[unisog] 10.10.10.10:36278

Joshua Wright Joshua.Wright at jwu.edu
Wed Feb 18 20:06:39 GMT 2004


Fred,

Fred Portnoy wrote:

> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S
> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

I haven't seen this before, but it certainly looks anomalous.  Is this all the same source address - I can't tell if you obfuscated the last two octets for a single source, or if it is for multiple hosts with non-sequential ephemeral ports.  Does the destination address exist on your network?

Best to get someone over to where this resnet machine is (or where these machines are) and take them off the network, followed by some forensics to determine what is causing this traffic.

HTH,

-Joshua Wright
Joshua.Wright at jwu.edu
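An added example, not part of the original thread, that answers the two questions raised above (one source or several? sequential ephemeral ports or not?) directly from the quoted trace. The six wrapped tcpdump lines are rejoined onto single lines; the regex assumes the old-style tcpdump SYN format shown in the post.

```python
import re
from collections import defaultdict

# Old-style tcpdump SYN line: TIME SRC.SPORT > DST.DPORT: S ISN:ISN(0) win ...
# The source host contains dots, so the port is the last dot-separated field.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): S (?P<isn>\d+):\d+\(0\)"
)

# The six SYNs quoted in the post, each rejoined onto one line.
TRACE = """\
14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

def parse_syns(text):
    """Return one dict per line that matches the SYN format; other lines are skipped."""
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "isn"):
                d[k] = int(d[k])
            syns.append(d)
    return syns

def distinct_sources(syns):
    """Sorted list of distinct source hosts seen sending SYNs."""
    return sorted({s["src"] for s in syns})

def summarize_sources(syns):
    """Per source host: SYN count, source ports in time order, and whether those
    ports strictly increase (a single connect() loop) or jump around, which is
    what you would see from retries or several processes on the same host."""
    by_src = defaultdict(list)
    for s in syns:
        by_src[s["src"]].append(s["sport"])
    return {
        src: {
            "syns": len(ports),
            "ports": ports,
            "monotonic": all(a < b for a, b in zip(ports, ports[1:])),
        }
        for src, ports in by_src.items()
    }

if __name__ == "__main__":
    parsed = parse_syns(TRACE)
    print("sources:", distinct_sources(parsed))
    for src, info in summarize_sources(parsed).items():
        print(src, info)
```

On this trace the output shows two distinct resnet hosts, with resnet172-163 sending five SYNs whose ports are not monotonic (2279 is followed by 2275), so the "non-sequential ephemeral ports" reading fits the data.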
