Security Incidents mailing list archives
Re: client's TCP port 256 hammered by several hosts- solved!!
From: gerry <gerry () tituspcservice com>
Date: 10 Nov 2003 16:21:59 -0000
In-Reply-To: <20031107182045.3029.qmail () sf-www1-symnsj securityfocus com> thanks to the suggestions and help of this mailing list (esp. Chris B.), we have solved the mystery of the excess traffic. using netcat (to listen for a connection to port 256) and fport (to identify sender's application), we found Norton CE (server and clients) to be looking for a non-existant quarantine server. we've had norton for over three years and why the application suddenly started sending excessive traffic is unknown. thanks again everyone for responding. gerry
Received: (qmail 22288 invoked from network); 7 Nov 2003 22:28:53 -0000 Received: from outgoing2.securityfocus.com (205.206.231.26) by mail.securityfocus.com with SMTP; 7 Nov 2003 22:28:53 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing2.securityfocus.com (Postfix) with QMQP id 230108FF3A; Fri, 7 Nov 2003 09:36:30 -0700 (MST) Mailing-List: contact incidents-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <incidents.list-id.securityfocus.com> List-Post: <mailto:incidents () securityfocus com> List-Help: <mailto:incidents-help () securityfocus com> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com> List-Subscribe: <mailto:incidents-subscribe () securityfocus com> Delivered-To: mailing list incidents () securityfocus com Delivered-To: moderator for incidents () securityfocus com Received: (qmail 1416 invoked from network); 7 Nov 2003 12:12:00 -0000 Date: 7 Nov 2003 18:20:45 -0000 Message-ID: <20031107182045.3029.qmail () sf-www1-symnsj securityfocus com> Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: gerry <gerry () tituspcservice com> To: incidents () securityfocus com Subject: client's TCP port 256 hammered by several hosts suddenly, one of our lan client (win2k novell client) machine's tpc port 256 is being flooded with packets from other lan pcs and our netware (5.1) server. anyone have an idea what would cause this or, better yet, how to eliminate all the excess traffic. 11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256 TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF ******S* Seq: 0x1E6E9152 Ack: 0x0 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056 TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40 ***A*R** Seq: 0x0 Ack: 0x1E6E9153 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/04-08:31:15.344013 192.168.x.x:2056 -> 192.168.x.x:256 TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF ******S* Seq: 0x1E6E9152 Ack: 0x0 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ thanks in advance, g --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- Re: client's TCP port 256 hammered by several hosts- solved!! gerry (Nov 10)