nanog mailing list archives
Re: Increase of DOS attacks using TCP src and/or dst of 0
From: Pete Carah <pete () altadena net>
Date: Wed, 07 Mar 2012 14:13:34 -0800
On 03/07/2012 01:29 PM, Christopher Morrow wrote:
> On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mhuff () ox com> wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or dst port of 0? We started seeing a massive increase today creating some issue with our firewalls.
> src/dst of 0 as measured how? (tcpdump? netflow? app logs?)
No, however I am seeing an increase in unsolicited syn-ack packets with a wider variety of "from" ports (many 80 still, used to be almost all) but some 22, 113, 4000, 600x, and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs that are not targets of A records, so appear to be indiscriminate scans... Source IPs all over the place as expected. Don't know if it is tcptraceroute in a strange mode, or OS fingerprinting attempts, or both. Also don't know if the sources are spoofs or not (rather hard to tell...) Sources don't seem to match up with syn-only packets either, at least on the same day.
-- Pete