[Intrusions] 8.1M hits in minutes w/ this traffic ...

Bill Royds broyds at rogers.com
Mon Oct 11 16:54:26 GMT 2004


It looks like the user has set it up as a game server for Unreal Tournament. That
would kill a router quick.  Look at the contents of the last packet from TCPdump

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Don Murdoch
Sent: Sunday, October 10, 2004 3:55 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] 8.1M hits in minutes w/ this traffic ...

<snip> 
 
tcpdump contains: 
10:31:41.784682 217.224.12.176.1694 > Dons.Net.78.134.153: S
830547571:830547571(0) win 64800 <mss 1440,nop,nop,sackOK> (DF) 
0x0000   4500 0030 ec77 4000 7206 66e7 d9e0 0cb0        E..0.w at .r.f..... 
0x0010   XXXX 4e86 069e 0099 3181 2673 0000 0000        .RN.....1.&s.... 
0x0020   7002 fd20 717e 0000 0204 05a0 0101 0402        p...q~.......... 
10:31:41.784720 62.139.185.75.2714 > Dons.Net.78.134.153: S
2232813922:2232813922(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
0x0000   4500 0030 8271 4000 6e06 c3a7 3e8b b94b        E..0.q at .n...>..K 
0x0010   XXXX 4e86 0a9a 0099 8516 0962 0000 0000        .RN........b.... 
0x0020   7002 faf0 27d4 0000 0204 05b4 0101 0402        p...'........... 
10:31:41.785258 83.36.88.227.1157 > Dons.Net.78.134.153: S
3846402506:3846402506(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) 
0x0000   4500 0030 1bce 4000 6b06 791a 5324 58e3        E..0.. at .k.y.S$X. 
0x0010   XXXX 4e86 0485 0099 e543 71ca 0000 0000        .RN......Cq..... 
0x0020   7002 4000 6c1b 0000 0204 05ac 0101 0402        p. at .l........... 
10:31:41.785304 80.39.163.192.1339 > Dons.Net.78.134.153: S
1685437835:1685437835(0) win 16384 <mss 1444,nop,nop,sackOK> (DF) 
0x0000   4500 0030 04ed 4000 6b06 481b 5027 a3c0        E..0.. at .k.H.P'.. 
0x0010   XXXX 4e86 053b 0099 6475 bd8b 0000 0000        .RN..;..du...... 
0x0020   7002 4000 589a 0000 0204 05a4 0101 0402        p. at .X........... 
 
 10:31:43.851288 Dons.Net.78.134.153 > 217.224.12.176.1694: P 182:1251(1069)
ack 63 win 17218 (DF) 
0x0000   4500 0455 a775 4000 7c06 9dc4 XXXX 4e86        E..U.u at .|....RN. 
0x0010   d9e0 0cb0 0099 069e ca6d 1791 3181 26b2        .........m..1.&. 
0x0020   5018 4342 ca67 0000 3a73 4572 5665 522e        P.CB.g..:sErVeR. 
0x0030   4269 5463 486e 4574 2e6f 7267 2030 3031        BiTcHnEt.org.001 
0x0040   2044 4555 7c36 3337 3432 3720 3a57 656c        .DEU|637427.:Wel 
0x0050   636f 6d65 2074 6f20 7468 6520 4269 5463        come.to.the.BiTc 
0x0060   486e 4574 2d4e 6554 774f 7258 2e6f 7267        HnEt-NeTwOrX.org 
0x0070   2049 5243 204e 6574 776f 726b 2044 4555        .IRC.Network.DEU 
0x0080   7c36 3337 3432 3721 7469 646d 7072 4032        |637427!tidmpr at 2 
0x0090   3137 2e32 3234 2e31 322e 3137 360d 0a3a        17.224.12.176..: 
0x00a0   7345 7256 6552 2e42 6954 6348 6e45 742e        sErVeR.BiTcHnEt. 
0x00b0   6f72 6720 3030 3220 4445 557c 3633 3734        org.002.DEU|6374 
0x00c0   3237 203a 596f 7572 2068 6f73 7420 6973        27.:Your.host.is 
0x00d0   2073 4572 5665 522e 4269 5463 486e 4574        .sErVeR.BiTcHnEt 
0x00e0   2e6f 7267 2c20 7275 6e6e 696e 6720 7665        .org,.running.ve 
0x00f0   7273 696f 6e20 556e 7265 616c 332e 320d        rsion.Unreal3.2. 
0x0100   0a3a 7345 7256 6552 2e42 6954 6348 6e45        .:sErVeR.BiTcHnE 
0x0110   742e 6f72 6720 3030 3320 4445 557c 3633        t.org.003.DEU|63 
0x0120   3734 3237 203a 5468 6973 2073 6572 7665        7427.:This.serve 
0x0130   7220 7761 7320 6372 6561 7465 6420 5765        r.was.created.We 
0x0140   6420 4170 7220 3238 2031 383a 3135 3a31        d.Apr.28.18:15:1 
0x0150   3920 3230 3034 0d0a 3a73 4572 5665 522e        9.2004..:sErVeR. 
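The hex dump above can be read by hand, but a small decoder makes the check Bill recommends (look at what the last packet actually carries) repeatable on a whole capture. What follows is an added example, not code from the thread or from tcpdump: it parses tcpdump `-x` style output, walks the IPv4 and TCP headers to the payload, lists which distinct sources sent bare SYNs to which destination port, and pulls the numeric reply codes out of the CRLF-terminated lines in the payload (RFC 1459 format, where 001/002/003 are the server's welcome, your-host and created replies). The sample dump is constructed from the packets quoted above; the poster masked the first two octets of his own address as `XXXX`, which the parser zero-fills and counts as masked bytes, so the destination decodes as `0.0.78.134`.

```python
"""Decode tcpdump -x output far enough to read ports, flags and payload."""
import re
import struct
from typing import Dict, List, Set

# Constructed from the dump quoted in the thread (two of the SYNs and the
# first rows of the server's reply). XXXX = octets masked by the poster.
SAMPLE_DUMP = """\
10:31:41.784682 217.224.12.176.1694 > Dons.Net.78.134.153: S
830547571:830547571(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
0x0000   4500 0030 ec77 4000 7206 66e7 d9e0 0cb0        E..0.w at .r.f.....
0x0010   XXXX 4e86 069e 0099 3181 2673 0000 0000        .RN.....1.&s....
0x0020   7002 fd20 717e 0000 0204 05a0 0101 0402        p...q~..........
10:31:41.784720 62.139.185.75.2714 > Dons.Net.78.134.153: S
2232813922:2232813922(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 8271 4000 6e06 c3a7 3e8b b94b        E..0.q at .n...>..K
0x0010   XXXX 4e86 0a9a 0099 8516 0962 0000 0000        .RN........b....
0x0020   7002 faf0 27d4 0000 0204 05b4 0101 0402        p...'...........
10:31:43.851288 Dons.Net.78.134.153 > 217.224.12.176.1694: P 182:1251(1069)
ack 63 win 17218 (DF)
0x0000   4500 0455 a775 4000 7c06 9dc4 XXXX 4e86        E..U.u at .|....RN.
0x0010   d9e0 0cb0 0099 069e ca6d 1791 3181 26b2        .........m..1.&.
0x0020   5018 4342 ca67 0000 3a73 4572 5665 522e        P.CB.g..:sErVeR.
0x0030   4269 5463 486e 4574 2e6f 7267 2030 3031        BiTcHnEt.org.001
0x0040   2044 4555 7c36 3337 3432 3720 3a57 656c        .DEU|637427.:Wel
0x0050   636f 6d65 2074 6f20 7468 6520 4269 5463        come.to.the.BiTc
0x0060   486e 4574 2d4e 6554 774f 7258 2e6f 7267        HnEt-NeTwOrX.org
0x0070   2049 5243 204e 6574 776f 726b 2044 4555        .IRC.Network.DEU
0x0080   7c36 3337 3432 3721 7469 646d 7072 4032        |637427!tidmpr at 2
0x0090   3137 2e32 3234 2e31 322e 3137 360d 0a3a        17.224.12.176..:
0x00a0   7345 7256 6552 2e42 6954 6348 6e45 742e        sErVeR.BiTcHnEt.
0x00b0   6f72 6720 3030 3220 4445 557c 3633 3734        org.002.DEU|6374
0x00c0   3237 203a 596f 7572 2068 6f73 7420 6973        27.:Your.host.is
0x00d0   2073 4572 5665 522e 4269 5463 486e 4574        .sErVeR.BiTcHnEt
0x00e0   2e6f 7267 2c20 7275 6e6e 696e 6720 7665        .org,.running.ve
0x00f0   7273 696f 6e20 556e 7265 616c 332e 320d        rsion.Unreal3.2.
0x0100   0a3a 7345 7256 6552 2e42 6954 6348 6e45        .:sErVeR.BiTcHnE
"""

TS_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_dump(text: str) -> List[Dict]:
    """Group the dump into packets: summary line(s) plus the raw bytes."""
    packets: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_LINE.match(line):
            packets.append({"summary": line, "raw": bytearray(), "masked": 0})
        elif line.startswith("0x") and packets:
            cols = re.split(r"\s{2,}", line)          # offset | hex groups | ascii
            for grp in cols[1].split():
                if HEX_GROUP.match(grp):
                    packets[-1]["raw"] += bytes.fromhex(grp)
                else:                                  # XXXX: masked by the poster
                    packets[-1]["raw"] += b"\x00\x00"
                    packets[-1]["masked"] += 2
        elif packets:                                  # wrapped summary line
            packets[-1]["summary"] += " " + line
    return packets


def decode_tcp(raw: bytes) -> Dict:
    """Walk the IPv4 header (IHL gives its length) and the TCP header
    (data offset gives its length) to reach the payload."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not TCP")
    tcp = raw[ihl:]
    sport, dport, seq, _ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flag_bits = tcp[13]
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": [n for b, n in sorted(TCP_FLAGS.items()) if flag_bits & b],
        "payload": bytes(tcp[data_off:]),
    }


def syn_sources_by_port(packets: List[Dict]) -> Dict[int, Set[str]]:
    """Distinct sources that sent a bare SYN, keyed by destination port."""
    out: Dict[int, Set[str]] = {}
    for p in packets:
        d = decode_tcp(p["raw"])
        if d["flags"] == ["SYN"]:
            out.setdefault(d["dport"], set()).add(d["src"])
    return out


def irc_numerics(payload: bytes) -> List[str]:
    """Numeric reply codes of each complete CRLF-terminated IRC line
    (':<prefix> <numeric> <target> :<text>'); a trailing fragment is ignored."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")[:-1]
    codes = []
    for ln in lines:
        fields = ln.split(" ")
        if len(fields) >= 2 and fields[0].startswith(":") and fields[1].isdigit():
            codes.append(fields[1])
    return codes


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    for p in pkts:
        d = decode_tcp(p["raw"])
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"{'|'.join(d['flags'])} payload={len(d['payload'])}B masked={p['masked']}B")
        if d["payload"]:
            print(d["payload"].decode("ascii", errors="replace"))
    print({port: sorted(s) for port, s in syn_sources_by_port(pkts).items()})
```

Run against the sample, the two SYNs come from two different sources to port 153 within the same 40 microseconds, and the reply from port 153 carries IRC numerics 001 and 002 with the banner text quoted in the dump; feeding a longer capture to `syn_sources_by_port` is the quickest way to see how many distinct clients are hammering one port.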