[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000

Michael Sinatra michael at rancid.berkeley.edu
Wed Apr 16 17:01:26 EDT 2008


On Wed, 16 Apr 2008, Michael Sinatra wrote:

> ----------- nsp-security Confidential --------
>
> Our darknet is seeing a lot of SYN-ACK backscatter from 60.191.221.41,
> port 7000.
>
> AS      | IP               | AS Name
> 4134    | 60.191.221.41    | CHINANET-BACKBONE No.31,Jin-rong Street
>
> Not sure whether this is a targeted SYN-ACK attack of some sort or
> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
> port 7000.  You may want to check for flows toward 60.191.221.41 just to
> be on the safe side.

I am seeing more backscatter-looking activity on port 7000 from AS4134 
(and one from AS4887) from the following IP addresses:

4134    | 121.14.151.239   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 58.221.28.35     | CHINANET-BACKBONE No.31,Jin-rong Street
4837    | 218.61.11.32     | CHINA169-BACKBONE CNCGROUP China169 Backbone

Anyone else seeing (apparent) backscatter SYN-ACKs from these hosts/ASes?
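
Added example, not part of the original message: one way to summarize darknet records for the pattern discussed above, SYN-ACKs from a single source address and port spread across many unused addresses. The CSV record layout, the `min_dsts` threshold and the sample addresses (documentation ranges) are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: darknet packet records as CSV
# (time, src, sport, dst, dport, TCP flags). The layout is an assumption
# and all addresses come from documentation ranges.
SAMPLE = """\
1,203.0.113.9,7000,192.0.2.14,31022,SA
2,203.0.113.9,7000,192.0.2.201,4411,SA
3,203.0.113.9,7000,192.0.2.77,50313,SA
4,203.0.113.9,7000,192.0.2.130,1999,SA
5,198.51.100.23,44321,192.0.2.5,445,S
6,198.51.100.23,44322,192.0.2.6,445,S
7,198.51.100.80,80,192.0.2.90,61000,SA
"""

def backscatter_candidates(records, min_dsts=3):
    """Group SYN-ACKs by (src, sport) and keep the sources that reached
    at least min_dsts distinct darknet addresses."""
    dsts = defaultdict(set)
    dports = defaultdict(set)
    count = defaultdict(int)
    for _ts, src, sport, dst, dport, flags in csv.reader(io.StringIO(records)):
        # A darknet sends no SYNs, so any SYN+ACK arriving is unsolicited.
        # Plain SYNs are scanning and are skipped here.
        if set(flags) != {"S", "A"}:
            continue
        key = (src, int(sport))
        dsts[key].add(dst)
        dports[key].add(int(dport))
        count[key] += 1
    out = []
    for key in count:
        if len(dsts[key]) >= min_dsts:
            # Many distinct destination ports alongside one fixed source port
            # fits replies to SYNs sent with randomized spoofed sources.
            out.append({"src": key[0], "sport": key[1], "packets": count[key],
                        "darknet_dsts": len(dsts[key]),
                        "dst_ports": len(dports[key])})
    return sorted(out, key=lambda r: -r["packets"])

if __name__ == "__main__":
    for row in backscatter_candidates(SAMPLE):
        print(row)
```

The summary alone does not settle the question raised in the quoted message; checking flow data for traffic toward the reported source is still needed.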




