[Dshield] Spoofed TCP syn/ack source port 7000

TRushing@hollandco.com
Mon Dec 12 18:57:54 GMT 2005


I'm seeing some odd activity on my home DSL that looks like SYN/ACK of 
spoofed TCP packets hitting something suffering a DDOS.

Beginning at Dec 10 23:56:17 (-06:00), I started seeing TCP SYN/ACK at all 
8 public IPs from source port 7000 to source ports between 7001 and 7300. 
I'm only missing 49 of the 300 ports in that range, and there seems to be 
no pattern to the missing ports or to the order that the ports are hit.  I 
have some ports that have been hit more than once.  Scans are from two 
different IP addresses, but it appears likely that either the same 
machine got a new DHCP lease, or someone decided to DDOS a different 
machine.  The first set stops at 06:28:46 (-06:00) this morning and then at 
09:21:57 starts back up again with a new IP. 

Time between scans varies from 10 seconds between SYN/ACKs to up to 3 minutes 
between scans.  I'm concerned that someone may think my machine is 
participating in a DOS, when it's just that my IP is being spoofed.  I'm 
also curious what they are hitting.  Port 7000 shows little scan activity 
and lists a few trojans as well as afs3-fileserver, but it strikes me as 
an odd port to hit.

I have double-checked that it's not actually a machine on my network 
responsible for this.  I added an outbound rule to block any attempts to 
connect to port 7000 and I listened to packets for a bit.

Both IPs are theplanet.com IPs.  I'm not publishing them now because it 
does appear to me that they are being targeted.

I'm pretty sure there is little else I can do, but wanted to check.
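The pattern described in the post (inbound SYN/ACKs that answer no SYN of our own, all from one sender port, with destination ports walking through a narrow range) is what is usually called backscatter from a spoofed SYN flood against the sender. The script below is an added example, not code from the original post or from the DShield project: it reads simplified iptables-style firewall log lines, separates unsolicited SYN/ACKs from legitimate replies to connections we opened, and summarises per sender the port coverage and the gaps between packets, which is the evidence you would keep if you needed to show your address was spoofed rather than participating. The log format, the addresses (documentation ranges) and the lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a simplified iptables-LOG style
# (not taken from the original post). Addresses are documentation ranges:
# 198.51.100.10-12 stand in for the home's public IPs, 203.0.113.7 is the
# unsolicited SYN/ACK sender, 192.0.2.80 is a server we really connected to.
SAMPLE_LOG = """\
Dec 10 23:56:17 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=7000 DPT=7012 ACK SYN
Dec 10 23:56:27 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=7000 DPT=7150 ACK SYN
Dec 10 23:59:27 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=7000 DPT=7012 ACK SYN
Dec 10 23:59:40 gw kernel: IN= OUT=ppp0 SRC=198.51.100.10 DST=192.0.2.80 PROTO=TCP SPT=51000 DPT=443 SYN
Dec 10 23:59:41 gw kernel: IN=ppp0 OUT= SRC=192.0.2.80 DST=198.51.100.10 PROTO=TCP SPT=443 DPT=51000 ACK SYN
Dec 11 00:01:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=7000 DPT=7299 ACK SYN
"""

# Assumed log layout: syslog timestamp, host, "kernel:", then iptables fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_line(line):
    """Return a dict for one TCP log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    rec["flags"] = {tok for tok in rec.pop("rest").split() if tok in TCP_FLAGS}
    rec["inbound"] = bool(rec["in"])  # a non-empty IN= interface means the packet arrived
    return rec


def analyze_backscatter(lines):
    """Group inbound SYN/ACKs that answer no SYN we sent, keyed by sender address."""
    outbound_syns = set()        # (local_ip, local_port, remote_ip, remote_port)
    hits = defaultdict(list)     # sender -> [(timestamp, our_port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["inbound"] and rec["flags"] == {"SYN"}:
            outbound_syns.add((rec["src"], rec["spt"], rec["dst"], rec["dpt"]))
        elif rec["inbound"] and rec["flags"] == {"SYN", "ACK"}:
            if (rec["dst"], rec["dpt"], rec["src"], rec["spt"]) in outbound_syns:
                continue         # legitimate reply to a connection we opened
            hits[rec["src"]].append((rec["ts"], rec["dpt"]))
    report = {}
    for sender, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        ports = [p for _, p in events]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[sender] = {
            "packets": len(events),
            "distinct_dports": len(set(ports)),
            "port_range": (min(ports), max(ports)),
            "first_seen": times[0],
            "last_seen": times[-1],
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for sender, summary in analyze_backscatter(SAMPLE_LOG.splitlines()).items():
        print(f"unsolicited SYN/ACK from {sender}:")
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

The report for the constructed lines attributes four unsolicited SYN/ACKs to 203.0.113.7 hitting three distinct ports between 7012 and 7299, with gaps of 10 to 180 seconds, while the SYN/ACK from 192.0.2.80 is dropped because it matches the outbound SYN to port 443. Run against a real firewall log, the per-sender first/last timestamps and the absence of any matching outbound SYN are the two facts worth keeping if the sender's operator or your ISP asks whether your hosts took part.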

