Anyone else see a massive increase of scanning/dos with TCP source and/or
dst port of 0? We started seeing a massive increase today creating some
issue with our firewalls.
I just scanned through the last 48 hours of logs and did not find anything.
We are peering with Level3 (AS 3549) and Verizon (AS 11486).
srs/dst of 0 as measured how? (tcpdump? netflow? app logs?)
Anyone else see a massive increase of scanning/dos with TCP source and/or
dst port of 0? We started seeing a massive increase today creating some
issue with our firewalls.srs/dst of 0 as measured how? (tcpdump? netflow? app logs?)
No, however I am seeing an increase in unsolicited syn-ack packets with
a wider
variety of "from" ports (many 80 still, used to be almost all) but some
22, 113, 4000, 600x,
and high "from" ports with "to" ports of 3072 and 1024, many to ip addrs
that are not
targets of A records, so appear to be indiscriminate scans...
Source IP's all over the place as expected. Don't know if it is
tcptraceroute in a strange mode,
or OS fingerprinting attempts, or both. Also don't know if the sources
are spoofs or not (rather hard
to tell...) Sources don't seem to match up with syn-only packets
either, at least on the same day.
-- Pete
Not seeing a ton of them, but do see a few logged on most all of our
server like:
Mar 5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
Out of curiosity -
Is it possible it's a command and control network, rather than
directly an attack?