I made another capture and received 4 packets from each host, and nothing was sent from the box to request such packets. I had been receiving these packets solid for 2 hours before this; this is a short cut-out of what it's like.

2003-07-24 20:05:24 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:27 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:33 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:45 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:06:51 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:06:54 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:07:00 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:07:12 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:16:24 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:27 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:33 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:45 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:17:51 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:17:53 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:17:59 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:18:12 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:27:24 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:27 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:33 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:45 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:56 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:27:59 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:28:05 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:28:17 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout

And so on...

There was a host that appears from a 217 range, but he only comes in every now and again. There's nothing requesting these packets, and it's just SYN packets that are being received. It's odd that nobody else is receiving them. I also compared the firewall logs to the IP filter logs and I still couldn't find anything that was talking at the same time as these packets.

Big mystery.

Thanks for the help

Stu

-----Original Message-----
From: Salvatore Poliandro [mailto:jelloat_private]
Sent: 24 July 2003 23:16
To: Stuart; incidentsat_private
Subject: Re: Port 0 packets

> Interesting, I wonder why I'm a magnet to them then :s

It *could* be that you are a host for them? Did you notice any weird ack/syn combos on ports you aren't running services on when you did your packet capture? How certain are you that your box is not asking for this traffic? Does the box MAC match a MAC that might be attackable to the port 0 DDoSes?

Sal
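As an added example for this thread (editor's code, not Stu's or Sal's), the log lines quoted above run through a small Python script that groups them into connection attempts and measures the spacing inside and between attempts. It assumes the unlabelled columns are date, time, source, destination, protocol, source port, destination port, action and interface (so the "0" is the destination port the thread is about), and that one (source, destination, source port) triple is one connection attempt, i.e. one SYN plus its retransmissions.

```python
"""Burst analysis of the firewall log lines quoted in the post above.

Added example for the thread, not Stu's or Sal's code. Assumed column order
(the post does not label them): date time src dst proto sport dport action iface.
One (src, dst, sport) triple is treated as a single connection attempt.
"""
from collections import defaultdict
from datetime import datetime

# The 24 entries copied from the post (real log lines from the page, not constructed).
LOG = """\
2003-07-24 20:05:24 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:27 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:33 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:05:45 81.218.37.193 212.57.230.10 Tcp 51414 0 BLOCKED Dialout
2003-07-24 20:06:51 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:06:54 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:07:00 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:07:12 81.5.171.4 212.57.230.10 Tcp 40679 0 BLOCKED Dialout
2003-07-24 20:16:24 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:27 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:33 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:16:45 81.218.37.193 212.57.230.10 Tcp 52723 0 BLOCKED Dialout
2003-07-24 20:17:51 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:17:53 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:17:59 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:18:12 81.5.171.4 212.57.230.10 Tcp 41580 0 BLOCKED Dialout
2003-07-24 20:27:24 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:27 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:33 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:45 81.218.37.193 212.57.230.10 Tcp 54026 0 BLOCKED Dialout
2003-07-24 20:27:56 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:27:59 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:28:05 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
2003-07-24 20:28:17 81.5.171.4 212.57.230.10 Tcp 42495 0 BLOCKED Dialout
"""


def parse(text):
    """Split each line into a dict; date and time become one datetime."""
    entries = []
    for line in text.strip().splitlines():
        date, clock, src, dst, proto, sport, dport, action, iface = line.split()
        entries.append({"ts": datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"),
                        "src": src, "dst": dst, "proto": proto,
                        "sport": int(sport), "dport": int(dport),
                        "action": action, "iface": iface})
    return entries


def bursts(entries):
    """One burst per (src, dst, sport): the packets of a single connection attempt."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"], e["sport"])].append(e["ts"])
    return {key: sorted(ts) for key, ts in groups.items()}


def gaps(timestamps):
    """Whole seconds between consecutive timestamps."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


def looks_like_syn_backoff(timestamps, tolerance=2):
    """True when every gap is about twice the previous one (3, 6, 12 s ...).

    Doubling gaps are what a real TCP stack produces when it retransmits an
    unanswered SYN; the tolerance absorbs the one-second log resolution.
    """
    g = gaps(timestamps)
    return len(g) >= 2 and all(abs(b - 2 * a) <= tolerance for a, b in zip(g, g[1:]))


def recurrence(entries, src):
    """Seconds between the first packet of successive bursts from one source."""
    starts = sorted(ts[0] for (s, _, _), ts in bursts(entries).items() if s == src)
    return gaps(starts)


def analyse(text):
    """Per-burst summary, destination ports seen, and inter-burst spacing per source."""
    entries = parse(text)
    summary = {key: {"packets": len(ts), "gaps": gaps(ts),
                     "backoff": looks_like_syn_backoff(ts)}
               for key, ts in bursts(entries).items()}
    sources = sorted({e["src"] for e in entries})
    return {"bursts": summary,
            "dports": sorted({e["dport"] for e in entries}),
            "recurrence": {s: recurrence(entries, s) for s in sources}}


if __name__ == "__main__":
    result = analyse(LOG)
    for (src, dst, sport), info in result["bursts"].items():
        print(f"{src}:{sport} -> {dst}  {info['packets']} pkts  gaps={info['gaps']}  "
              f"backoff={'yes' if info['backoff'] else 'no'}")
    print("destination ports seen:", result["dports"])
    print("seconds between bursts per source:", result["recurrence"])
```

Run as-is, it shows every group as four packets to destination port 0 with gaps of about 3, 6 and 12 seconds, and the groups from each source starting roughly 11 minutes apart with a fresh source port each time. The backoff check is a heuristic: doubling gaps are consistent with a TCP stack retrying an unanswered SYN, which is one more data point for Sal's question about whether the remote host really is initiating, but it says nothing about why that host is doing so.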
This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 10:24:44 PDT