Syn flood to TCP port 21 from privileged port (80)

Selphie Keller selphie.keller at gmail.com
Tue Nov 1 20:40:19 UTC 2016


Yeah, it looks like the person behind the flood may have scanned for active
FTP servers. I'm not seeing any activity on other observation subnets of this
flood, and so far the only servers showing this port 80 to port 21 traffic are
ones that do have actual FTP servers. However, the connection is not actually
establishing: it's only showing a SYN incoming and a SYN-ACK outgoing and
never gets a completed 3-way handshake, so it could be a very odd reflected
SYN-ACK flood against possible web servers' origin IP addresses.

On 1 November 2016 at 14:28, Emille Blanc <emille at abccommunications.com>
wrote:

> > Does the synflood have tcp option headers?
>
>
>
> Not seeing any here. From this morning.
>
>
>
> 12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok]
> 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
>
> 12:45:46.180667 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok]
> 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
>
> 12:45:46.284617 141.138.128.137.80 > 216.57.182.18.21: S [tcp sum ok]
> 2595766696:2595766696(0) win 8192 (DF) (ttl 69, id 6478, len 40)
>
>
>
> *From:* Selphie Keller [mailto:selphie.keller at gmail.com]
> *Sent:* November-01-16 1:13 PM
> *To:* Emille Blanc
> *Cc:* Ken Chase; Oleg A. Arkhangelsky; nanog at nanog.org
>
> *Subject:* Re: Syn flood to TCP port 21 from privileged port (80)
>
>
>
> Does the synflood have tcp option headers?
>
>
>
> I am seeing this same activity at our forward observation system; however,
> it's not showing any TCP options like MSS, SACK, timestamps, etc. I was
> curious if others were seeing the same.
>
>
>
> [root at oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] == 2)'
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>
>
>
> 13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq
> 3599006989, win 8192, length 0
>
> 13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq
> 2409909072, win 8192, length 0
>
> 13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq
> 1006681302, win 8192, length 0
>
> 13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq
> 3627295948, win 8192, length 0
>
> 13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq
> 3627295948, win 8192, length 0
>
> 13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq
> 3818041920, win 8192, length 0
>
> 13:09:34.415558 IP 194.73.173.243.80 > 67.220.207.169.21: Flags [S], seq
> 3584410928, win 8192, length 0
>
>
> On 1 November 2016 at 13:52, Emille Blanc <emille at abccommunications.com>
> wrote:
>
> Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).
>
> Out of a 1000-packet sample taken at 12:45:46 PDT (19:45:46 UTC) at the
> boundary, 502 unique sources to 10 destination hosts on our AS.
>
> Obligatory data should this be of use to anyone listening in.
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
> Sent: November-01-16 12:29 PM
> To: Oleg A. Arkhangelsky
> Cc: nanog at nanog.org
> Subject: Re: Syn flood to TCP port 21 from privileged port (80)
>
> Seeing an awful lot of port 80 hitting port 21. (Why would port 80
> ever be used as a source?) Also saw a bunch of cPanel "FAILED: FTP" alerts
> flickering on and off as the service throttled itself at a couple of client
> sites I manage.
>
> I see 540 unique source IPs hitting 32 destinations on my network in just
> 1000 packets dumped on one router.
>
> All from multiple sequential registered /24s in whois, but all from one
> management company:
>
> 141.138.128.0/21 and 95.131.184.0/21
>
> role:           William Hill Network Services
> abuse-mailbox:  networkservices at williamhill.co.uk
> address:        Infrastructure Services 2 City Walk Sweet Street Leeds
> LS11 9AR
>
> AS49061
>
> Of course, SYN floods can be spoofed... perhaps they're hoping for
> retaliation against WHNS.
>
> /kc
>
> On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>   >Hello,
>   >
>   >A couple of cuts from tcpdump output:
>   >
>   >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S],
> seq 1376379765, win 8192, length 0
>   >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S],
> seq 2254756684, win 8192, length 0
>   >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S],
> seq 3619475318, win 8192, length 0
>   >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq
> 2412690982, win 8192, length 0
>   >
>   >Is anyone seeing this right now (18:31 UTC)? I see this traffic
>   >on at least two completely independent ISPs near Moscow. The
>   >rate is about a few dozen PPS hitting all BGP-announced networks.
>   >
>   >--
>   >wbr, Oleg.
>   >
>   >"Anarchy is about taking complete responsibility for yourself."
>   >      -- Alan Moore.
>
> --
> Ken Chase - math at sizone.org Guelph Canada
>
>
>
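The posters in this thread characterise the flood by hand from tcpdump output: bare SYNs, source port 80 to destination port 21, win 8192, no TCP options, hundreds of unique sources clustered in a few /21s. The script below is an added example (not code from any of the posters) that parses `tcpdump -nn` lines in the shape quoted above, applies that signature, tallies unique sources and covering /21 prefixes, and lists the addresses that would receive the FTP servers' SYN-ACKs on port 80 if the sources are spoofed, which is the reflected SYN-ACK-flood reading of the traffic. The sample input is constructed here from the quoted packet lines plus one ordinary SYN (an RFC 5737 test address, with TCP options) added for contrast; treating win 8192 and empty options as a stable signature is an assumption taken from the posts.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample input: tcpdump -nn lines in the shape quoted in the thread,
# plus one ordinary SYN (RFC 5737 address, with TCP options) added for contrast.
# This text is assembled for the example, not a capture from any poster.
SAMPLE = """\
13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:34.415558 IP 194.73.173.243.80 > 67.220.207.169.21: Flags [S], seq 3584410928, win 8192, length 0
13:09:35.000001 IP 198.51.100.7.52113 > 67.220.207.169.21: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""

# One tcpdump -nn TCP line: timestamp, src.port > dst.port, flags, seq, win,
# optional "options [...]" (absent when the SYN carries no options), length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+)(?::\d+)?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)$"
)


def parse(text):
    """Parse tcpdump -nn output into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "win", "length"):
            d[k] = int(d[k])
        d["opts"] = d["opts"] or ""  # None when tcpdump printed no options
        records.append(d)
    return records


def is_flood_syn(rec):
    """Signature reported in the thread: bare SYN, src port 80 -> dst port 21,
    win 8192, no TCP options (no MSS/SACK/timestamps).  Assumption: win 8192 and
    empty options are stable across the flood, as the posts describe."""
    return (rec["flags"] == "S" and rec["sport"] == 80 and rec["dport"] == 21
            and rec["win"] == 8192 and rec["opts"] == "")


def summarize(records, prefixlen=21):
    """Count matching SYNs by covering prefix and by destination."""
    hits = [r for r in records if is_flood_syn(r)]
    by_prefix = Counter(
        ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False).with_prefixlen
        for r in hits)
    by_dst = Counter(r["dst"] for r in hits)
    sources = {r["src"] for r in hits}
    return {
        "total": len(records),
        "matched": len(hits),
        "unique_sources": len(sources),
        "by_prefix": dict(by_prefix),
        "by_dst": dict(by_dst),
        # If the sources are spoofed, the FTP servers' SYN-ACKs land on these
        # hosts at TCP/80: the possible real targets of a reflected SYN-ACK flood.
        "reflection_targets": sorted(sources, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    # Pipe live output in (tcpdump -nn -l 'tcp[13] == 2' | python3 this.py)
    # or run with no input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    s = summarize(parse(text))
    print(f"{s['matched']}/{s['total']} packets match the flood signature, "
          f"{s['unique_sources']} unique sources")
    for prefix, n in sorted(s["by_prefix"].items()):
        print(f"  {prefix:<20} {n} SYNs")
    for dst, n in sorted(s["by_dst"].items()):
        print(f"  -> {dst:<16} {n} SYNs")
    print("  SYN-ACKs would be reflected to TCP/80 on:",
          ", ".join(s["reflection_targets"]))
```

The `tcp[13] == 2` filter used in the thread selects packets whose TCP flags byte is exactly SYN, so `Flags [S]` is all the script expects; a `Flags [S.]` line (a SYN-ACK) or any packet with options or a different window falls outside the signature, which is what separates the flood from the one genuine SYN in the sample.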


