[150914] in North American Network Operators' Group


Re: Increase of DOS attacks using TCP src and/or dst of 0

daemon@ATHENA.MIT.EDU (George Herbert)
Wed Mar 7 17:49:03 2012

In-Reply-To: <CA+mO9gHT+JwC1U+Tb268t+hUoxzQ5e+WFKfF+ucyt_hXSc5A_w@mail.gmail.com>
Date: Wed, 7 Mar 2012 14:48:10 -0800
From: George Herbert <george.herbert@gmail.com>
To: Chris Stone <axisml@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Out of curiosity -

Is it possible it's a command and control network, rather than
directly an attack?


On Wed, Mar 7, 2012 at 2:41 PM, Chris Stone <axisml@gmail.com> wrote:
> On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff <mhuff@ox.com> wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
>
> Not seeing a ton of them, but do see a few logged on most all of our
> servers like:
>
> Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
> MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
> DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
> SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
>
>
>
>
>
> --
> Chris Stone
> AxisInternet, Inc.
> www.axint.net
>



--
-george william herbert
george.herbert@gmail.com
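
The kernel log line quoted in the thread above, run through a small detector. This is an added example, not part of the original messages: it parses Linux netfilter LOG output and flags TCP packets with source or destination port 0 or with contradictory flag pairs. The function names, the choice of flag pairs and the second sample line are assumptions made for illustration.

```python
import re

# TCP flag tokens as the netfilter LOG target prints them (bare words).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Flag pairs a normal TCP stack does not set together (assumed rule set).
CONTRADICTORY = [("SYN", "FIN"), ("SYN", "RST")]
KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_line(line):
    """Return (key=value fields, set of TCP flags) for one LOG line."""
    fields = dict(KV.findall(line))
    # Flags are printed after RES= and before URGP=; DF (an IP flag) comes earlier.
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields, flags

def anomalies(line):
    """List what is abnormal about a logged TCP packet; empty list if nothing."""
    fields, flags = parse_netfilter_line(line)
    if fields.get("PROTO") != "TCP":
        return []
    found = [f"{key}=0" for key in ("SPT", "DPT") if fields.get(key) == "0"]
    found += [f"{a}+{b}" for a, b in CONTRADICTORY if a in flags and b in flags]
    return found

# Line from the thread, joined onto one line (DST is redacted in the original).
PAGE_LINE = (
    "Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT= "
    "MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101 "
    "DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP "
    "SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422"
)
# Constructed comparison line: an ordinary dropped SYN, documentation addresses.
BENIGN_LINE = (
    "Mar  5 07:50:02 server kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= "
    "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP "
    "SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0"
)

if __name__ == "__main__":
    for sample in (PAGE_LINE, BENIGN_LINE):
        fields, _ = parse_netfilter_line(sample)
        print(fields.get("SRC"), anomalies(sample) or "nothing unusual")
```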

