[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000
Patrick Bergen
pbergen at uen.org
Wed Apr 16 18:15:32 EDT 2008
Sorry for the spam... Was trying to reply to one of my co-workers (also NSP...),
pasted wrong buffer...
On 4/16/08 4:11 PM, "Patrick Bergen" <pbergen at uen.org> wrote:
> ----------- nsp-security Confidential --------
>
> Other ISPs have confirmed that they are seeing the same thing. Looks like
> a bunch of backscatter.
>
>
> On 4/16/08 3:27 PM, "Brian Eckman" <eckman at umn.edu> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Michael,
>>
>> We see a number of unsolicited SYN ACKs from 218.61.11.32:7000/tcp
>> beginning at 2008-04-16 16:19:10 GMT, and ongoing.
>>
>> We were seeing 20-30 pps of unsolicited SYN ACKs from
>> 60.191.221.41:7000/tcp at the initial time of your report. We still are.
>>
>> 121.14.151.239 and 58.221.28.35 aren't sending anything our way
>> currently - I haven't cut flow data for them.
>>
>> Brian
>>
>> Michael Sinatra wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> On Wed, 16 Apr 2008, Michael Sinatra wrote:
>>>
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> Our darknet is seeing a lot of SYN-ACK backscatter from 60.191.221.41,
>>>> port 7000.
>>>>
>>>> AS | IP | AS Name
>>>> 4134 | 60.191.221.41 | CHINANET-BACKBONE No.31,Jin-rong Street
>>>>
>>>> Not sure whether this is a targeted SYN-ACK attack of some sort or
>>>> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
>>>> port 7000. You may want to check for flows toward 60.191.221.41 just to
>>>> be on the safe side.
>>>
>>> I am seeing more backscatter-looking activity on port 7000 from AS4134
>>> (and one from AS4887) from the following IP addresses:
>>>
>>> 4134 | 121.14.151.239 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 58.221.28.35 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4837 | 218.61.11.32 | CHINA169-BACKBONE CNCGROUP China169 Backbone
>>>
>>> Anyone else seeing (apparent) backscatter SYN-ACKs from these hosts/ASes?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security
>>> counter-measures.
>>> _______________________________________________
>>
--
Patrick Bergen, CISSP
Sr. Systems Security Analyst
UEN Security Office
(801) 949-0777 Cell
(801) 581-4499 Office
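
The check suggested in the thread (are the SYN-ACKs from port 7000 unsolicited, and are there any flows toward the sending host), as an added example that is not part of the original messages. The flow tuple layout, the function name and the documentation-range addresses are assumptions made for illustration; the sample records are constructed.

```python
import ipaddress
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed flow records: (epoch_sec, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 192.0.2.0/24 stands in for the local network, 203.0.113.41 for the remote host.
SAMPLE_FLOWS = [
    (100, "192.0.2.10", 40001, "203.0.113.41", 7000, SYN),         # real outbound SYN
    (101, "203.0.113.41", 7000, "192.0.2.10", 40001, SYN | ACK),   # solicited reply
    (102, "203.0.113.41", 7000, "192.0.2.77", 1025, SYN | ACK),    # no SYN seen
    (103, "203.0.113.41", 7000, "192.0.2.200", 31337, SYN | ACK),  # no SYN seen
    (104, "203.0.113.41", 7000, "192.0.2.77", 1026, SYN | ACK),    # no SYN seen
    (105, "198.51.100.9", 80, "192.0.2.10", 40002, ACK),           # not a SYN-ACK
]

def classify_synacks(flows, local_net):
    """Return (unsolicited, talkers).

    unsolicited: Counter of (remote_ip, remote_port) -> SYN-ACKs that arrived
                 with no earlier outbound SYN on the same 4-tuple.
    talkers:     set of (local_ip, remote_ip, remote_port) where a local host
                 really did send a SYN, i.e. flows toward the remote host.
    """
    net = ipaddress.ip_network(local_net)
    is_local = lambda ip: ipaddress.ip_address(ip) in net
    syn_seen = set()
    unsolicited, talkers = Counter(), set()
    for ts, src, sport, dst, dport, flags in sorted(flows):  # time order
        if flags & SYN and not flags & ACK and is_local(src):
            syn_seen.add((src, sport, dst, dport))
            talkers.add((src, dst, dport))
        elif flags & SYN and flags & ACK and is_local(dst):
            # A SYN-ACK is solicited only if we saw the matching SYN go out.
            if (dst, dport, src, sport) not in syn_seen:
                unsolicited[(src, sport)] += 1
    return unsolicited, talkers

if __name__ == "__main__":
    unsolicited, talkers = classify_synacks(SAMPLE_FLOWS, "192.0.2.0/24")
    for (ip, port), n in unsolicited.most_common():
        print(f"{ip}:{port} sent {n} unsolicited SYN-ACKs")
    for local, remote, port in sorted(talkers):
        print(f"local {local} opened a connection to {remote}:{port}")
```

An empty `talkers` set alongside a high unsolicited count is consistent with backscatter from a flood that spoofed local addresses; entries in `talkers` are the local hosts worth a closer look.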