[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000
Jason Chambers
jchambers at ucla.edu
Wed Apr 16 18:16:19 EDT 2008
>
> ----------- nsp-security Confidential --------
>
> Our darknet is seeing a lot of SYN-ACK backscatter from 60.191.221.41,
> port 7000.
>
> AS | IP | AS Name
> 4134 | 60.191.221.41 | CHINANET-BACKBONE No.31,Jin-rong Street
>
> Not sure whether this is a targeted SYN-ACK attack of some sort or
> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
> port 7000. You may want to check for flows toward 60.191.221.41 just to
> be on the safe side.
Surprised this isn't an e-gold or hyip site, they are usually the
popular type of syn-ack generators in our Darknet.
Here's the data for 60.191.221.41
Date| Records| Bytes| Packets|
2008/04/16T17:00:00| 3191.47| 920750.83| 19182.31|
2008/04/16T18:00:00| 8520.33| 2010133.82| 41877.79|
2008/04/16T19:00:00| 11835.99| 1826524.50| 38052.59|
2008/04/16T20:00:00| 12985.28| 1784529.27| 37177.69|
2008/04/16T21:00:00| 15144.00| 2036030.74| 42417.31|
2008/04/16T22:00:00| 145.92| 38942.84| 811.31|
--
Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603
More information about the nsp-security
mailing list