Our IDS spotted another TCP port 0 packet at 19:59pm UTC today (Thursday). Headers follow:

[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555

Kind Regards,
-dsp

On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton wrote:

> On Wed, 2003-07-23 at 12:28, Stuart wrote:
>> Hi,
>>
>> After currently reviewing firewall logs from ISA server I have come
>> across a period where the box was hit with an approx. average of 3-4
>> packets per 5 minute period for 8 hours.
>
> Over the last few days snort has been complaining about packets on TCP 0
> to an address in our network. I finally got to investigate it
> yesterday.
>
> The packets were coming from two IP addresses in China and were tcp
> with RST+ACK flags set. I then used our argus <www.qosient.com> logs to
> examine all the traffic between the addresses. It turned out that
> there was a flood of incoming packets with random source and
> destination ports. So snort was triggering on a tiny proportion of the
> total packets.
>
> I concluded that this was fallout from a DOS attack on the two Chinese
> machines in which our address had been spoofed.
>
> Given the frequency of your packets and the likelihood that you would
> have noticed if there was other traffic from the source this probably
> is not the same scenario. One thing that would help us work out possible
> causes is some more details about the packets -- TCP or UDP, flags etc.
>
> --
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
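As an added example (not from either poster), a small Python triage of Snort full-alert text in the layout quoted above: it pulls the ports, flags and TCP options out of each alert and records the details Russell's reply asks for, distinguishing a SYN carrying a T/TCP CC option from an unsolicited RST+ACK of the kind that suggests DoS backscatter. The alert text and the addresses 192.0.2.10 and 198.51.100.7 are constructed placeholders.

```python
import re

# Constructed Snort full-alert text in the layout quoted in the message
# above; the destination address and the second record are placeholders.
SAMPLE_ALERTS = """\
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> 192.0.2.10:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555

[**] (constructed): TCP port 0 traffic [**]
07/23-03:10:02.000001 198.51.100.7:0 -> 192.0.2.10:0
TCP TTL:44 TOS:0x0 ID:7 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x0 TcpLen: 20
"""

HEADER = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^([\w*]{8}) Seq:")   # Snort's 8-char "12UAPRSF" field

def parse_alerts(text):
    """Split Snort full-alert output into dicts: src, sport, dst, dport, flags, options."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m[2], "sport": int(m[3]), "dst": m[4],
                   "dport": int(m[5]), "flags": "", "options": []}
            alerts.append(cur)
        elif cur is not None and (m := FLAGS.match(line)):
            cur["flags"] = m[1].replace("*", "")
        elif cur is not None and line.startswith("TCP Options"):
            # Snort prints long option lists across several "TCP Options" lines.
            cur["options"] += line.split("=>", 1)[1].split()
    return alerts

def triage(alert):
    """Return the observations an analyst would note for one port-0 alert."""
    notes = []
    if alert["sport"] == 0 and alert["dport"] == 0:
        notes.append("port 0 both ends")
    if any(o.startswith("CC") for o in alert["options"]):
        notes.append("T/TCP CC option (RFC 1644) present")
    f = set(alert["flags"])
    if {"R", "A"} <= f and "S" not in f:
        notes.append("RST+ACK to a session we never opened: backscatter candidate")
    if f == {"S"}:
        notes.append("bare SYN: probe rather than backscatter")
    return notes
```

Run `triage` over each record from `parse_alerts`; a source that sends only RST+ACKs to random ports fits the spoofed-address fallout Russell describes, while a SYN with a CC option is a T/TCP connection attempt.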
This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 10:42:46 PDT