Re: Port 0 packets

From: Russell Fulton (r.fultonat_private)
Date: Wed Jul 23 2003 - 13:38:47 PDT


    On Wed, 2003-07-23 at 12:28, Stuart wrote:
    > Hi,
    >  
    > After currently reviewing firewall logs from ISA server I have come
    > across a period where the box was hit with an approx. average of 3 - 4
    > packets per 5 minute period for 8 hours.
    
    Over the last few days snort has been complaining about packets on TCP 0
    to an address in our network. I finally got to investigate it yesterday.
    
    The packets were coming from two IP addresses in China and were TCP with
    RST+ACK flags set. I then used our argus <www.qosient.com> logs to
    examine all the traffic between the addresses.  It turned out that
    there was a flood of incoming packets with random source and destination
    ports.  So snort was triggering on a tiny proportion of the total
    packets.
    
    I concluded that this was fallout from a DoS attack on the two Chinese
    machines in which our address had been spoofed.
    
    Given the frequency of your packets and the likelihood that you would
    have noticed if there was other traffic from the source, this probably is
    not the same scenario.  One thing that would help us work out possible
    causes is some more details about the packets -- TCP or UDP, flags etc.
    
    -- 
    Russell Fulton, Network Security Officer, The University of Auckland,
    New Zealand.
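The triage Russell describes, as an added example that is not part of the original post and not argus or snort code: it aggregates constructed inbound packet records per remote source and flags a source as probable backscatter when nearly all of its packets are RST+ACK or SYN+ACK replies spread across many random source and destination ports, while showing how small the port-0 slice a snort rule would see really is. The Flow/SrcStats types, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import random

@dataclass
class Flow:
    src: str      # remote address; records are assumed to be inbound already
    sport: int
    dport: int
    flags: str    # "RA" = RST+ACK, "SA" = SYN+ACK, "S" = SYN

@dataclass
class SrcStats:
    pkts: int = 0
    replies: int = 0          # RST+ACK or SYN+ACK: answers to SYNs we never sent
    port0: int = 0            # what a port-0 snort rule would have alerted on
    sports: set = field(default_factory=set)
    dports: set = field(default_factory=set)

def summarize(flows):
    """Aggregate inbound packets per remote source address."""
    per_src = defaultdict(SrcStats)
    for f in flows:
        s = per_src[f.src]
        s.pkts += 1
        s.replies += f.flags in ("RA", "SA")
        s.port0 += f.sport == 0 or f.dport == 0
        s.sports.add(f.sport)
        s.dports.add(f.dport)
    return per_src

def is_backscatter(s, min_pkts=50, min_ports=20, reply_ratio=0.9):
    """Replies only, spread over many source AND destination ports. A real server
    answering our own connections uses one fixed source port, so it stays out."""
    if s.pkts < min_pkts or s.replies / s.pkts < reply_ratio:
        return False
    return len(s.sports) >= min_ports and len(s.dports) >= min_ports

def classify(flows):
    return {src: is_backscatter(st) for src, st in summarize(flows).items()}

def sample_flows(seed=1):
    """Constructed: a spoof victim flooding us with random-port RST+ACKs (plus a
    few port-0 hits), a client connecting to our web server, a server answering us."""
    rr = random.Random(seed).randrange
    flows = [Flow("203.0.113.7", rr(65536), rr(65536), "RA") for _ in range(500)]
    flows += [Flow("203.0.113.7", 0, rr(65536), "RA") for _ in range(3)]
    flows += [Flow("192.0.2.9", 40000 + i, 80, "S") for i in range(30)]
    flows += [Flow("203.0.113.80", 443, 50000 + i, "SA") for i in range(100)]
    return flows
```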
    
    
    This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 11:31:54 PDT