[Dshield] Source Port 7000

Joel Esler eslerj at gmail.com
Sat Apr 22 01:38:12 GMT 2006


Someone is doing a DoS of an IRC server in China (or several) on port
7000. They are spoofing your IPs, and therefore, when the response
comes back to your actual addresses, you are seeing the results.

??

J
On Apr 21, 2006, at 5:55 PM, Valdis.Kletnieks at vt.edu wrote:

> On Fri, 21 Apr 2006 13:47:14 EDT, "Jon R. Kibler" said:
>
>> Apr 16 02:47:09 border6837 list 110 denied tcp 218.66.104.175 
>> (7000) -> x.x.60.42(12914), 1 packet
>
> Do you happen to have a tcpdump or other capture of the problematic
> packets? It would be very helpful to see what the TCP flag bits, in
> particular, are set to. The diagnosis of this is *very* different if
> you're getting back SYN+ACK packets versus SYN versus RST/FIN/etc...
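
The flag-based triage asked for in the quoted reply, as an added example that is not part of the original thread: it reads the flags from raw TCP headers and labels unsolicited packets arriving from source port 7000. The headers are constructed samples (only the two port numbers come from the log line above), and the labels reflect the usual reading of backscatter, which is an assumption here, not something stated in the thread.

```python
import struct
from collections import Counter

# Flag bits in the low 6 bits of bytes 12-13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return src, dst, off_flags & 0x3F

def classify(flags: int) -> str:
    """Label an unsolicited inbound packet by its TCP flags."""
    if flags & RST:
        # Remote end rejected a packet that carried our address as source.
        return "backscatter-rst"
    if flags & SYN and flags & ACK:
        # Remote end accepted a SYN we never sent: reply to a spoofed SYN.
        return "backscatter-synack"
    if flags & SYN:
        # A bare SYN is a new connection attempt toward us, not a reply.
        return "inbound-syn"
    # ACK/FIN/PSH only: segment for a session we hold no state for.
    return "stray-segment"

def triage(headers, service_port=7000):
    """Count labels for packets whose source port is service_port."""
    counts = Counter()
    for raw in headers:
        src, _dst, flags = parse_tcp(raw)
        if src == service_port:
            counts[classify(flags)] += 1
    return counts

def make_header(src, dst, flags):
    """Build a constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, 8192, 0, 0)

# Constructed samples; only the ports come from the log line in the thread.
SAMPLES = [
    make_header(7000, 12914, SYN | ACK),
    make_header(7000, 12914, SYN | ACK),
    make_header(7000, 12914, RST | ACK),
    make_header(7000, 12914, SYN),
    make_header(80, 12914, SYN | ACK),   # other source port, ignored
]

if __name__ == "__main__":
    for label, n in triage(SAMPLES).most_common():
        print(f"{n:3d}  {label}")
```

A capture dominated by SYN+ACK or RST from port 7000 fits the spoofed-source explanation given at the top of this message; a run of bare SYNs would instead be connection attempts aimed at the receiving network.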
