[unisog] Interesting traffic
Peter Van Epp
vanepp at sfu.ca
Fri Feb 6 19:07:55 GMT 2004
As someone else noted (and I should have twigged to because of the
6667 source port) this is likely backscatter from a DDOS attack with forged
source addresses against an IRC server running on 184.108.40.206 (which
doesn't resolve in DNS here at the moment). As the real owners of the forged
addresses we get the response traffic from the site being attacked.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Fri, Feb 06, 2004 at 01:16:09PM -0500, Laurie Zirkle wrote:
> Yes, I have seen this IP in our logs since Feb 2 also. I don't have
> any packet captures, only ipfilters and iptables log messages, though.
> The source port for all was 6667 and the destination ports were either
> 1024 or 3072. It's been logged on at least 10 of my machines, the latest
> being about 4am EST today.
> On Fri, Feb 06, 2004 at 09:29:40AM -0500, Asadoorian, Paul D wrote:
> > This traffic started on my network on Feb. 2nd, at 7:00AM EST STD time.
> > They all originate from 220.127.116.11, all with a source port of 6667
> > TCP, the destination is my entire class B on TCP ports 1024 and 3072.
> > All packets are RST/ACK. Anyone else seeing this IP hitting their
> > network? Looks like someone is spoofing our address space, and I have
> > confirmed that at least one other University is seeing this.
> Laurie Zirkle E-mail: lat at vt.edu Pager: (540)953-3691
> Unix SysAdmin (ITS III) Voice: (540)231-6370 Fax: (540)231-3928
> Virginia Tech CNS, Blacksburg VA 24061-0506
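
The pattern reported in this thread (RST/ACK segments from one address and source port, spread across many local addresses) can be picked out of iptables logs. The sketch below is an added example, not code from any poster in the thread; the log lines are constructed and trimmed, the addresses are documentation ranges, and the function names and `min_targets` threshold are assumptions. It generalizes slightly by also counting SYN/ACK as a reply, since a victim answers forged SYNs to an open port that way.

```python
import re
from collections import defaultdict

# Constructed, trimmed iptables LOG lines (documentation addresses, not thread data).
SAMPLE_LOG = """\
Feb  6 04:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=6667 DPT=1024 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  6 04:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=6667 DPT=3072 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  6 04:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.77 PROTO=TCP SPT=6667 DPT=1024 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  6 04:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.130 PROTO=TCP SPT=6667 DPT=3072 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  6 04:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  6 04:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  6 04:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.7 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  6 04:00:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=33000 LEN=60
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")  # TCP flag names sit between RES= and URGP=

def parse(line):
    """Return (src, spt, dst, dpt, flags) for a TCP log line, else None."""
    f = dict(FIELD.findall(line))
    m = FLAGS.search(line)
    if f.get("PROTO") != "TCP" or not m or not f.keys() >= {"SRC", "DST", "SPT", "DPT"}:
        return None
    return f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]), frozenset(m.group(1).split())

def is_reply(flags):
    """RST or SYN+ACK: segments a host sends only in answer to someone else's packet."""
    return "RST" in flags or {"SYN", "ACK"} <= flags

def find_backscatter(lines, min_targets=3):
    """Map (src, sport) -> (distinct local targets, dest ports) for reply-only sources."""
    seen = defaultdict(lambda: {"dsts": set(), "dpts": set(), "other": 0})
    for rec in filter(None, map(parse, lines)):
        src, spt, dst, dpt, flags = rec
        group = seen[(src, spt)]
        if is_reply(flags):
            group["dsts"].add(dst)
            group["dpts"].add(dpt)
        else:
            group["other"] += 1  # e.g. bare SYNs: a probe, not backscatter
    return {key: (len(g["dsts"]), sorted(g["dpts"])) for key, g in seen.items()
            if g["other"] == 0 and len(g["dsts"]) >= min_targets}

if __name__ == "__main__":
    print(find_backscatter(SAMPLE_LOG.splitlines()))
```

A hit only has meaning if the local hosts never opened connections to the reported address; comparing against outbound flow or connection-tracking records settles that.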