I was debugging with a friend at a client site to check out some unrelated
traffic, and I noticed these strange traffic patterns coming up:

5w1d: IP: s=207.x.x.x (local), d=255.255.255.255 (Serial0/1), len 512, sending broad/multicast
5w1d:     UDP src=520, dst=520
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.1 (FastEthernet0/0), g=205.221.15.7, len 48, forward
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.2(FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.3 (FastEthernet0/0), g=205.221.15.8, len 48, forward
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.4 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.5 (FastEthernet0/0), g=205.221.15.9, len 48, forward
5w1d:     TCP src=1249, dst=21, seq=2401594277, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.6 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1249, dst=21, seq=2401594277, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.7 (FastEthernet0/0), g=205.221.15.13, len 48, forward
5w1d:     TCP src=1253, dst=21, seq=2401782294, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.8 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1253, dst=21, seq=2401782294, ack=0, win=8760 SYN

Now, what I think I'm seeing here is a TCP SYN session request destined for
port 21 (FTP), from a workstation on the internet (incoming on s0/0). It
appears that this is a sort of port scan and someone's trying to crack their
way in? The first entry is a local (normal) entry, then comes in the
intruder at 62.155.241.76, from the internet, trying to establish an FTP
session. The destination IPs it's trying to attach to are actually router
ASYNC peer subinterfaces.

What exactly is the win=8760? I looked where I could on this port and it's
listed as a proxy port number. And what's with the 'encapsulation failed'
errors? Can anyone shed any more light on this? Thanks..

Marc
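
Added example, not part of the original post: one way to pick the pattern shown in the debug output out of a longer capture is to pair each IP line with its TCP detail line and count how many distinct destinations a single source sends initial SYNs to on the same port. The sample lines, the function name find_sweeps and the min_targets threshold are constructed for illustration, and the parser assumes each debug record sits on one line.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output above. Addresses are
# documentation ranges (RFC 5737), not values taken from the post.
SAMPLE = """\
5w1d: IP: s=192.0.2.10 (local), d=255.255.255.255 (Serial0/1), len 512, sending broad/multicast
5w1d:     UDP src=520, dst=520
5w1d: IP: s=198.51.100.76 (Serial0/0), d=203.0.113.1 (FastEthernet0/0), g=203.0.113.129, len 48, forward
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=198.51.100.76 (Serial0/0), d=203.0.113.2(FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=198.51.100.76 (Serial0/0), d=203.0.113.3 (FastEthernet0/0), g=203.0.113.130, len 48, forward
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
5w1d: IP: s=198.51.100.76 (Serial0/0), d=203.0.113.4 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
5w1d: IP: s=198.51.100.9 (Serial0/0), d=203.0.113.1 (FastEthernet0/0), g=203.0.113.129, len 48, forward
5w1d:     TCP src=3310, dst=80, seq=99120034, ack=0, win=8760 SYN
"""

# IP header line: source, destination, and the router's disposition at the end.
IP_RE = re.compile(r"IP: s=(\S+) \([^)]*\), d=(\S+?) ?\([^)]*\),.*?len \d+,\s*(.+)$")
# TCP detail line: destination port, ack number, and trailing flag names.
TCP_RE = re.compile(r"TCP src=\d+, dst=(\d+), seq=\d+, ack=(\d+), win=\d+\s*(.*)$")

def find_sweeps(text, min_targets=3):
    """Return {(src_ip, dst_port): {dst_ip: disposition}} for sources that send
    initial SYNs (SYN set, no ACK, ack=0) to >= min_targets hosts on one port."""
    seen = defaultdict(dict)
    pending = None  # most recent IP line still waiting for its detail line
    for line in text.splitlines():
        ip = IP_RE.search(line)
        if ip:
            pending = ip
            continue
        tcp = TCP_RE.search(line)
        if tcp and pending:
            flags = tcp.group(3).split()
            if "SYN" in flags and "ACK" not in flags and tcp.group(2) == "0":
                key = (pending.group(1), int(tcp.group(1)))
                seen[key][pending.group(2)] = pending.group(3).strip()
        pending = None  # UDP and other detail lines consume the IP line too
    return {k: v for k, v in seen.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, port), targets in find_sweeps(SAMPLE).items():
        print(f"{src} -> port {port}: {len(targets)} hosts")
        for dst, disposition in targets.items():
            print(f"  {dst}: {disposition}")
```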