[150911] in North American Network Operators' Group
Re: Increase of DOS attacks using TCP src and/or dst of 0
daemon@ATHENA.MIT.EDU (Pete Carah)
Wed Mar 7 17:14:32 2012
Date: Wed, 07 Mar 2012 14:13:34 -0800
From: Pete Carah <pete@altadena.net>
To: nanog@nanog.org
In-Reply-To: <CAL9jLaZxYptkukCQC3-CMNEQb0AKdAngJ-M+O32jvo-59wPFtA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 03/07/2012 01:29 PM, Christopher Morrow wrote:
> On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff <mhuff@ox.com> wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
> srs/dst of 0 as measured how? (tcpdump? netflow? app logs?)
No, however I am seeing an increase in unsolicited syn-ack packets with
a wider
variety of "from" ports (many 80 still, used to be almost all) but some
22, 113, 4000, 600x,
and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs
that are not
targets of A records, so appear to be indiscriminate scans...
Source IP's all over the place as expected. Don't know if it is
tcptraceroute in a strange mode,
or OS fingerprinting attempts, or both. Also don't know if the sources
are spoofs or not (rather hard
to tell...) Sources don't seem to match up with syn-only packets
either, at least on the same day.
-- Pete
>
