:53 DROP TCP 127.0.0.1 65.222.227.255 21 22664 40 A 1949656360 1375797249 16616 - - -
    > 2002-07-09 16:58:58 DROP TCP 127.0.0.1 65.222.227.1 21 53434 40 A 1980967895 720175105 16616 - - -
    > 2002-07-09 16:59:48 DROP TCP 127.0.0.1 65.222.227.58 21 16960 40 A 1993475934 622592001 16616 - - -
    > 2002-07-09 17:01:06 DROP TCP 127.0.0.1 65.222.227.193 21 30064 40 A 2012899853 3771072513 16616 - - -
    > 2002-07-09 17:01:58 DROP TCP 127.0.0.1 65.222.227.255 21 14187 40 A 2025993664 1508900865 16616 - - -
    > 2002-07-09 17:04:05 DROP TCP 127.0.0.1 65.222.227.1 21 43269 40 A 2057678046 2351104001 16616 - - -
    > 2002-07-09 17:04:55 DROP TCP 127.0.0.1 65.222.227.58 21 62018 40 A 2070227715 157810689 16616 - - -
    > 2002-07-09 17:06:12 DROP TCP 127.0.0.1 65.222.227.193 21 60323 40 A 2089456089 2509635585 16616 - - -
    > 2002-07-09 17:07:04 DROP TCP 127.0.0.1 65.222.227.255 21 38491 40 A 2102571253 3855876097 16616 - - -
    > 2002-07-09 17:09:11 DROP TCP 127.0.0.1 65.222.227.1 21 6494 40 A 2134375022 3345350657 16616 - - -
    > 2002-07-09 17:10:02 DROP TCP 127.0.0.1 65.222.227.58 21 25453 40 A 2147059546 226361345 16616 - - -
    > 2002-07-09 17:11:18 DROP TCP 127.0.0.1 65.222.227.193 21 1746 40 A 2166074335 1824260097 16616 - - -
    > 2002-07-09 17:12:11 DROP TCP 127.0.0.1 65.222.227.255 21 11900 40 A 2179429687 2000224257 16616 - - -
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
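The two hex dumps in the quoted post can be decoded mechanically instead of read byte by byte. The Python below is an added example, not code from either poster: it rebuilds the frame from the dump text, decodes the Ethernet, IPv4 and TCP headers, verifies both Internet checksums, and separates TCP payload from bytes that lie past the IP total length. The embedded dump text is the post's two captures with each dump line rejoined; the function names and the triage heuristics are mine.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed input: the two captures from the quoted post, each dump line
# rejoined into "offset   hex bytes   ascii" form. Nothing else is assumed.
DUMP_227_193 = """
0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
0x0010   00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8   .(...=A
0x0020   01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02   .';.........P.
0x0030   FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88   ..
"""
DUMP_225_3 = """
0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
0x0010   00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8   .(k....A.
0x0020   01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02   .H..........P.
0x0030   FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88   ~..
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw frame bytes from an 'offset   hex   ascii' dump."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(cols) < 2 or not cols[0].lower().startswith("0x"):
            continue
        # Drop the '-' group separator and spacing; keep only hex digits.
        raw += bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", cols[1]))
    return bytes(raw)


def inet_checksum_ok(data: bytes) -> bool:
    """True when the one's-complement sum over data (stored checksum
    included) folds to 0xFFFF, i.e. the checksum in the header is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers from one captured frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    return {
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "ip_id": struct.unpack("!H", ip[4:6])[0],
        "ttl": ip[8],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
        "window": struct.unpack("!H", tcp[14:16])[0],
        "options_len": data_off - 20,
        "payload_len": len(tcp) - data_off,
        # Bytes past the IP total length belong to the frame, not the datagram.
        "frame_trailer": ip[total_len:],
        "ip_checksum_ok": inet_checksum_ok(ip[:ihl]),
        "tcp_checksum_ok": inet_checksum_ok(pseudo + tcp),
    }


def triage(info: dict) -> list:
    """Neutral observations worth recording before deciding what this is."""
    notes = []
    if info["flags"] == ["SYN"] and info["options_len"] == 0:
        notes.append("bare 20-byte SYN, no MSS or other options")
    if info["seq"] & 0xFFFF == 0:
        notes.append("ISN 0x%08X has a zero low half" % info["seq"])
    if info["frame_trailer"] and len(set(info["frame_trailer"])) == 1:
        notes.append("%d trailer bytes, all 0x%02X, outside the IP datagram"
                     % (len(info["frame_trailer"]), info["frame_trailer"][0]))
    if not (info["ip_checksum_ok"] and info["tcp_checksum_ok"]):
        notes.append("checksum mismatch: damaged capture or badly crafted packet")
    return notes


if __name__ == "__main__":
    for dump in (DUMP_227_193, DUMP_225_3):
        info = decode_frame(dump_to_bytes(dump))
        print("%s:%d -> %s:%d %s ttl=%d win=%d checksums ok=%s" % (
            info["src"], info["sport"], info["dst"], info["dport"],
            "/".join(info["flags"]), info["ttl"], info["window"],
            info["ip_checksum_ok"] and info["tcp_checksum_ok"]))
        for note in triage(info):
            print("   -", note)
```

Both captures decode to a SYN from a high port to port 21, TTL 243, window 65535, no TCP options, an ISN whose low 16 bits are zero, and valid IP and TCP checksums, so the dumps were copied intact. The destination decodes to 192.168.1.222, the address the poster replaced with 127.0.0.1 in the log excerpt. The ten 0x88 bytes sit beyond the IP total length of 40, so they are frame trailer rather than segment data.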
    

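The pattern the poster was trying to spot by eye falls out of the log once it is parsed by its `#Fields:` header and grouped by remote host. This Python is an added example, not something either poster wrote; it embeds a twelve-record excerpt of the posted log (each record rejoined onto one line, a constructed sample) and reports, per remote host, how many dropped port-21 replies were logged, how evenly they were spaced, and the order in which hosts first appeared. The function names and the 5% jitter threshold for calling a cadence "regular" are mine.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed input: an excerpt of the firewall log from the quoted post,
# each record rejoined onto one line. The header line names the columns.
SAMPLE_LOG = """
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - -
2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - -
2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - -
2002-07-09 14:39:49 DROP TCP 127.0.0.1 65.222.225.3 21 65232 40 A 4186694867 1689255937 16616 - - -
2002-07-09 14:42:23 DROP TCP 127.0.0.1 65.222.225.3 21 5443 40 A 4225090877 2587623425 16616 - - -
2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - -
2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - -
2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - -
2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - -
2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - -
2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - -
2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - -
"""


def parse_log(text: str) -> list:
    """Parse a '#Fields:'-headed, space-separated firewall log into dicts."""
    fields, records = None, []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def cadence_by_peer(records: list, local_port: str = "21") -> dict:
    """Group the dropped port-21 replies by remote host and measure the gaps
    between successive records; a near-constant gap is what a script produces."""
    stamps = defaultdict(list)
    for r in records:
        if r["protocol"] == "TCP" and r["src-port"] == local_port:
            stamps[r["dst-ip"]].append(r["ts"])
    summary = {}
    for peer, ts in stamps.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        summary[peer] = {
            "count": len(ts),
            "first": ts[0].isoformat(sep=" "),
            "last": ts[-1].isoformat(sep=" "),
            "gaps": gaps,
            # Two or more gaps whose spread is within 5% of their mean.
            "regular": len(gaps) >= 2 and pstdev(gaps) <= 0.05 * mean(gaps),
        }
    return summary


def first_seen_order(records: list) -> list:
    """Remote hosts in order of first appearance, to see the hand-offs."""
    seen, order = set(), []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["dst-ip"] not in seen:
            seen.add(r["dst-ip"])
            order.append(r["dst-ip"])
    return order


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for peer, s in cadence_by_peer(recs).items():
        print("%-15s n=%d %s .. %s gaps=%s regular=%s" % (
            peer, s["count"], s["first"][11:], s["last"][11:],
            s["gaps"], s["regular"]))
    print("first seen:", " -> ".join(first_seen_order(recs)))
```

On the excerpt, 65.222.225.3 recurs every 153 to 154 seconds and the 65.222.227.x hosts every 230 seconds, each offset from the others by a fixed amount; the single 65.222.224.2 record yields no cadence. The grouping key is `dst-ip` because these records are the local host's own port-21 packets toward the remote side, with the local address rewritten to 127.0.0.1 in the post.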


    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 16:40:58 PDT