[Dshield] Spoofed TCP syn/ack source port 7000
TRushing at hollandco.com
Mon Dec 12 18:57:54 GMT 2005
I'm seeing some odd activity on my home DSL that looks like SYN/ACK of
spoofed TCP packets hitting something suffering a DDOS.
Beginning at Dec 10 23:56:17 (-06:00), I started seeing TCP SYN/ACK at all
8 public IPs from source port 7000 to source ports between 7001 and 7300.
I'm only missing 49 of the 300 ports in that range, and there seems to be
no pattern to the missing ports or to the order that the ports are hit. I
have some ports that have been hit more than once. Scans are from two
different IP addresses, but it appears likely either that the same
machine got a new DHCP lease, or that someone decided to DDOS a different
machine. The first set stops at 06:28:46 (-06:00) this morning and then at
09:21:57 starts back up again with a new IP.
Time between scans varies from 10 seconds between SYN/ACKs up to 3 minutes
between scans. I'm concerned that someone may think my machine is
participating in a DOS, when it's just that my IP is being spoofed. I'm
also curious what they are hitting. Port 7000 shows little scan activity
and lists a few trojans as well as afs3-fileserver, but it strikes me as
an odd port to hit.
I have double-checked that it's not actually a machine on my network
responsible for this. I added an outbound rule to block any attempts to
connect to port 7000 and I listened to packets for a bit.
Both IPs are theplanet.com IPs. I'm not publishing them now because it
does appear to me that they are being targeted.
I'm pretty sure there is little else I can do, but wanted to check.
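The check described in the post (confirm the SYN/ACKs are unsolicited backscatter rather than replies to something on the local network, then look at the port spread and timing) as an added example; this is not part of the original message. It assumes a constructed, simplified firewall log format (timestamp, direction, protocol, src:port > dst:port, TCP flags) and constructed addresses; any real log would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the post). Format assumed here:
#   "<date> <time> <IN|OUT> TCP <src>:<sport> > <dst>:<dport> <flags>"
# 198.51.100.10 plays the DDoS victim replying from port 7000; 192.0.2.x are
# our public IPs; the 203.0.113.9:80 exchange is a legitimate connection.
SAMPLE_LOG = """\
2005-12-10 23:56:17 IN  TCP 198.51.100.10:7000 > 192.0.2.5:7001 SA
2005-12-10 23:56:27 IN  TCP 198.51.100.10:7000 > 192.0.2.6:7102 SA
2005-12-10 23:58:40 OUT TCP 192.0.2.5:40321 > 203.0.113.9:80 S
2005-12-10 23:58:40 IN  TCP 203.0.113.9:80 > 192.0.2.5:40321 SA
2005-12-10 23:59:05 IN  TCP 198.51.100.10:7000 > 192.0.2.7:7250 SA
2005-12-11 00:02:11 IN  TCP 198.51.100.10:7000 > 192.0.2.5:7001 SA
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>IN|OUT)\s+TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "dir": d["dir"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def find_backscatter(log_text, window_s=60):
    """Return inbound SYN/ACKs that no outbound SYN of ours explains.

    A SYN/ACK is legitimate only if we sent a SYN to that (ip, port) from the
    same local (ip, port) within window_s seconds; anything else is backscatter
    from a victim answering packets that spoofed our address.
    """
    outbound_syns = {}  # (local_ip, local_port, remote_ip, remote_port) -> time of SYN
    hits = []
    for raw in log_text.splitlines():
        p = parse_line(raw)
        if p is None:
            continue
        if p["dir"] == "OUT" and p["flags"] == "S":
            outbound_syns[(p["src"], p["sport"], p["dst"], p["dport"])] = p["ts"]
        elif p["dir"] == "IN" and p["flags"] == "SA":
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            sent = outbound_syns.get(key)
            if sent is None or (p["ts"] - sent).total_seconds() > window_s:
                hits.append(p)
    return hits


def summarize(hits):
    """Per apparent victim: packet count, port spread, repeats and timing gaps."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h)
    out = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        ports = [p["dport"] for p in pkts]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        out[src] = {
            "packets": len(pkts),
            "source_ports": sorted({p["sport"] for p in pkts}),
            "distinct_dports": len(set(ports)),
            "dport_range": (min(ports), max(ports)),
            "repeated_dports": sorted({p for p in ports if ports.count(p) > 1}),
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return out


if __name__ == "__main__":
    for victim, stats in summarize(find_backscatter(SAMPLE_LOG)).items():
        print(victim, stats)
```

A constant source port with destination ports spread across a narrow range, arriving at several of your addresses with no outbound SYN to account for them, is the signature of a spoofed SYN flood against that source port on the remote host; the remote address is the victim, not the attacker, which is why it should not be reported as a scanner.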