[nsp-sec] Attack heading to 193.138.195.114

Darren Grabowski drg at us.ntt.net
Wed Feb 4 19:10:22 EST 2009


We have a customer who is getting hit on 193.138.195.114.  It looks like
the attacker is forging their IP in this attack.  We have this filtered,
but if anyone has other insight into this I'd appreciate it.  It has been
a long day and the coffee has run out :)

Here is the snippet of the logs that we received.

01:43:24.266923 IP (tos 0x0, ttl  51, id 26513, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.oma-rlp > 89.47.1.99.http: S, cksum 0x11fd (correct), 1430798463:1430798463(0) win 32120 <mss 1460,sackOK,timestamp 2547547 1191182336,nop,wscale 0>
01:43:24.266926 IP (tos 0x0, ttl  51, id 56777, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.26723 > 89.47.1.40.http: S, cksum 0xd536 (correct), 3459357301:3459357301(0) win 32120 <mss 1460,sackOK,timestamp 13178336 771751936,nop,wscale 0>
01:43:24.266930 IP (tos 0x0, ttl  51, id 705, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.49081 > 89.47.2.9.http: S, cksum 0xcb59 (correct), 1196763519:1196763519(0) win 32120 <mss 1460,sackOK,timestamp 14449221 1929379840,nop,wscale 0>
01:43:24.266933 IP (tos 0x0, ttl  48, id 43443, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.43611 > 193.138.195.10.http: S, cksum 0xf9af (correct), 2997280092:2997280092(0) win 32120 <mss 1460,sackOK,timestamp 13775051 1526726656,nop,wscale 0>
01:43:24.266937 IP (tos 0x0, ttl  51, id 34499, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.19144 > 193.138.193.37.http: S, cksum 0x66b8 (correct), 52598887:52598887(0) win 32120 <mss 1460,sackOK,timestamp 4732735 1040187392,nop,wscale 0>
01:43:24.266940 IP (tos 0x0, ttl  51, id 25874, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.29418 > 193.138.192.2.http: S, cksum 0xa978 (correct), 3892486777:3892486777(0) win 32120 <mss 1460,sackOK,timestamp 11314216 2013265920,nop,wscale 0>
01:43:24.266944 IP (tos 0x0, ttl  51, id 27520, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.59899 > 193.138.193.165.http: S, cksum 0x624d (correct), 3456356161:3456356161(0) win 32120 <mss 1460,sackOK,timestamp 12744640 1610612736,nop,wscale 0>
01:43:24.267148 IP (tos 0x0, ttl  51, id 62300, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.14986 > 193.138.192.1.http: S, cksum 0xd14d (correct), 260680292:260680292(0) win 32120 <mss 1460,sackOK,timestamp 5474716 1946157056,nop,wscale 0>
01:43:24.267156 IP (tos 0x0, ttl  51, id 46751, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.olhost > 193.138.193.157.http: S, cksum 0xae00 (correct), 3821301835:3821301835(0) win 32120 <mss 1460,sackOK,timestamp 1276304 1006632960,nop,wscale 0>
01:43:24.267401 IP (tos 0x0, ttl  51, id 3664, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.5650 > 86.107.61.11.http: S, cksum 0xc7f1 (correct), 568413205:568413205(0) win 32120 <mss 1460,sackOK,timestamp 4928390 838860800,nop,wscale 0>
01:43:24.267409 IP (tos 0x0, ttl  48, id 20299, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.44828 > 193.138.193.108.http: S, cksum 0x0870 (correct), 990076949:990076949(0) win 32120 <mss 1460,sackOK,timestamp 6686015 1778384896,nop,wscale 0>


-- 
Darren Grabowski - Manager                                  w: 214-915-1387
NTT America Security & Abuse Team                           c: 214-934-1788
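An added example, not from the post or from NTT: a small Python parser for tcpdump SYN lines like the ones quoted above that groups SYNs by source address and flags a source whose SYNs fan out to many hosts within a fraction of a second while arriving with more than one TTL (51 and 48 in the post), the trace a forged source address leaves in a capture. The sample log mixes four lines quoted from the post with constructed lines for a hypothetical single-origin host 192.0.2.50; the TTL heuristic and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four packets quoted in the post, one per line, plus three
# constructed lines for a hypothetical host (192.0.2.50) reached over one path.
SAMPLE_LOG = """\
01:43:24.266923 IP (tos 0x0, ttl  51, id 26513, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.oma-rlp > 89.47.1.99.http: S, cksum 0x11fd (correct), 1430798463:1430798463(0) win 32120 <mss 1460,sackOK,timestamp 2547547 1191182336,nop,wscale 0>
01:43:24.266926 IP (tos 0x0, ttl  51, id 56777, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.26723 > 89.47.1.40.http: S, cksum 0xd536 (correct), 3459357301:3459357301(0) win 32120 <mss 1460,sackOK,timestamp 13178336 771751936,nop,wscale 0>
01:43:24.266933 IP (tos 0x0, ttl  48, id 43443, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.43611 > 193.138.195.10.http: S, cksum 0xf9af (correct), 2997280092:2997280092(0) win 32120 <mss 1460,sackOK,timestamp 13775051 1526726656,nop,wscale 0>
01:43:24.267409 IP (tos 0x0, ttl  48, id 20299, offset 0, flags [DF], proto: TCP (6), length: 60) 193.138.195.114.44828 > 193.138.193.108.http: S, cksum 0x0870 (correct), 990076949:990076949(0) win 32120 <mss 1460,sackOK,timestamp 6686015 1778384896,nop,wscale 0>
01:43:25.100000 IP (tos 0x0, ttl  60, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.50.40001 > 89.47.1.99.http: S, cksum 0x0000 (correct), 1:1(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
01:43:25.100200 IP (tos 0x0, ttl  60, id 2, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.50.40002 > 89.47.1.40.http: S, cksum 0x0000 (correct), 2:2(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
01:43:25.100400 IP (tos 0x0, ttl  60, id 3, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.50.40003 > 89.47.2.9.http: S, cksum 0x0000 (correct), 3:3(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
"""

# One "tcpdump -v" SYN line: timestamp, TTL, source and destination host (ports dropped).
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos \S+, ttl\s+(?P<ttl>\d+), id \d+, .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\S+: S, "
)

def ts_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_syns(log):
    """Return (seconds, src, dst, ttl) per SYN line; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            rows.append((ts_seconds(m["ts"]), m["src"], m["dst"], int(m["ttl"])))
    return rows

def suspect_spoofed_sources(log, min_dsts=3, window=1.0):
    """Sources whose SYNs reach >= min_dsts hosts within `window` seconds with more
    than one TTL. Heuristic (assumption): one real host arrives at a capture point
    with a stable TTL, so mixed TTLs suggest several origins writing that address."""
    by_src = defaultdict(list)
    for row in parse_syns(log):
        by_src[row[1]].append(row)
    report = {}
    for src, rows in by_src.items():
        rows.sort()
        dsts = {r[2] for r in rows}
        ttls = {r[3] for r in rows}
        span = rows[-1][0] - rows[0][0]
        if len(dsts) >= min_dsts and span <= window and len(ttls) > 1:
            report[src] = {"syns": len(rows), "dsts": len(dsts),
                           "ttls": sorted(ttls), "span_s": round(span, 6)}
    return report
```

Running `suspect_spoofed_sources(SAMPLE_LOG)` reports only 193.138.195.114 (four SYNs, four hosts, TTLs 48 and 51, under a millisecond apart); the constructed 192.0.2.50 lines are not flagged because they carry a single TTL.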
