Syn flood to TCP port 21 from privileged port (80)

Emille Blanc emille at abccommunications.com
Tue Nov 1 19:52:56 UTC 2016


Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).

Out of 1000 packet sample taken at 12:45:46 PDT (19:45:46 UTC) at boundary, 502 unique sources to 10 destination hosts on our AS.

Obligatory data should this be of use to anyone listening in.

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
Sent: November-01-16 12:29 PM
To: Oleg A. Arkhangelsky
Cc: nanog at nanog.org
Subject: Re: Syn flood to TCP port 21 from privileged port (80)

seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering
on and off as the service throttled itself at a couple client sites I manage.

I see 540 unique source IPs hitting 32 destinations on my network in just 1000
packets dumped on one router. 

All from multiple sequential registered /24s in whois, but all from one
management company:

141.138.128.0/21 and 95.131.184.0/21

role:           William Hill Network Services
abuse-mailbox:  networkservices at williamhill.co.uk
address:        Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR

AS49061

course, synfloods can be spoofed... perhaps they're hoping for a retaliation
against WHNS.

/kc

On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
  >Hello,
  >
  >A couple of cuts from tcpdump output:
  >
  >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
  >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
  >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
  >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
  >
  >Is anyone seeing this right now (18:31 UTC)? I see this traffic
  >on at least two completely independent ISPs near Moscow. The
  >rate is about a few dozen PPS hitting all BGP-announced networks.
  >
  >-- 
  >wbr, Oleg.
  >
  >"Anarchy is about taking complete responsibility for yourself."
  >        Alan Moore.

-- 
Ken Chase - math at sizone.org Guelph Canada
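The tallies the posters quote (unique sources and destinations in a 1000-packet sample, sources concentrated in two /21s) are easy to reproduce from tcpdump's text output. The following is an added example, not code from any of the list posters: it parses tcpdump lines in the format shown in Oleg's excerpt, keeps only pure SYNs from source port 80 to destination port 21, and summarises sources, destinations and membership in the two prefixes Ken Chase pulled from whois. The sample packets are constructed for the example (the first four are the lines quoted in the thread, the last two are made-up benign traffic), and the prefix list is an assumption an operator would replace with their own watch list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text format. The first four SYN lines
# are the ones quoted in the thread; the last two are made-up benign packets
# (a normal-source-port SYN and a SYN/ACK) that the filter should ignore.
SAMPLE = """\
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
21:27:51.000001 IP 198.51.100.7.51522 > 109.72.248.114.21: Flags [S], seq 1, win 65535, length 0
21:27:51.000002 IP 109.72.248.114.21 > 198.51.100.7.51522: Flags [S.], seq 2, ack 2, win 29200, length 0
"""

# Prefixes named in the thread (from the whois lookup). Assumed here to be the
# operator's watch list; any iterable of networks works.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in ("141.138.128.0/21", "95.131.184.0/21")]

# One tcpdump text line: timestamp, "IP", src.sport > dst.dport: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump text line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_suspect_syn(pkt, dport=21, sport=80):
    """Pure SYN (flags exactly 'S', no ACK) from the implausible source port
    80 to the FTP control port, the pattern reported in the thread."""
    return pkt["flags"] == "S" and pkt["sport"] == sport and pkt["dport"] == dport


def summarize(text, prefixes=WATCH_PREFIXES):
    """Count suspect SYNs, unique sources/destinations, how many sources fall
    inside the watched prefixes, and which destination drew the most sources."""
    sources, dests = set(), set()
    per_dest = defaultdict(set)
    total = 0
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_suspect_syn(pkt):
            continue
        total += 1
        sources.add(pkt["src"])
        dests.add(pkt["dst"])
        per_dest[pkt["dst"]].add(pkt["src"])
    in_prefix = sum(
        1 for s in sources if any(ipaddress.ip_address(s) in net for net in prefixes)
    )
    return {
        "suspect_syns": total,
        "unique_sources": len(sources),
        "unique_destinations": len(dests),
        "sources_in_watched_prefixes": in_prefix,
        "top_destination": max(per_dest, key=lambda d: len(per_dest[d])) if per_dest else None,
    }


if __name__ == "__main__":
    # Replace SAMPLE with sys.stdin.read() to run over a live `tcpdump -n` feed.
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports 4 suspect SYNs from 4 sources to 2 destinations, with 3 of the 4 sources inside the watched /21s (194.73.173.154 is outside them, matching the "give or take" in the thread). As Ken notes, SYN source addresses can be spoofed, so the prefix count describes where the packets claim to come from, not who sent them; treat it as a triage aid for rate-limiting decisions, not as attribution.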