[192542] in North American Network Operators' Group
Re: Syn flood to TCP port 21 from priveleged port (80)
daemon@ATHENA.MIT.EDU (Ken Chase)
Tue Nov 1 15:29:12 2016
X-Original-To: nanog@nanog.org
Date: Tue, 1 Nov 2016 15:29:09 -0400
From: Ken Chase <math@sizone.org>
To: "Oleg A. Arkhangelsky" <sysoleg@yandex.ru>
In-Reply-To: <3847611478025863@web35j.yandex.ru>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering
on and off as the service throttled itself at a couple client sites I manage.
I see 540 unique source IPs hitting 32 destinations on my network in just 1000
packets dumped on one router.
All from multiple sequential registered /24s in whois, but all from one
management company:
141.138.128.0/21 and 95.131.184.0/21
role: William Hill Network Services
abuse-mailbox: networkservices@williamhill.co.uk
address: Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR
AS49061
course, synfloods can be spoofed... perhaps they're hoping for a retaliation
against WHNS.
/kc
On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>Hello,
>
>A couple of cuts from tcpdump output:
>
>21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
>21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
>21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
>21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
>
>Does anyone seeing this right now (18:31 UTC)? I see this traffic
>on at least two completely independent ISPs near Moscow. The
>rate is about a few dozen PPS hitting all BGP-announced networks.
>
>--
>wbr, Oleg.
>
>"Anarchy is about taking complete responsibility for yourself."
>      Alan Moore.
--
Ken Chase - math@sizone.org Guelph Canada
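
The tally described in the thread (unique sources and destinations for bare SYNs arriving at port 21 from a source port below 1024), as an added example that is not part of either poster's message. The function name, the /21 aggregation width (chosen to match the whois blocks cited above) and the last two sample lines are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

# First four lines: the tcpdump output quoted in the thread.
# Last two lines: constructed for contrast (documentation address ranges).
SAMPLE = """\
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
21:32:01.000001 IP 192.0.2.10.51514 > 198.51.100.7.21: Flags [S], seq 1, win 64240, length 0
21:32:01.000002 IP 192.0.2.80.80 > 198.51.100.7.40000: Flags [S.], seq 2, ack 3, win 65535, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(text, dport=21, prefix_len=21):
    """Count bare SYNs to `dport` whose source port is below 1024."""
    sources, dests = set(), set()
    sports, prefixes = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        # "S" alone is a connection attempt; "S." is a SYN-ACK reply and is skipped.
        if not m or m["flags"] != "S" or int(m["dport"]) != dport:
            continue
        sport = int(m["sport"])
        if sport >= 1024:
            continue  # ordinary clients connect from ephemeral ports
        sources.add(m["src"])
        dests.add(m["dst"])
        sports[sport] += 1
        # Aggregate the packet's source address to its covering prefix.
        # SYN sources can be spoofed, so this shows claimed origin only.
        net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        prefixes[str(net)] += 1
    return {
        "packets": sum(sports.values()),
        "unique_sources": len(sources),
        "unique_destinations": len(dests),
        "source_ports": dict(sports),
        "source_prefixes": dict(prefixes),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The same function can be fed the text output of `tcpdump -nn` from a capture file to reproduce the per-router counts discussed above.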