OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: TCP connections to port 1024 - DDoS?
From: Abe Getchell (agetchelKDE.STATE.KY.US)
Date: Mon Oct 23 2000 - 13:58:25 CDT


Hi Jason,
        Care to share the source IP addresses? Hopefully there is a common
batch of addresses we are seeing this from. We got hammered this weekend;
there were over 100,000 connections attempted. The IP addresses didn't
reverse resolve to any domain names and an IP whois search didn't tell me
who they belonged too. Knowing that there are more folks who are seeing
this doesn't make me feel very good...

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchelkde.state.ky.us
Web http://www.kde.state.ky.us/

> -----Original Message-----
> From: Turpin, Jason [mailto:jturpinchematch.com]
> Sent: Monday, October 23, 2000 2:23 PM
> To: 'agetchelKDE.STATE.KY.US'; INCIDENTSSECURITYFOCUS.COM
> Subject: RE: TCP connections to port 1024 - DDoS?
>
>
> I am seeing the same thing the last couple of days. It comes
> from about 100
> ip's and targets my Mail Servers on port 1024. There are
> approximately 254
> attempts in less than 10 seconds from these 100 ip's
>
> -----Original Message-----
> From: Abe Getchell [mailto:agetchelKDE.STATE.KY.US]
> Sent: Monday, October 23, 2000 9:13 AM
> To: INCIDENTSSECURITYFOCUS.COM
> Subject: TCP connections to port 1024 - DDoS?
>
>
> Hey all,
> Has anybody seen some kind of odd DDoS attack in which
> a number of
> zombie machines try and open TCP connections to port 1024 on
> the target
> machine? Saw some of these coming in over the last week and
> this weekend,
> and I wanted to see if this is anything that I should be
> concerned about.
> There hasn't been enough traffic to kill the server or clog
> any pipes, but
> I'm concerned that there could be eventually... or that
> there's something
> else going on here that I'm not aware of! =O
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice 502-564-2020x225
> E-mail agetchelkde.state.ky.us
> Web http://www.kde.state.ky.us/
>