Increase of DOS attacks using TCP src and/or dst of 0

Pete Carah pete at altadena.net
Wed Mar 7 22:13:34 UTC 2012


On 03/07/2012 01:29 PM, Christopher Morrow wrote:
> On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mhuff at ox.com> wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
> srs/dst of 0 as measured how? (tcpdump? netflow? app logs?)
No, however I am seeing an increase in unsolicited syn-ack packets with
a wider
variety of "from" ports (many 80 still, used to be almost all) but some
22, 113, 4000, 600x,
and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs
that are not
targets of A records, so appear to be indiscriminate scans...

Source IP's all over the place as expected.  Don't know if it is
tcptraceroute in a strange mode,
or OS fingerprinting attempts, or both.  Also don't know if the sources
are spoofs or not (rather hard
to tell...)  Sources don't seem to match up with syn-only packets
either, at least on the same day.

-- Pete
>





More information about the NANOG mailing list