On 03/07/2012 01:29 PM, Christopher Morrow wrote: > On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mh...@ox.com> wrote: >> Anyone else see a massive increase of scanning/dos with TCP source and/or >> dst port of 0? We started seeing a massive increase today creating some >> issue with our firewalls. > srs/dst of 0 as measured how? (tcpdump? netflow? app logs?) No, however I am seeing an increase in unsolicited syn-ack packets with a wider variety of "from" ports (many 80 still, used to be almost all) but some 22, 113, 4000, 600x, and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs that are not targets of A records, so appear to be indiscriminate scans...
Source IP's all over the place as expected. Don't know if it is tcptraceroute in a strange mode, or OS fingerprinting attempts, or both. Also don't know if the sources are spoofs or not (rather hard to tell...) Sources don't seem to match up with syn-only packets either, at least on the same day. -- Pete >
