Fred Portnoy fportnoy at mail.plymouth.edu
Wed Feb 18 20:18:03 GMT 2004

Is this all the same source address - I can't tell if you obfuscated the
last two octets for a single source, or if it is for multiple hosts with
non-sequential ephemeral ports.

-multiple hosts

Does the destination address exist on your network? 


thanks for responses


-----Original Message-----
From: Joshua Wright [mailto:Joshua.Wright at jwu.edu] 
Sent: Wednesday, February 18, 2004 3:07 PM
To: fportnoy at mail.plymouth.edu; unisog at sans.org
Subject: RE: [unisog]


Fred Portnoy wrote:

> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > S
> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > S
> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > S
> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > S
> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > S
> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > S
> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

I haven't seen this before, but it certainly looks anomalous.  

Best to get someone over to where this resnet machine is (or where these
machines are) and take them off the network, followed by some forensics to
determine what is causing this traffic.


-Joshua Wright
Joshua.Wright at jwu.edu
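To answer the question Fred raises above (one host, or several hosts with non-sequential ephemeral ports?) mechanically rather than by eye, here is an added Python example, not code from either poster: it rejoins the mail-wrapped tcpdump lines, parses each SYN record and groups them by source host, reporting the source ports in arrival order and whether they climb monotonically. It assumes the old tcpdump record layout shown in the quote, with the destination field absent exactly as it is in the post.

```python
import re
from collections import defaultdict

# Old tcpdump SYN record layout as quoted in the thread; the destination
# host.port is missing from the quoted lines, so it is optional here.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?:(?P<dst>\S+)\s+)?S\s+(?P<seq>\d+):\d+\(0\)\s+win\s+(?P<win>\d+)"
)
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# The post's six records, with the mail client's line wrapping left in place.
SAMPLE = """\
14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > S
348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > S
351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > S
450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > S
351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > S
349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > S
351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

def rejoin_wrapped(text):
    # A line that starts with a timestamp begins a record; anything else is
    # a wrapped continuation of the previous record.
    records = []
    for ln in (raw.strip() for raw in text.splitlines()):
        if TS_RE.match(ln):
            records.append(ln)
        elif ln and records:
            records[-1] += " " + ln
    return records

def parse_syn(record):
    # Fields of one SYN record, or None if the line is not a SYN.
    m = SYN_RE.match(record)
    return m and {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                  "dst": m["dst"], "seq": int(m["seq"]), "win": int(m["win"])}

def summarize(text):
    # Per source host: SYN count, source ports in arrival order, and whether
    # the ports climb monotonically (what a single busy stack usually shows).
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_syn, rejoin_wrapped(text))):
        by_src[rec["src"]].append(rec["sport"])
    return {src: {"syns": len(p), "ports_in_order": p,
                  "ports_monotonic": all(a < b for a, b in zip(p, p[1:]))}
            for src, p in by_src.items()}
```

On the quoted trace this yields two source hosts, with resnet172-163's ports 2274, 2278, 2279, 2275, 2280 arriving out of order.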
