Syn flood to TCP port 21 from priveleged port (80)

Selphie Keller selphie.keller at gmail.com
Tue Nov 1 20:13:12 UTC 2016


Does the synflood have tcp option headers?

I am seeing this same activity at our forward observation system; however,
it's not showing any TCP options like MSS, SACK, timestamps, etc. I was curious
if others were seeing the same.

[root at oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] == 2)'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:34.415558 IP 194.73.173.243.80 > 67.220.207.169.21: Flags [S], seq 3584410928, win 8192, length 0

On 1 November 2016 at 13:52, Emille Blanc <emille at abccommunications.com> wrote:

> Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).
>
> Out of a 1000-packet sample taken at 12:45:46 PDT (19:45:46 UTC) at the
> boundary, 502 unique sources to 10 destination hosts on our AS.
>
> Obligatory data should this be of use to anyone listening in.
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
> Sent: November-01-16 12:29 PM
> To: Oleg A. Arkhangelsky
> Cc: nanog at nanog.org
> Subject: Re: Syn flood to TCP port 21 from priveleged port (80)
>
> seeing an awful lot of port 80 hitting port 21. (Why would port 80
> ever be used as a source?) Also saw a buncha cPanel "FAILED: FTP" alerts
> flickering on and off as the service throttled itself at a couple of client
> sites I manage.
>
> I see 540 unique source IPs hitting 32 destinations on my network in just
> 1000 packets dumped on one router.
>
> All from multiple sequential registered /24s in whois, but all from one
> management company:
>
> 141.138.128.0/21 and 95.131.184.0/21
>
> role:           William Hill Network Services
> abuse-mailbox:  networkservices at williamhill.co.uk
> address:        Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR
>
> AS49061
>
> course, synfloods can be spoofed... perhaps they're hoping for a
> retaliation against WHNS.
>
> /kc
>
> On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>   >Hello,
>   >
>   >A couple of cuts from tcpdump output:
>   >
>   >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
>   >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
>   >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
>   >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
>   >
>   >Is anyone seeing this right now (18:31 UTC)? I see this traffic
>   >on at least two completely independent ISPs near Moscow. The
>   >rate is about a few dozen PPS hitting all BGP-announced networks.
>   >
>   >--
>   >wbr, Oleg.
>   >
>   >"Anarchy is about taking complete responsibility for yourself."
>   >        Alan Moore.
>
> --
> Ken Chase - math at sizone.org Guelph Canada
>
>

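The thread asks two things of the captures: whether the SYNs carry any TCP options, and how many distinct sources and destinations show up in a short sample (Emille and Ken each quote counts from 1000-packet dumps). The script below is an added example, not part of the original post or any poster's tooling. It parses plain `tcpdump -nn` text, keeps only SYN-only segments (the same thing the `tcp[13] == 2` filter selects), and reports the source/destination spread, how many SYNs lack options, and which /24s the option-less SYNs come from. The sample input is the capture printed at the top of the message plus one constructed, ordinary client SYN from the documentation address 203.0.113.5 so the option check has something to contrast against; all function and field names are my own.

```python
"""Summarize SYN-only segments in tcpdump -nn text output.

Added example (not from the mailing-list post). Given tcpdump text, it
keeps SYN-only segments, counts unique sources/destinations, and checks
whether each SYN carries TCP options, which is the question raised in
the thread. Sample input below is copied from the posted capture, plus one
constructed normal client SYN (203.0.113.5, a documentation address).
"""
import re
from collections import Counter

# One tcpdump -nn line:
#   HH:MM:SS.frac IP src.sport > dst.dport: Flags [F], seq N, win W[, options [...]], length L
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+), win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)$"
)

SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:35.000000 IP 203.0.113.5.51234 > 67.220.207.169.21: Flags [S], seq 12345, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""


def parse_line(line):
    """Return a dict for one tcpdump record, or None for banner/non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "seq", "win", "len"):
        rec[key] = int(rec[key])
    rec["opts"] = rec["opts"] or ""  # no options block => empty string
    return rec


def syn_only(records):
    """Keep segments whose only flag is SYN (what 'tcp[13] == 2' selects)."""
    return [r for r in records if r["flags"] == "S"]


def is_bare_syn(rec):
    """True when the SYN carries no TCP options at all (no MSS, SACK, timestamps...)."""
    return rec["opts"] == ""


def summarize(text):
    """Aggregate a tcpdump text dump the way the thread's posters did by hand."""
    recs = syn_only(r for r in map(parse_line, text.splitlines()) if r)
    bare = [r for r in recs if is_bare_syn(r)]
    return {
        "syn_count": len(recs),
        "unique_sources": len({r["src"] for r in recs}),
        "unique_destinations": len({r["dst"] for r in recs}),
        "bare_syn_count": len(bare),
        # the pattern noticed in the thread: source port 80, destination port 21
        "bare_from_port_80_to_21": sum(1 for r in bare if r["sport"] == 80 and r["dport"] == 21),
        "bare_syn_win_values": sorted({r["win"] for r in bare}),
        # /24 prefixes of the option-less SYNs, for comparison against whois blocks
        "bare_syn_src_24s": Counter(".".join(r["src"].split(".")[:3]) for r in bare),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a real file with `summarize(open("dump.txt").read())`; the banner lines tcpdump prints are skipped because they do not match the record pattern. Note that a normal client SYN shows an `options [...]` block, while the flood SYNs in the capture show none and share a fixed window of 8192, which is the contrast the question in the message is getting at.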