[unisog] Interesting traffic

Peter Van Epp vanepp at sfu.ca
Fri Feb 6 16:18:46 GMT 2004


	Yep us too about the same time (and still going on today). Times here
are PST and hitting both our Class B and a variety of Class Cs that we also
own for various things so it looks pretty much shotgun:

Mon 02/02 03:56:55      tcp 202.109.129.203.6667   ?>  142.58.aaa.115.1024  1      0       0         0        RST
Mon 02/02 03:57:13      tcp 202.109.129.203.6667   ?>   142.58.bb.116.3072  1      0       0         0        RST
Mon 02/02 03:57:14      tcp 202.109.129.203.6667   ?>   142.58.ccc.58.1024  1      0       0         0        RST
Mon 02/02 03:57:19      tcp 202.109.129.203.6667   ?>   142.58.ddd.70.1024  1      0       0         0        RST
Mon 02/02 03:57:21      tcp 202.109.129.203.6667   ?>   206.ff.gg.119.3072  1      0       0         0        RST
Mon 02/02 03:57:23      tcp 202.109.129.203.6667   ?>   142.58.eee.84.3072  1      0       0         0        RST
...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Fri, Feb 06, 2004 at 09:29:40AM -0500, Asadoorian, Paul D wrote:
> This traffic started on my network on Feb. 2nd, at 7:00AM EST STD time.
> They all originate from 202.109.129.203, all with a source port of 6667
> TCP, the destination is my entire class B on TCP ports 1024 and 3072.
> All packets are RST/ACK.  Anyone else seeing this IP hitting their
> network?  Looks like someone is spoofing our address space, and I have
> confirmed that at least one other University is seeing this.
> 
> Thanks,
> 
> Paul
> 
> Paul Asadoorian, GCIA
> Brown University
> 115 Waterman St.
> Providence, RI 02912
> 401.863.7553
> 
> PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
> Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
> Web: http://www.pauldotcom.com 
> 
> Below are some sample packet captures:
> 
> 08:18:33.311596 202.109.129.203.6667 > MY.SUB.NET.105.3072: R [tcp sum ok] 0:0(0) ack 1430504790 win 0 (ttl 113, id 65266, len 40)
> 0x0000   4500 0028 fef2 0000 7106 09a7 ca6d 81cb        E..(....q....m..
> 0x0010   8094 7469 1a0b 0c00 0000 0000 5543 c556        ..ti........UC.V
> 0x0020   5014 0000 2df5 0000 0000 0000 0000             P...-.........
> 08:18:47.262891 202.109.129.203.6667 > MY.SUB.NET.120.3072: R [tcp sum ok] 0:0(0) ack 721129229 win 0 (ttl 113, id 48858, len 40)
> 0x0000   4500 0028 beda 0000 7106 03b0 ca6d 81cb        E..(....q....m..
> 0x0010   8094 ba78 1a0b 0c00 0000 0000 2afb 8f0d        ...x........*...
> 0x0020   5014 0000 4877 0000 0000 0000 0000             P...Hw........
> 08:18:56.304529 202.109.129.203.6667 > MY.SUB.NET.79.3072: R [tcp sum ok] 0:0(0) ack 1329354305 win 0 (ttl 113, id 32292, len 40)
> 0x0000   4500 0028 7e24 0000 7106 258f ca6d 81cb        E..(~$..q.%..m..
> 0x0010   8094 d94f 1a0b 0c00 0000 0000 4f3c 5641        ...O........O<VA
> 0x0020   5014 0000 3e2b 0000 0000 0000 0000             P...>+........
> 08:19:11.265863 202.109.129.203.6667 > MY.SUB.NET.94.1024: R [tcp sum ok] 0:0(0) ack 2123187057 win 0 (ttl 113, id 25059, len 40)
> 0x0000   4500 0028 61e3 0000 7106 c4c1 ca6d 81cb        E..(a...q....m..
> 0x0010   8094 565e 1a0b 0400 0000 0000 7e8d 4371        ..V^........~.Cq
> 0x0020   5014 0000 ac9b 0000 0000 0000 0000             P.............
> 08:19:11.475469 202.109.129.203.6667 > MY.SUB.NET.31.1024: R [tcp sum ok] 0:0(0) ack 878616853 win 0 (ttl 113, id 27716, len 40)
> 0x0000   4500 0028 6c44 0000 7106 359f ca6d 81cb        E..(lD..q.5..m..
> 0x0010   8094 db1f 1a0b 0400 0000 0000 345e a115        ............4^..
> 0x0020   5014 0000 1465 0000 0000 0000 0000             P....e........
> 08:19:12.953427 202.109.129.203.6667 > MY.SUB.NET.48.3072: R [tcp sum ok] 0:0(0) ack 3339124750 win 0 (ttl 113, id 46208, len 40)
> 0x0000   4500 0028 b480 0000 7106 4852 ca6d 81cb        E..(....q.HR.m..
> 0x0010   8094 8030 1a0b 0c00 0000 0000 c707 000e        ...0............
> 0x0020   5014 0000 75b2 0000 0000 0000 0000             P...u.........
> 08:19:24.588327 202.109.129.203.6667 > MY.SUB.NET.110.3072: R [tcp sum ok] 0:0(0) ack 190209852 win 0 (ttl 113, id 62626, len 40)
> 0x0000   4500 0028 f4a2 0000 7106 47f2 ca6d 81cb        E..(....q.G..m..
> 0x0010   8094 406e 1a0b 0c00 0000 0000 0b56 5f3c        ..@n.........V_<
> 0x0020   5014 0000 11f8 0000 0000 0000 0000             P.............
> 08:19:27.530541 202.109.129.203.6667 > MY.SUB.NET.61.1024: R [tcp sum ok] 0:0(0) ack 3262217088 win 0 (ttl 113, id 34348, len 40)
> 0x0000   4500 0028 862c 0000 7106 cc99 ca6d 81cb        E..(.,..q....m..
> 0x0010   8094 2a3d 1a0b 0400 0000 0000 c271 7b80        ..*=.........q{.
> 0x0020   5014 0000 5cc9 0000 0000 0000 0000             P...\.........
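As an added example (not code from Peter's or Paul's posts), the Python below decodes the first capture quoted above straight from tcpdump's hex columns, re-verifies the IP and TCP checksums that tcpdump reported as ok, and tests the packet against the shape of traffic both sites describe: RST/ACK from port 6667, sequence 0, window 0, no data. SAMPLE is the first hex dump above copied verbatim; looks_like_backscatter is my own heuristic, not something the thread proposes.

```python
import re
import struct
from ipaddress import IPv4Address

TCP_RST, TCP_ACK = 0x04, 0x10

# First capture from Paul's message: hex and ASCII columns exactly as tcpdump printed them.
SAMPLE = """\
0x0000   4500 0028 fef2 0000 7106 09a7 ca6d 81cb        E..(....q....m..
0x0010   8094 7469 1a0b 0c00 0000 0000 5543 c556        ..ti........UC.V
0x0020   5014 0000 2df5 0000 0000 0000 0000             P...-.........
"""

def hexdump_to_bytes(dump):
    """tcpdump separates offset, hex words and ASCII with runs of spaces; keep only the hex."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        hexwords = re.split(r"\s{2,}", line.strip())[1]
        raw += bytes.fromhex(hexwords)
    return bytes(raw)

def checksum_ok(data):
    """RFC 1071 one's-complement sum over data that already contains its checksum field."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(pkt):
    """Parse IPv4 + TCP headers and verify both checksums (tcpdump's "[tcp sum ok]")."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl = pkt[8]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    seg = pkt[ihl:total_len]                     # drops the Ethernet trailer padding
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return dict(src=str(src), dst=str(dst), ip_id=ip_id, ttl=ttl,
                sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, win=win,
                payload=len(seg) - (off_flags >> 12) * 4,
                ip_csum_ok=checksum_ok(pkt[:ihl]),
                tcp_csum_ok=checksum_ok(pseudo + seg))

def looks_like_backscatter(p):
    """RST/ACK with seq 0, zero window and no data: a reset answering a SYN the
    receiver never sent, which is what a spoofed-source flood leaves behind."""
    return (p["flags"] == TCP_RST | TCP_ACK and p["seq"] == 0
            and p["win"] == 0 and p["payload"] == 0)
```

The decoded ack of 1430504790, id 65266 and ttl 113 match tcpdump's own summary line, so the hex in the thread is internally consistent.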
