Re: Port 0 packets

From: Dave Paris (dparisat_private)
Date: Thu Jul 24 2003 - 13:04:49 PDT


    Our IDS spotted another TCP port 0 packet at 19:59pm UTC today  
    (Thursday).  Headers follow:
    
    [**] (snort_decoder): T/TCP Detected [**]
    07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
    TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
    ******S* Seq: 0x73C13DA0  Ack: 0x0  Win: 0xFFFF  TcpLen: 48
    TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
    TCP Options => NOP NOP CCNEW: 248555
    
    Kind Regards,
    -dsp
    
    On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton wrote:
    
    > On Wed, 2003-07-23 at 12:28, Stuart wrote:
    >> Hi,
    >>
    >> After currently reviewing firewall logs from ISA server I have come
    >> across a period where the box was hit with an approx. average of 3 - 4
    >> packets per 5 minute period for 8 hours.
    >
    > Over the last few day snort has been complaining about packets on TCP 0
    > to an address in our network. I finally got to investigate it yesterday.
    >
    > The packets were coming from two IP addresses in China and were tcp with
    > RST+ACK flags set. I then used our argus <www.qosient.com> logs to
    > examine all the traffic between the addresses.  It turned out that
    > there was a flood of incoming packets with random source and destination
    > ports.  So snort was triggering on a tiny proportion of the total
    > packets.
    >
    > I concluded that this was fallout from a DOS attack on the two Chinese
    > machines in which our address had been spoofed.
    >
    > Given the frequency of your packets and the likelihood that you would
    > have noticed if there was other traffic from the source this probably is
    > not the same scenario.  One thing that would help us work out possible
    > causes is some more details about the packets -- TCP or UDP, flags etc.
    >
    > --  
    > Russell Fulton, Network Security Officer, The University of Auckland,
    > New Zealand.
    >
    
    
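    As an added example (not code from the post or from any of its authors), a small Python parser for the Snort full-alert header layout quoted above, followed by the per-source triage Russell describes: RST+ACK spread over random destination ports points to backscatter from a flood that spoofed the local address, while a bare SYN to port 0 is an inbound probe. The sample alerts are constructed; the 198.51.100.7 source, its alert titles and the 192.0.2.10 destination are invented.

```python
import re
from collections import defaultdict
# Constructed sample in Snort's full-alert layout: the T/TCP alert quoted in the post
# (destination replaced by 192.0.2.10) plus two made-up RST+ACK records of the kind
# Russell describes; the 198.51.100.7 source and "constructed" titles are invented.
SAMPLE_ALERTS = """\
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> 192.0.2.10:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0  Ack: 0x0  Win: 0xFFFF  TcpLen: 48

[**] (constructed): TCP port 0 traffic [**]
07/23-09:12:01.000001 198.51.100.7:0 -> 192.0.2.10:31337
***A*R** Seq: 0x0  Ack: 0x1A2B3C4D  Win: 0x0  TcpLen: 20

[**] (constructed): TCP port 0 traffic [**]
07/23-09:12:02.000002 198.51.100.7:0 -> 192.0.2.10:4422
***A*R** Seq: 0x0  Ack: 0x5E6F7081  Win: 0x0  TcpLen: 20
"""

HDR_RE = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.x]+):(?P<dport>\d+)$")
FLAG_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq:")  # columns 1 2 U A P R S F, '*' = clear

def parse_alerts(text):
    """Return one dict per alert: src, sport, dst, dport and the set TCP flags."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            cur = {k: int(v) if k.endswith("port") else v for k, v in m.groupdict().items()}
        elif (m := FLAG_RE.match(line)) and cur is not None:
            cur["flags"] = frozenset(m["flags"]) - {"*"}
            records.append(cur)
            cur = None
    return records

def classify(records):
    """Label each source's port-0 traffic: RST+ACK spread over several destination
    ports looks like backscatter from a flood that spoofed our address; a bare SYN
    is an inbound probe; anything else is left for manual review."""
    by_src = defaultdict(list)
    for r in records:
        if r["sport"] == 0 or r["dport"] == 0:
            by_src[r["src"]].append(r)
    verdicts = {}
    for src, pkts in by_src.items():
        flags = frozenset().union(*(p["flags"] for p in pkts))
        scattered = len({p["dport"] for p in pkts}) > 1
        verdicts[src] = ("backscatter-like" if flags == {"R", "A"} and scattered
                         else "syn-probe" if flags == {"S"} else "other")
    return verdicts
```

Feeding a real Snort full-alert file to parse_alerts() gives the same per-source summary; the verdicts are a triage hint, not proof of either scenario.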
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 10:42:46 PDT