Interesting, I wonder why I'm a magnet to them then :s

Thanks for the info

Stu

-----Original Message-----
From: Dave Paris [mailto:dparisat_private]
Sent: 23 July 2003 18:28
To: Stuart
Cc: incidentsat_private
Subject: Re: Port 0 packets

Our IDS logged a TCP port 0 packet at 10:00 UTC this morning. It was stopped at the network border and no further port 0 traffic has been seen since. The source address was 216.109.116.224, which I suspect may be spoofed as it reverses to web60001.mail.yahoo.com.

Kind Regards,
-dsp

On Tuesday, Jul 22, 2003, at 20:28 US/Eastern, Stuart wrote:

> Hi,
>
> After currently reviewing firewall logs from ISA server I have come
> across a period where the box was hit with an approx. average of 3 - 4
> packets per 5 minute period for 8 hours. After looking up information
> from dshield.org
> http://isc.incidents.org/port_details.html?port=0
>
> I have found that these packets can cause DoS on certain devices and
> OS'. The effect of the packets had no effect on the box itself but the
> packets were originating from 2 different hosts so I would assume this
> will fall in the category of DDoS?
> I first noticed these packets in the logs on the 21st from 11:20 GMT to
> 22nd 7:20 GMT and they have just started again (22nd 17:40 GMT) and are
> continuing.
>
> Has anyone else received such packets? Or know if there is a Trojan/worm
> that these packets are sent from?
>
> Thanks for your help
>
> Stu
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 11:21:59 PDT