Re: Port 0 packets

From: Russell Fulton (r.fultonauckland.ac.nz)
Date: Wed Jul 23 2003 - 15:38:47 CDT


On Wed, 2003-07-23 at 12:28, Stuart wrote:
> Hi,
>
> After recently reviewing firewall logs from ISA server I have come
> across a period where the box was hit with an approx. average of 3 - 4
> packets per 5 minute period for 8 hours.

Over the last few days snort has been complaining about packets on TCP 0
to an address in our network. I finally got to investigate it yesterday.

The packets were coming from two IP addresses in China and were TCP with
RST+ACK flags set. I then used our argus <www.qosient.com> logs to
examine all the traffic between the addresses. It turned out that there
was a flood of incoming packets with random source and destination
ports. So snort was triggering on a tiny proportion of the total
packets.

I concluded that this was fallout from a DoS attack on the two Chinese
machines in which our address had been spoofed.

Given the frequency of your packets and the likelihood that you would
have noticed if there was other traffic from the source, this probably is
not the same scenario. One thing that would help us work out possible
causes is some more details about the packets -- TCP or UDP, flags etc.

--
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
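The triage Russell describes (an IDS port-0 alert turning out to be a sliver of a much larger RST+ACK flood from a spoofed-source DoS victim) can be automated over a flow or packet log. The script below is an added example, not code from the original post or from argus or snort. It assumes a local prefix (a RFC 5737 documentation range stands in), a constructed log in a simplified "proto src sport dst dport flags" format with tcpdump-style flag letters, and thresholds (`MIN_PACKETS`, `MIN_PORT_ENTROPY`) chosen for the small sample; real argus `ra` output would need a different parser. It scores each external host on the three traits of backscatter seen in the post: reply-only flags (RST+ACK or SYN+ACK), no SYN ever sent from our side to that host, and destination ports spread almost uniformly, and it also reports what fraction of the flood a port-0 rule would have caught.

```python
"""Separate DoS backscatter from real conversations in a packet/flow log.

Backscatter: a third party floods a victim with SYNs whose source address is
spoofed to be ours, and the victim answers each one with RST+ACK (or SYN+ACK)
aimed at us.  Ports on those replies look random, so only a sliver of them hit
port 0 and trip an IDS rule.  Added example; assumptions are marked below.
"""
import ipaddress
import math
from collections import defaultdict

# Assumed local prefix (RFC 5737 documentation range as a stand-in).
OUR_NET = ipaddress.ip_network("198.51.100.0/24")
MIN_PACKETS = 2          # low for the constructed sample; raise for real logs
MIN_PORT_ENTROPY = 0.8   # normalized Shannon entropy of inbound dports

# Constructed sample records (not a real capture).  Fields: proto src sport dst
# dport flags, with tcpdump-style flag letters (S=SYN, A=ACK, R=RST, F=FIN).
SAMPLE_LOG = """\
tcp 203.0.113.7 4431 198.51.100.5 17755 RA
tcp 203.0.113.7 55021 198.51.100.5 0 RA
tcp 203.0.113.7 19 198.51.100.5 62001 RA
tcp 203.0.113.7 27015 198.51.100.5 3301 RA
tcp 203.0.113.7 60234 198.51.100.5 8 RA
tcp 203.0.113.7 1201 198.51.100.5 49152 RA
tcp 203.0.113.7 33 198.51.100.5 2020 RA
tcp 203.0.113.7 7777 198.51.100.5 41 RA
tcp 203.0.113.7 8080 198.51.100.5 31337 RA
tcp 203.0.113.7 9 198.51.100.5 6000 RA
tcp 203.0.113.9 0 198.51.100.5 1026 RA
tcp 203.0.113.9 443 198.51.100.5 40001 RA
tcp 203.0.113.9 51000 198.51.100.5 22 RA
tcp 203.0.113.9 2 198.51.100.5 12345 RA
tcp 203.0.113.9 65000 198.51.100.5 700 RA
tcp 198.51.100.5 50123 203.0.113.50 80 S
tcp 203.0.113.50 80 198.51.100.5 50123 SA
tcp 198.51.100.5 50123 203.0.113.50 80 A
tcp 198.51.100.5 50124 203.0.113.50 80 S
tcp 203.0.113.50 80 198.51.100.5 50124 SA
"""


def parse_log(text):
    """Turn whitespace-separated records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, sport, dst, dport, flags = parts
        records.append({"proto": proto, "src": ipaddress.ip_address(src),
                        "sport": int(sport), "dst": ipaddress.ip_address(dst),
                        "dport": int(dport), "flags": flags})
    return records


def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1]."""
    if len(values) < 2:
        return 0.0
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    n = len(values)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def host_profiles(records):
    """Per external host: what it sent us and whether we ever opened to it."""
    prof = defaultdict(lambda: {"inbound": 0, "reply_only": 0,
                                "our_syn": 0, "dports": []})
    for r in records:
        if r["proto"] != "tcp":
            continue
        src_local, dst_local = r["src"] in OUR_NET, r["dst"] in OUR_NET
        f = r["flags"]
        if dst_local and not src_local:                 # external -> us
            p = prof[str(r["src"])]
            p["inbound"] += 1
            p["dports"].append(r["dport"])
            if "R" in f or ("S" in f and "A" in f):     # RST+ACK / SYN+ACK
                p["reply_only"] += 1
        elif src_local and not dst_local:               # us -> external
            if "S" in f and "A" not in f:               # a SYN we originated
                prof[str(r["dst"])]["our_syn"] += 1
    return prof


def classify(records):
    """Return {host: 'backscatter' | 'conversation' | 'unknown'}."""
    verdicts = {}
    for host, p in host_profiles(records).items():
        if p["inbound"] < MIN_PACKETS:
            verdicts[host] = "unknown"
            continue
        reply_share = p["reply_only"] / p["inbound"]
        spread = normalized_entropy(p["dports"])
        if p["our_syn"] == 0 and reply_share >= 0.9 and spread >= MIN_PORT_ENTROPY:
            verdicts[host] = "backscatter"
        else:
            verdicts[host] = "conversation"
    return verdicts


def port0_share(records):
    """Fraction of inbound TCP packets touching port 0 on either end: the
    slice of the whole flood that a port-0 IDS rule would actually see."""
    inbound = [r for r in records if r["proto"] == "tcp"
               and r["dst"] in OUR_NET and r["src"] not in OUR_NET]
    if not inbound:
        return 0.0
    hits = sum(1 for r in inbound if r["sport"] == 0 or r["dport"] == 0)
    return hits / len(inbound)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, verdict in sorted(classify(recs).items()):
        print(f"{host:15} {verdict}")
    print(f"port-0 share of inbound packets: {port0_share(recs):.1%}")
```

On the sample the two "Chinese" hosts come out as backscatter and the web server we opened a connection to comes out as a conversation, even though its SYN+ACK replies have the same flag shape; the deciding trait is the SYN we sent. The port-0 share (2 of 17 inbound packets here) is the same "tiny proportion" effect as in the post, which is why a port-0 alert alone says little about the size of the event.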
