[Dshield] DDOS packet signature?

Frank Knobbe frank at knobbe.us
Wed Aug 10 04:52:37 GMT 2005


On Tue, 2005-08-09 at 21:54 -0500, TRushing at hollandco.com wrote:
> Destination port on my machine was always either 1024 or 3072.  Source 
> ports were 22, 53, 80, 6667 and 6668.

Perhaps someone is performing a scan against a server using spoofed
decoy addresses, yours being one of them. That's why you get the
SYN-ACKs back without having sent one. An alternative might be that
someone is trying to SYN flood an IRC server, again with spoofed IP
addresses, one of which matches yours.

Since you observed the ports listed above, it's quite possible that your
IP was used in a decoy scan.

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
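
Added example, not part of the original post: a Python sketch of how a defender could confirm the backscatter explanation above by flagging inbound SYN-ACKs that match no outbound SYN. The record layout, function names and all addresses (documentation ranges) are assumptions constructed for illustration; only the port numbers come from the thread.

```python
# Constructed sample records, not real traffic:
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
LOCAL = "192.0.2.10"  # placeholder for the monitored host
PACKETS = [
    ("out", LOCAL, 40112, "198.51.100.7", 80, "S"),   # genuine outbound SYN
    ("in", "198.51.100.7", 80, LOCAL, 40112, "SA"),   # solicited SYN-ACK
    ("in", "203.0.113.5", 22, LOCAL, 1024, "SA"),     # no SYN was ever sent
    ("in", "203.0.113.5", 53, LOCAL, 3072, "SA"),
    ("in", "203.0.113.5", 80, LOCAL, 1024, "SA"),
    ("in", "203.0.113.5", 6667, LOCAL, 3072, "SA"),
    ("in", "203.0.113.5", 6668, LOCAL, 1024, "SA"),
    ("in", "203.0.113.9", 443, LOCAL, 51000, "S"),    # plain inbound SYN, ignored
]


def unsolicited_synacks(packets, local_ip):
    """Return inbound SYN-ACKs for which the local host never sent a SYN."""
    pending = set()  # (remote_ip, remote_port, local_port) of SYNs we sent
    hits = []
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and src == local_ip and flags == "S":
            pending.add((dst, dport, sport))
        elif direction == "in" and dst == local_ip and flags == "SA":
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)   # handshake reply we asked for
            else:
                hits.append(key)       # reply to a SYN someone spoofed as us
    return hits


def summarize(hits):
    """Group unsolicited SYN-ACKs per remote host with the ports involved."""
    summary = {}
    for remote, rport, lport in hits:
        entry = summary.setdefault(
            remote, {"count": 0, "src_ports": set(), "dst_ports": set()})
        entry["count"] += 1
        entry["src_ports"].add(rport)
        entry["dst_ports"].add(lport)
    return {r: {"count": e["count"],
                "src_ports": sorted(e["src_ports"]),
                "dst_ports": sorted(e["dst_ports"])}
            for r, e in summary.items()}


if __name__ == "__main__":
    for remote, info in summarize(unsolicited_synacks(PACKETS, LOCAL)).items():
        print(remote, info)
```

Many well-known service ports on one remote host answering a handful of fixed local ports, with no outbound SYNs at all, is the pattern the reply attributes to a spoofed scan or flood.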