Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Port 7000 (Apple File Share) DoS/DDoS underway

from [Christine Kronberg] Network Security [Permanent Link]
Subject: Re: Port 7000 (Apple File Share) DoS/DDoS underway
Date: Wed, 22 Sep 2004 09:03:57 +0200 (CEST) 
On Mon, 20 Sep 2004, David Gillett wrote:

 A handful of machines, nowhere near me (network prefixes
218, 211, and 61) seem to be sending a mix of SYN-ACK and
RST packets, all with a source port of 7000, to assorted
(random) addresses in my public Class B range.


  I have seen the very same for a longer period of time. But
  the "scanning" was by not alway random. Sometimes a customers
  entire /16 network was scanned, sometimes only two hosts
  were the targets.

 I expect this means that someone is spoofing random source
addresses -- many of them in my range, but who knows how many
in others... -- and ports and SYN-flooding those half-dozen
machines.


  Out of curiosity I scanned the sending host with nmap (from
  my own computer) just to find (after an endless time) nearly
  any port open. I remember have read something about but forgot
  about the details.
  My explanation was/is, that the host sending these packets
  (was indeed in most cases the same IP) was owned and "opened"
  for scanning by whoever wanted to do that.
  If someone can come up with a better explanation I'd love
  to hear it. :-)

  Cheers,


                                             Chris Kronberg.


--
GeNUA mbH

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: unusual 1.11.0.0/16 outbound traffic, Andrew Heath
Next by Date:  Re: Port 7000 (Apple File Share) DoS/DDoS underway, Chris Krough
Previous by Thread:  Port 7000 (Apple File Share) DoS/DDoS underway, David Gillett
Next by Thread:  Re: Port 7000 (Apple File Share) DoS/DDoS underway, Daniel Hanson
Indexes:  [Date] [Thread] [Top] [All Lists]