[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000
Matthew.Swaar at us-cert.gov
Wed Apr 16 18:17:42 EDT 2008
TCP-7000 (apparent) backscatter. I have to caveat this by saying that I
didn't pull any flows prior to 4/15.
           sIP|     Bytes| Packets| Records|          Start_Time|            End_Time|
  218.61.17.59| 103218256| 2150983| 1994200| 2008/04/15T14:09:42| 2008/04/16T22:11:30|
  58.221.28.35| 142941984| 2977958| 2812317| 2008/04/15T04:57:40| 2008/04/16T18:10:24|
  218.61.11.85|  55166688| 1149306| 1143996| 2008/04/16T16:10:57| 2008/04/16T22:11:30|
222.189.228.62|  58439512| 1217490| 1211066| 2008/04/16T13:01:58| 2008/04/16T22:11:29|
 60.191.221.41| 337959120| 7040815| 3063883| 2008/04/16T17:24:49| 2008/04/16T22:11:30|
AS   | IP             | AS Name
4837 | 218.61.17.59   | CHINA169-BACKBONE CNCGROUP China169 Backbone
4134 | 58.221.28.35   | CHINANET-BACKBONE No.31,Jin-rong Street
4837 | 218.61.11.85   | CHINA169-BACKBONE CNCGROUP China169 Backbone
4134 | 222.189.228.62 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 60.191.221.41  | CHINANET-BACKBONE No.31,Jin-rong Street
I see no outbound traffic that corresponds to this.
V/R,
Matt Swaar
US-CERT Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Brian Eckman
Sent: Wednesday, April 16, 2008 5:28 PM
To: Michael Sinatra
Cc: NSP-Sec
Subject: Re: [nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000
----------- nsp-security Confidential --------
Michael,
We see a number of unsolicited SYN ACKs from 218.61.11.32:7000/tcp
beginning at 2008-04-16 16:19:10 GMT, and ongoing.
We were seeing 20-30 pps of unsolicited SYN ACKs from
60.191.221.41:7000/tcp at the initial time of your report. We still are.
121.14.151.239 and 58.221.28.35 aren't sending anything our way
currently - I haven't cut flow data for them.
Brian
Michael Sinatra wrote:
> ----------- nsp-security Confidential --------
>
> On Wed, 16 Apr 2008, Michael Sinatra wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Our darknet is seeing a lot of SYN-ACK backscatter from
>> 60.191.221.41, port 7000.
>>
>> AS | IP | AS Name
>> 4134 | 60.191.221.41 | CHINANET-BACKBONE No.31,Jin-rong Street
>>
>> Not sure whether this is a targeted SYN-ACK attack of some sort or
>> whether it is backscatter from a spoofed SYN flood to 60.191.221.41,
>> port 7000. You may want to check for flows toward 60.191.221.41 just
>> to be on the safe side.
>
> I am seeing more backscatter-looking activity on port 7000 from AS4134
> (and one from AS4887) from the following IP addresses:
>
> 4134 | 121.14.151.239 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 58.221.28.35   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837 | 218.61.11.32   | CHINA169-BACKBONE CNCGROUP China169 Backbone
>
> Anyone else seeing (apparent) backscatter SYN-ACKs from these hosts/ASes?
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
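The check the thread describes (SYN-ACKs arriving at a monitored prefix from one source:port, hitting many of our addresses, with no outbound SYN from us that could have solicited them) can be scripted over flow records. This is an added example, not code from the list or any of its posters; the pipe-separated flow format, the prefix 192.0.2.0/24 and the sample flows are constructed, with only the 60.191.221.41:7000 source taken from the thread.

```python
"""Flag SYN-ACK sources that look like backscatter from a spoofed SYN flood.

Constructed flow format (one record per line):
    sIP|dIP|sPort|dPort|flags|packets|start_time
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the prefix we monitor (RFC 5737 documentation range).
MONITORED = ip_network("192.0.2.0/24")

# Constructed sample flows: three unsolicited SYN-ACKs from 60.191.221.41:7000,
# one solicited SYN-ACK (we sent the SYN first), and one inbound plain SYN.
SAMPLE_FLOWS = """\
60.191.221.41|192.0.2.17|7000|41233|SA|1|2008/04/16T17:24:49
60.191.221.41|192.0.2.88|7000|58120|SA|1|2008/04/16T17:24:50
60.191.221.41|192.0.2.201|7000|1025|SA|1|2008/04/16T17:24:50
192.0.2.5|198.51.100.9|50000|80|S|1|2008/04/16T17:24:59
198.51.100.9|192.0.2.5|80|50000|SA|3|2008/04/16T17:25:00
203.0.113.4|192.0.2.9|44321|443|S|1|2008/04/16T17:26:00
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        sip, dip, sport, dport, flags, pkts, start = line.split("|")
        rows.append(dict(sip=ip_address(sip), dip=ip_address(dip),
                         sport=int(sport), dport=int(dport),
                         flags=flags.replace(" ", ""), pkts=int(pkts), start=start))
    return rows

def classify_backscatter(flows, monitored=MONITORED, min_targets=2):
    """Return {(src_ip, src_port): set(our dst IPs)} for unsolicited SYN-ACK sources.

    A SYN-ACK is solicited only if some host of ours sent a SYN to that
    source:port. Unsolicited SYN-ACKs from one source:port spread across
    several of our addresses are the signature of backscatter: the source is
    the victim of a SYN flood whose spoofed source addresses fell in our prefix.
    """
    outbound_syns = {(f["sip"], f["dip"], f["dport"]) for f in flows
                     if f["sip"] in monitored and f["flags"] == "S"}
    hits = defaultdict(set)
    for f in flows:
        if f["dip"] not in monitored or f["flags"] != "SA":
            continue
        if (f["dip"], f["sip"], f["sport"]) in outbound_syns:
            continue  # we opened this connection; not backscatter
        hits[(str(f["sip"]), f["sport"])].add(str(f["dip"]))
    return {src: dsts for src, dsts in hits.items() if len(dsts) >= min_targets}
```

On real data the same logic applies to whatever flow export you have; the absence of any outbound flow toward the source, as Matt notes above, is the confirming check.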