[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000

Brian Eckman eckman at umn.edu
Wed Apr 16 17:27:36 EDT 2008


Michael,

We see a number of unsolicited SYN ACKs from 218.61.11.32:7000/tcp 
beginning at 2008-04-16 16:19:10 GMT, and ongoing.

We were seeing 20-30 pps of unsolicited SYN ACKs from 
60.191.221.41:7000/tcp at the initial time of your report. We still are.

121.14.151.239 and 58.221.28.35 aren't sending anything our way 
currently - I haven't cut flow data for them.

Brian

Michael Sinatra wrote:
> ----------- nsp-security Confidential --------
> 
> On Wed, 16 Apr 2008, Michael Sinatra wrote:
> 
>> ----------- nsp-security Confidential --------
>>
>> Our darknet is seeing a lot of SYN-ACK backscatter from 60.191.221.41,
>> port 7000.
>>
>> AS      | IP               | AS Name
>> 4134    | 60.191.221.41    | CHINANET-BACKBONE No.31,Jin-rong Street
>>
>> Not sure whether this is a targeted SYN-ACK attack of some sort or
>> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
>> port 7000.  You may want to check for flows toward 60.191.221.41 just to
>> be on the safe side.
> 
> I am seeing more backscatter-looking activity on port 7000 from AS4134 
> (and one from AS4887) from the following IP addresses:
> 
> 4134    | 121.14.151.239   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 58.221.28.35     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837    | 218.61.11.32     | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 
> Anyone else seeing (apparent) backscatter SYN-ACKs from these hosts/ASes?
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________


-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
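
Added example, not part of the original thread: one way to pull unsolicited SYN-ACKs like those reported above out of flow data and get a per-source packet rate. The record layout, the 60-second matching window and every address (documentation ranges) are assumptions constructed for illustration.

```python
SYN, ACK = 0x02, 0x10  # TCP flag bits

def unsolicited_synacks(flows, window=60):
    """Map (src_ip, src_port) -> stats for SYN-ACKs that answer no SYN
    sent from our side within `window` seconds beforehand."""
    syn_sent = {}  # (local_ip, local_port, remote_ip, remote_port) -> time of SYN
    hits = {}
    for ts, sip, sport, dip, dport, flags in sorted(flows):
        handshake = flags & (SYN | ACK)
        if handshake == SYN:
            syn_sent[(sip, sport, dip, dport)] = ts
        elif handshake == (SYN | ACK):
            sent = syn_sent.get((dip, dport, sip, sport))
            if sent is not None and ts - sent <= window:
                continue  # reply to a connection we opened
            h = hits.setdefault((sip, sport),
                                {"count": 0, "first": ts, "last": ts, "dsts": set()})
            h["count"] += 1
            h["last"] = ts
            h["dsts"].add(dip)
    return hits

def rate_pps(h):
    """Average packets per second over the observed whole-second span."""
    return h["count"] / (h["last"] - h["first"] + 1)

# Constructed sample: one legitimate handshake, then 100 SYN-ACKs from a single
# source port sprayed across addresses that never sent a SYN.
SAMPLE = [
    (1000, "192.0.2.10", 40000, "203.0.113.5", 443, SYN),
    (1001, "203.0.113.5", 443, "192.0.2.10", 40000, SYN | ACK),
] + [
    (1000 + i // 25, "198.51.100.7", 7000, f"192.0.2.{i + 20}", 1024 + i, SYN | ACK)
    for i in range(100)
]

if __name__ == "__main__":
    for (ip, port), h in unsolicited_synacks(SAMPLE).items():
        print(f"{ip}:{port} {h['count']} pkts, {len(h['dsts'])} dsts, {rate_pps(h):.0f} pps")
```

A high count from one source port spread over many destinations that never sent a SYN is the pattern the thread calls backscatter; this check alone cannot tell it apart from a targeted SYN-ACK flood.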


