Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DoS attacks using ports 31800, 31900 ?

from [Deapesh Misra] Network Security [Permanent Link]
Subject: Re: DoS attacks using ports 31800, 31900 ?
Date: Tue, 6 Feb 2007 10:36:33 -0500
On 2/2/07, David Gillett <gillettdavid@fhda.edu> wrote: 
  A certain amount of the packets that arrive at our gateway
are blowback, remote hosts responding to traffic where an
address in our block was forged as the source.  These are
most often ICMP Port Unreachables generated by UDP Windows
Messenger spam, with SYN-ACKs from port 80 running a distant
second.

  Within the last 24-48 hours, I've noticed something new:
significant numbers of SYN-ACKs from port 31800, and a
smaller number from 31900, from less than a dozen addresses
scattered around the Internet.  None of those addresses has
yet resolved via rDNS.


<SNIP>

  IP Address    Port            Count

60.31.208.10    31800           3100
60.190.108.57   31800           3500
60.191.0.2              31800           26      late start
61.142.160.181  31800           4200
124.243.201.171 31800           3100
125.64.16.79    31800           4500

<SNIP>

David Gillett 

It is interesting to note that all these IP addresses are located in
the same country -China.

If you look at the port report for port 31900 from ISC SANS, it shows
a peak in the same date range you saw this happen:
http://isc.sans.org/port.html?port=31900

_____________________________
-Deapesh Misra

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Tracking down random ICMP, Frank Knobbe
Next by Date:  Announcing a global view on Internet events: ATLAS, Jose Nazario
Previous by Thread:  DoS attacks using ports 31800, 31900 ?, David Gillett
Next by Thread:  Re: Tracking down random ICMP, Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]