[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000

Patrick Bergen pbergen at uen.org
Wed Apr 16 18:11:58 EDT 2008


Other ISPs have confirmed that they are seeing the same thing. Looks like
a bunch of backscatter.


On 4/16/08 3:27 PM, "Brian Eckman" <eckman at umn.edu> wrote:

> ----------- nsp-security Confidential --------
> 
> Michael,
> 
> We see a number of unsolicited SYN ACKs from 218.61.11.32:7000/tcp
> beginning at 2008-04-16 16:19:10 GMT, and ongoing.
> 
> We were seeing 20-30 pps of unsolicited SYN ACKs from
> 60.191.221.41:7000/tcp at the initial time of your report. We still are.
> 
> 121.14.151.239 and 58.221.28.35 aren't sending anything our way
> currently - I haven't cut flow data for them.
> 
> Brian
> 
> Michael Sinatra wrote:
>> ----------- nsp-security Confidential --------
>> 
>> On Wed, 16 Apr 2008, Michael Sinatra wrote:
>> 
>>> ----------- nsp-security Confidential --------
>>> 
>>> Our darknet is seeing a lot of SYN-ACK backscatter from 60.191.221.41,
>>> port 7000.
>>> 
>>> AS      | IP               | AS Name
>>> 4134    | 60.191.221.41    | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 
>>> Not sure whether this is a targeted SYN-ACK attack of some sort or
>>> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
>>> port 7000.  You may want to check for flows toward 60.191.221.41 just to
>>> be on the safe side.
>> 
>> I am seeing more backscatter-looking activity on port 7000 from AS4134
>> (and one from AS4887) from the following IP addresses:
>> 
>> 4134    | 121.14.151.239   | CHINANET-BACKBONE No.31,Jin-rong Street
>> 4134    | 58.221.28.35     | CHINANET-BACKBONE No.31,Jin-rong Street
>> 4837    | 218.61.11.32     | CHINA169-BACKBONE CNCGROUP China169 Backbone
>> 
>> Anyone else seeing (apparent) backscatter SYN-ACKs from these hosts/ASes?
>> 
> 

-- 
Patrick Bergen, CISSP
Sr. Systems Security Analyst
UEN Security Office
(801) 949-0777 Cell
(801) 581-4499 Office
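
The check discussed in this thread, as an added example that is not part of the original messages: it summarises SYN-ACKs that answer no SYN sent from local space, per remote source and port, and counts local packets toward that source. The record layout, the function name, and the 192.0.2.0/24, 203.0.113.41 and 198.51.100.5 addresses are assumptions, and the sample is constructed.

```python
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local/darknet space

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def unsolicited_synacks(records):
    """Summarise SYN-ACKs that answer no SYN sent from local space.

    records: (epoch_sec, src_ip, src_port, dst_ip, dst_port, tcp_flags),
    one tuple per packet. Returns {(src_ip, src_port): stats}.
    """
    records = list(records)
    asked = set()              # 4-tuples of SYNs that local hosts really sent
    toward = defaultdict(int)  # remote ip -> packets local hosts sent to it
    for ts, sip, sport, dip, dport, flags in records:
        if is_local(sip):
            toward[dip] += 1
            if flags & SYN and not flags & ACK:
                asked.add((sip, sport, dip, dport))
    out = {}
    for ts, sip, sport, dip, dport, flags in records:
        if (flags & (SYN | ACK)) != (SYN | ACK) or not is_local(dip):
            continue
        if (dip, dport, sip, sport) in asked:
            continue           # reply to a real local connection attempt
        s = out.setdefault((sip, sport),
                           {"packets": 0, "targets": set(), "first": ts, "last": ts})
        s["packets"] += 1
        s["targets"].add(dip)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    for (sip, _), s in out.items():
        s["pps"] = s["packets"] / max(s["last"] - s["first"], 1)
        s["local_packets_toward_source"] = toward.get(sip, 0)
    return out

# Constructed sample, not real traffic: 100 SYN-ACKs over 4 s from one remote
# port to 50 local addresses, plus one legitimate handshake to be ignored.
SAMPLE = [(i // 20, "203.0.113.41", 7000, f"192.0.2.{i % 50 + 1}", 1024 + i, SYN | ACK)
          for i in range(100)]
SAMPLE += [(1, "192.0.2.10", 40000, "198.51.100.5", 443, SYN),
           (1, "198.51.100.5", 443, "192.0.2.10", 40000, SYN | ACK)]

if __name__ == "__main__":
    for (ip, port), s in unsolicited_synacks(SAMPLE).items():
        print(f"{ip}:{port} {s['packets']} pkts, {s['pps']:.0f} pps, "
              f"{len(s['targets'])} targets, "
              f"local pkts toward source: {s['local_packets_toward_source']}")
```

Many local targets with zero local packets toward the source is the pattern consistent with backscatter; a non-zero count is the case worth checking flows for.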


