[Intrusions] Source port 0 plus the source addr 0.x.x.x ???
Smith, Donald
Donald.Smith at qwest.com
Sun Jun 12 15:39:50 GMT 2005
Just a guess, but a "broken" spoof-local-domain src addresses flooder?
If it tried to read the IP address from the registry but got it wrong, it might have a 0 where the local first octet was supposed to go.
Spoofing from the local network makes sense for many reasons:)
donald.smith at qwest.com giac
-----Original Message-----
From: intrusions-bounces at lists.sans.org on behalf of kurt
Sent: Fri 6/10/2005 7:40 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] Source port 0 plus the source addr 0.x.x.x ???
We had outbound traffic that had a source port of 0 but the spoofed
source address was random from a 0 'network'. The sensor picked it up
as having a port 0, but it's the 0 network that is even more odd.
13:00:22 [E] 0.104.124.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
The detection is from a Dragon sensor log detecting traffic spanned on
an internal switch. We tracked the source and took the Windows PC off
the network. The PC will be shipped to us from our remote office but
in the meantime does anyone recognize this traffic? I'm curious
about the spoofed source addresses, 0.x.x.x. They appear random,
other than the first octet being 0, but this PC was able to choke an internal
router with 50MB of traffic.
BTW, our firewall dropped the outbound traffic so it never reached the
destination, 212.25.182.18.
12:56:59 [E] 0.200.156.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:00 [E] 0.40.187.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:05 [E] 0.136.61.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:15 [E] 0.168.199.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:17 [E] 0.240.6.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:18 [E] 0.128.149.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:20 [E] 0.240.212.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:21 [E] 0.184.191.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:22 [E] 0.64.236.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:23 [E] 0.224.185.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:23 [E] 0.184.234.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:25 [E] 0.32.43.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:25 [E] 0.152.46.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:26 [E] 0.224.241.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:27 [E] 0.128.36.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:30 [E] 0.192.130.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:39 [E] 0.184.83.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:45 [E] 0.224.190.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:51 [E] 0.208.125.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:51 [E] 0.176.228.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:56 [E] 0.144.16.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:57 [E] 0.24.144.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:22 [E] 0.248.18.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:22 [E] 0.176.207.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:23 [E] 0.88.93.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:25 [E] 0.136.43.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:32 [E] 0.0.29.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:32 [E] 0.136.127.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:37 [E] 0.80.26.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:37 [E] 0.144.76.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:39 [E] 0.224.123.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:43 [E] 0.144.34.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:46 [E] 0.208.226.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:48 [E] 0.168.83.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:52 [E] 0.88.154.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:53 [E] 0.168.27.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:55 [E] 0.128.113.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:55 [E] 0.224.181.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:58:57 [E] 0.200.223.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:59:01 [E] 0.224.114.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:59:57 [E] 0.56.92.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:59:58 [E] 0.152.191.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:03 [E] 0.24.225.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:12 [E] 0.96.190.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:21 [E] 0.112.238.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:21 [E] 0.48.108.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:22 [E] 0.104.124.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:25 [E] 0.168.217.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:27 [E] 0.136.196.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:27 [E] 0.0.237.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:31 [E] 0.224.103.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:00:49 [E] 0.152.243.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:10 [E] 0.64.216.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:12 [E] 0.112.125.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:16 [E] 0.88.193.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:18 [E] 0.24.154.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:25 [E] 0.248.74.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:25 [E] 0.144.83.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:27 [E] 0.128.73.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:29 [E] 0.240.9.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:32 [E] 0.160.39.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:35 [E] 0.240.149.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:36 [E] 0.56.199.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:36 [E] 0.112.159.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:42 [E] 0.128.27.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:54 [E] 0.136.31.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:57 [E] 0.32.166.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:58 [E] 0.72.163.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:58 [E] 0.48.178.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:59 [E] 0.0.206.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:01:59 [E] 0.208.61.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:04 [E] 0.176.241.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:04 [E] 0.96.16.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:06 [E] 0.96.0.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:09 [E] 0.96.16.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:13 [E] 0.232.156.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:17 [E] 0.176.123.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:22 [E] 0.64.173.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:23 [E] 0.48.105.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:23 [E] 0.80.160.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:23 [E] 0.8.247.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:33 [E] 0.208.19.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:42 [E] 0.152.200.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:02:59 [E] 0.40.233.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:03:03 [E] 0.104.150.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:08 [E] 0.96.109.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:08 [E] 0.120.111.6 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:31 [E] 0.184.207.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:38 [E] 0.248.126.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:38 [E] 0.24.226.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:40 [E] 0.80.206.5 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:41 [E] 0.88.251.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:42 [E] 0.80.11.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:43 [E] 0.0.64.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:45 [E] 0.40.49.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:46 [E] 0.208.61.4 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:48 [E] 0.160.227.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:50 [E] 0.0.242.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:56 [E] 0.64.63.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
13:04:59 [E] 0.104.228.1 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
100 LINE MAXIMUM
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
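The thread above describes two signals worth automating on an outbound sensor span: a source port of 0, which no real TCP stack chooses as an ephemeral port, and a source address inside 0.0.0.0/8 ("this network", RFC 1122), which can never be a legitimate origin on the wire. It also floats the guess that a buggy address generator, not a true random one, produced the 0.x.x.x sources. The script below is an added example written for this page; it is not the poster's or Dragon's tooling. It parses the two-line Dragon record format shown in the thread, flags events on those two signals plus a BCP 38 style "source not in our own prefixes" check, summarises targets and rate, and ORs the octets of the flagged sources together so that bit positions a generator never toggles show up as zeros. The sample log is constructed: four records copied in the thread's format plus one benign control event; the site prefix 10.0.0.0/8 is an assumed value.

```python
"""Triage helper for Dragon-style [PORT-ZERO] sensor records (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four records in the thread's Dragon format plus one
# benign control event (10.1.2.3 -> 192.0.2.10) that the checks must NOT flag.
SAMPLE_LOG = """\
12:56:59 [E] 0.200.156.2 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:00 [E] 0.40.187.3 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:05 [E] 0.136.61.7 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:15 [E] 0.168.199.0 212.25.182.18 [PORT-ZERO]
(tcp,dp=80,sp=0) (nap-plyint-i01-nids)
12:57:16 [E] 10.1.2.3 192.0.2.10 [WEB-PROBE]
(tcp,dp=80,sp=40123) (nap-plyint-i01-nids)
"""

# Assumption (hypothetical value): the site's own address space, the only
# sources that should ever appear on an outbound span (BCP 38 egress filtering).
SITE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# 0.0.0.0/8 is "this network" (RFC 1122 3.2.1.3): never a valid source on the wire.
BOGON_PREFIXES = [ipaddress.ip_network("0.0.0.0/8")]

# Each Dragon event in the thread is wrapped over two physical lines:
#   HH:MM:SS [E] SRC DST [SIGNATURE]
#   (proto,dp=N,sp=N) (sensor-name)
EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \[E\] (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \[(?P<sig>[^\]]+)\]\s+"
    r"\((?P<proto>\w+),dp=(?P<dp>\d+),sp=(?P<sp>\d+)\) \((?P<sensor>[^)]+)\)$",
    re.MULTILINE,
)


def parse_events(text):
    """Turn two-line Dragon records into dicts with typed fields."""
    events = []
    for m in EVENT_RE.finditer(text):
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dst"] = ipaddress.ip_address(ev["dst"])
        ev["sp"] = int(ev["sp"])
        ev["dp"] = int(ev["dp"])
        ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
        events.append(ev)
    return events


def reasons(ev):
    """Independent reasons to treat an outbound event as spoofed or forged."""
    out = []
    if ev["sp"] == 0:
        out.append("source port 0 (no real stack picks it as an ephemeral port)")
    if any(ev["src"] in net for net in BOGON_PREFIXES):
        out.append("bogon source (0.0.0.0/8)")
    if not any(ev["src"] in net for net in SITE_PREFIXES):
        out.append("source outside site prefixes (fails egress/BCP 38 check)")
    return out


def triage(text):
    """Summarise flagged events: targets, reasons, sensor, and event rate."""
    events = parse_events(text)
    flagged = [ev for ev in events if reasons(ev)]
    summary = {
        "total": len(events),
        "flagged": len(flagged),
        "by_dst": Counter(str(ev["dst"]) for ev in flagged),
        "by_sensor": Counter(ev["sensor"] for ev in flagged),
        "reason_counts": Counter(r for ev in flagged for r in reasons(ev)),
    }
    if flagged:
        span = (flagged[-1]["time"] - flagged[0]["time"]).total_seconds()
        summary["span_seconds"] = span
        summary["events_per_second"] = len(flagged) / span if span else float("inf")
    return summary


def bits_ever_set(text):
    """OR together each octet of the flagged sources.

    A generator that is only partly random leaves some bit positions untouched;
    a position that never toggles across the flagged sources shows up as 0.
    """
    masks = [0, 0, 0, 0]
    for ev in parse_events(text):
        if reasons(ev):
            for i, octet in enumerate(ev["src"].packed):
                masks[i] |= octet
    return tuple(masks)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"{s['flagged']}/{s['total']} events flagged; targets: {dict(s['by_dst'])}")
    for reason, n in s["reason_counts"].items():
        print(f"  {n:3d}  {reason}")
    print("bits ever set per source octet:",
          [f"{m:08b}" for m in bits_ever_set(SAMPLE_LOG)])
```

On the four sample records the octet masks come out as 00000000, 11101000, 11111111, 00000111: the low three bits of the second octet and the high five bits of the fourth never toggle, which is the kind of structure a buggy generator leaves behind and a real random source would not. Run over the full excerpt in the thread the same function gives a quick way to test that guess before the machine arrives for forensics.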