Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread George Herbert
Out of curiosity -

Is it possible it's a command and control network, rather than
directly an attack?


On Wed, Mar 7, 2012 at 2:41 PM, Chris Stone  wrote:
> On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff  wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
>
> Not seeing a ton of them, but do see a few logged on most all of our
> servers like:
>
> Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
> MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
> DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
> SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
>
> --
> Chris Stone
> AxisInternet, Inc.
> www.axint.net
>



-- 
-george william herbert
george.herb...@gmail.com



Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Chris Stone
On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff  wrote:
> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.

Not seeing a ton of them, but do see a few logged on most all of our
servers like:

Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422





-- 
Chris Stone
AxisInternet, Inc.
www.axint.net
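
Added example, not part of any poster's message: one way to pull entries like the one above out of netfilter/Shorewall kernel logs and flag TCP port 0 and contradictory flag combinations per source. The function names are hypothetical, the first sample line is the entry quoted in the thread joined onto one line, and the second is constructed for contrast.

```python
import re
from collections import Counter

# Line 1: the entry quoted in the thread. Line 2: constructed, documentation addresses.
SAMPLE_LOG = """\
Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT= MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101 DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
Mar  5 07:50:02 server kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51515 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_line(line):
    """Return (fields, flags) for a TCP log entry, or None for anything else."""
    _, sep, tail = line.partition("PROTO=TCP")
    if not sep:
        return None
    fields = dict(FIELD_RE.findall(line))
    # Flags are bare tokens after PROTO=TCP, so DF (an IP flag) is not picked up.
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields, flags

def anomalies(fields, flags):
    """List the reasons an entry cannot be normal TCP traffic."""
    reasons = []
    if fields.get("SPT") == "0":
        reasons.append("src-port-0")
    if fields.get("DPT") == "0":
        reasons.append("dst-port-0")
    if {"SYN", "FIN"} <= flags:
        reasons.append("syn+fin")
    if {"SYN", "RST"} <= flags:
        reasons.append("syn+rst")
    return reasons

def scan(log_text):
    """Return [(source address, reasons)] for every anomalous TCP entry."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (reasons := anomalies(*parsed)):
            findings.append((parsed[0].get("SRC"), reasons))
    return findings

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for src, reasons in hits:
        print(src, ",".join(reasons))
    print(Counter(src for src, _ in hits).most_common(5))
```

Because the kernel log stores one record per packet, the per-source counter gives a quick answer to whether the traffic is a handful of probes or a flood.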



Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Pete Carah
On 03/07/2012 01:29 PM, Christopher Morrow wrote:
> On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff  wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
> src/dst of 0 as measured how? (tcpdump? netflow? app logs?)

No, however I am seeing an increase in unsolicited syn-ack packets with
a wider variety of "from" ports (many 80 still, used to be almost all)
but some 22, 113, 4000, 600x, and high "from" ports with "to" ports of
3072 and 1024, many to ip addrs that are not targets of A records, so
appear to be indiscriminate scans...

Source IPs all over the place as expected.  Don't know if it is
tcptraceroute in a strange mode, or OS fingerprinting attempts, or both.
Also don't know if the sources are spoofs or not (rather hard to
tell...)  Sources don't seem to match up with syn-only packets either,
at least on the same day.

-- Pete




Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Christopher Morrow
On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff  wrote:
> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.

src/dst of 0 as measured how? (tcpdump? netflow? app logs?)



Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Mike Gatti
I just scanned through the last 48 hours of logs and did not find anything. 
We are peering with Level3 (AS 3549) and Verizon (AS 11486). 

--
Michael Gatti  
main. 949.371.5474
(UTC -8)



On Mar 7, 2012, at 12:45 PM, Matthew Huff wrote:

> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.
>
> Matthew Huff           | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC     | Phone: 914-460-4039
> aim: matthewbhuff      | Fax:   914-460-4139