Syn flood to TCP port 21 from priveleged port (80)

• Previous message (by thread): Syn flood to TCP port 21 from priveleged port (80)
• Next message (by thread): Syn flood to TCP port 21 from priveleged port (80)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I think Ken has nailed it. I think the source addresses are spoofed so you reflect the connection (tcp syn ack) to those source addresses. Get enough of those connections and the server is dead. 

Since your port 21 is open

telnet 109.72.248.114 21
Trying 109.72.248.114...
Connected to 109.72.248.114.
Escape character is '^]'.

Your address was probably scanned and saw it could be used in the attack.

Regards
--
Donovan Van Dyk

SOC Network Engineer

Office: +1.954.620.6002 x911

Fort Lauderdale, FL USA




The information contained in this electronic mail transmission and its attachments may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient (or an individual responsible for delivery of the message to such person), you are strictly prohibited from copying, disseminating or distributing this communication. If you have received this communication in error, please notify the sender immediately and destroy all electronic, paper or other versions.
 

On 11/1/16, 3:29 PM, "Ken Chase" <math at sizone.org> wrote:

    seeing an awful lot of port 80 hitting port 21. (Why would port 80
    ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering
    on and off as the service throttled itself at a couple client sites I manage.
    
    I see 540 unique source IPs hitting 32 destinations on my network in just 1000
    packets dumped on one router. 
    
    All from multiple sequential registered /24s in whois, but all from one
    management company:
    
    141.138.128.0/21 and 95.131.184.0/21
    
    role:           William Hill Network Services
    abuse-mailbox:  networkservices at williamhill.co.uk
    address:        Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR
    
    AS49061
    
    course, synfloods can be spoofed... perhaps they're hoping for a retaliation
    against WHNS.
    
    /kc
    
    On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
      >Hello,
      >
      >A couple of cuts from tcpdump output:
      >
      >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
      >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
      >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
      >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
      >
      >Does anyone seeing this right now (18:31 UTC)? I see this traffic
      >on at least two completely independent ISPs near Moscow. The
      >rate is about a few dozen PPS hitting all BGP-announced networks.
      >
      >--??
      >wbr, Oleg.
      >
      >"Anarchy is about taking complete responsibility for yourself."
      >?? ?? ?? Alan Moore.
    
    -- 
    Ken Chase - math at sizone.org Guelph Canada
    

• Previous message (by thread): Syn flood to TCP port 21 from priveleged port (80)
• Next message (by thread): Syn flood to TCP port 21 from priveleged port (80)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]