[unisog] Interesting traffic

Peter Van Epp vanepp at sfu.ca
Fri Feb 6 19:07:55 GMT 2004


	As someone else noted (and I should have trigged to because of the 
6667 source port) this is likely backscatter from a DDOS attack with forged
source addresses against an IRC server running on 202.109.129.203 (which 
doesn't resolve in DNS here at the moment). As the real owners of the forged
addresses we get the response traffic from the site being attacked.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Fri, Feb 06, 2004 at 01:16:09PM -0500, Laurie Zirkle wrote:
> Yes, I have seen this IP in our logs since Feb 2 also.  I don't have
> any packet captures, only ipfilters and iptables log messages, though.
> The source port for all was 6667 and the destination ports were either
> 1024 or 3072.  It's been logged on at least 10 of my machines, the latest
> being about 4am EST today.
> 
> On Fri, Feb 06, 2004 at 09:29:40AM -0500, Asadoorian, Paul D wrote:
> > This traffic started on my network on Feb. 2nd, at 7:00AM EST STD time.
> > They all originate from 202.109.129.203, all with a source port of 6667
> > TCP, the destination is my entire class B on TCP ports 1024 and 3072.
> > All packets are RST/ACK.  Anyone else seeing this IP hitting their
> > network?  Looks like someone is spoofing our address space, and I have
> > confirmed that at least one other University is seeing this.
> 
> --
> Laurie Zirkle              E-mail: lat at vt.edu      Pager: (540)953-3691
> Unix SysAdmin (ITS III)    Voice: (540)231-6370    Fax: (540)231-3928
> Virginia Tech CNS, Blacksburg VA  24061-0506
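
The pattern described in this thread (reply-only RST/ACK packets from one source port fanned out across many local addresses) can be picked out of iptables log messages. The following is an added example, not code from the original thread; the log lines are constructed, the destination addresses are documentation ranges, and the `min_hosts` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format; destinations are
# documentation addresses (192.0.2.0/24), not data from the thread.
def _line(src, dst, spt, dpt, flags):
    return (f"Feb  2 07:00:01 fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=40 TTL=48 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=0 {flags} URGP=0")

SAMPLE_LOG = (
    # Reply-only traffic from port 6667 spread over many local hosts
    [_line("202.109.129.203", f"192.0.2.{i}", 6667, 1024 if i % 2 else 3072, "ACK RST")
     for i in range(1, 13)]
    # Contrast: an ordinary SYN sweep, which is a scan and not backscatter
    + [_line("198.51.100.7", f"192.0.2.{i}", 40000 + i, 445, "SYN") for i in range(1, 13)]
    # Contrast: one stray reset from a web server to a single host
    + [_line("203.0.113.9", "192.0.2.5", 80, 51515, "ACK RST")]
)

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAGS = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")

def is_reply(flags):
    """RST/ACK, RST or SYN/ACK: what a server sends in answer to someone's SYN."""
    return flags in ({"ACK", "RST"}, {"RST"}, {"SYN", "ACK"})

def backscatter_candidates(lines, min_hosts=10):
    """Return {(src, sport): n_hosts} for sources sending only reply packets
    from one port to at least min_hosts distinct local addresses."""
    hosts, only_replies = defaultdict(set), defaultdict(lambda: True)
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP":
            continue
        # Flag names follow WINDOW= in the LOG format; ignore text before it
        flags = set(FLAGS.findall(line.split("WINDOW=", 1)[-1]))
        key = (f["SRC"], int(f["SPT"]))
        hosts[key].add(f["DST"])
        only_replies[key] &= is_reply(flags)
    return {k: len(v) for k, v in hosts.items()
            if only_replies[k] and len(v) >= min_hosts}

if __name__ == "__main__":
    for (src, sport), n in backscatter_candidates(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {n} local hosts, reply-only TCP flags")
```

A hit here is only a candidate: confirm against outbound flow or connection logs that no local host actually opened connections to the reported source before treating the traffic as backscatter.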


