From: Portnoy, Gary (gportnoy@BELENOSINC.COM)
Date: Fri Mar 09 2001 - 15:22:41 CST
Hi there,
For about 30 minutes I experienced what I thought was a DoS, but it was very
strange. In that timeframe I received about 19,000 packets, from 7
different hosts: 217.67.238.156, 137.30.57.125, 212.6.212.98, 194.29.192.21,
212.182.30.34, 211.39.129.201, 172.138.190.200. The source port was all
over the range from 2 to ~ 60,000. The destination address was one of five
IPs, and the destination port was 1 of 21 ports, ranging from 1029 to 1978.
What I noticed is that certain destination IPs had certain destination
ports; for example, destination port 1029 would only occur with destination
ip x.y.z.194, destination port 1849 would only occur with destination ip
x.y.z.195, etc. And after 30 minutes this stopped. I haven't seen anything
from those addresses since. Unfortunately I don't have Snort running on
that network, so no network capture is possible. But here is a sample of
the log, time is ETC (GMT -5:00):
Date     Time      Source           Source Port   Destination   Destination Port
3/9/01   11:48:18  212.182.30.34    25            x.y.z.196     1233
3/9/01   11:48:18  194.29.192.21    88            x.y.z.196     1233
3/9/01   11:50:29  211.39.129.201   6             x.y.z.195     1364
3/9/01   11:50:29  217.67.238.156   122           x.y.z.195     122
3/9/01   11:50:45  194.29.192.21    174           x.y.z.194     1780
etc.
Any ideas?
Gary Portnoy
Network Administrator
gportnoy@belenosinc.com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
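Added example, not part of the original post: a small parser for the log layout shown above that checks the poster's observation (each destination port pairs with exactly one destination IP) and summarizes source spread. The input lines are constructed in the same format, not the real capture.

```python
from collections import defaultdict

# Constructed sample in the same layout as the log in the post (not the real capture).
SAMPLE_LOG = """\
3/9/01 11:48:18 212.182.30.34 25 x.y.z.196 1233
3/9/01 11:48:18 194.29.192.21 88 x.y.z.196 1233
3/9/01 11:50:29 211.39.129.201 6 x.y.z.195 1364
3/9/01 11:50:29 217.67.238.156 122 x.y.z.195 122
3/9/01 11:50:45 194.29.192.21 174 x.y.z.194 1780
3/9/01 11:51:02 137.30.57.125 4411 x.y.z.194 1029
3/9/01 11:51:07 172.138.190.200 59999 x.y.z.194 1029
"""


def parse_log(text):
    """Yield (src, sport, dst, dport) from lines of 'date time src sport dst dport'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skips header lines and trailing 'etc.' lines
        _date, _time, src, sport, dst, dport = parts
        yield src, int(sport), dst, int(dport)


def summarize(records):
    """Group by destination IP and test whether every dport maps to a single dst."""
    ports_by_dst = defaultdict(set)
    dsts_by_port = defaultdict(set)
    sources = set()
    sports = []
    for src, sport, dst, dport in records:
        ports_by_dst[dst].add(dport)
        dsts_by_port[dport].add(dst)
        sources.add(src)
        sports.append(sport)
    return {
        "ports_by_dst": {d: sorted(p) for d, p in ports_by_dst.items()},
        "one_dst_per_port": all(len(d) == 1 for d in dsts_by_port.values()),
        "distinct_sources": len(sources),
        "sport_range": (min(sports), max(sports)) if sports else None,
    }


def analyze(text=SAMPLE_LOG):
    return summarize(parse_log(text))


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```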