Network Security Security-Basics

Re: Tons of Source port 80 to random Dest Port Traffic

Subject: Re: Tons of Source port 80 to random Dest Port Traffic
Date: Sun, 21 May 2006 09:52:53 +0930
Hi Tom,

I have had a quick look at the ip addresses and on first glance they seem to be consumer dsl services.

Q1. Are there any SYN packets in the capture heading in the other direction to the same hosts on the same port combination?
Q2. Is this host a proxy server?


If it's legitimate traffic:
The SYN, ACK is the first reply packet when attempting to establish a TCP session after the original SYN packet. This would suggest that the first packet originated from your host. The static source port of 80 also suggests that the traffic originated from your host, probably trying to access a web server. Because of the way TCP works, there is always a need for a return port for traffic coming back to your host. This port is almost always a random port above 1024, which if you get enough packet captures you will notice that it usually increments upwards. This is what the packet would suggest if the world was all rosy.


If I were suspicious of the traffic (Which I am atm):
From Q1, Q2: if the host is not a proxy server and there are SYN packets, this could mean:
a). You have been compromised by a trojan/virus on the host which is trying to call home/propagate.
b). Your host may be compromised and it is launching attacks against other hosts. Maybe a particular make and model of DSL router.
From Q1, if there were no SYN packets, it could be a DDoS.


A more accurate idea could be gained from more packets from the conversation. e.g. the full SYN, SYN ACK, ACK as well as any packets from the same session.

Anyway, not trying to alarm you, but I hope that helps.

Cheers
Mat

Tom Hayden wrote:

Attached is a quick short summary of traffic my server ( xx.xx.xx.xx )
has been bombarded with lately.  It's a short dump from tethereal.  I
can't seem to figure it out - just tons and tons of traffic coming
from a source port of 80 to seemingly random dest. ports.  Can someone
help me identify this?

Thanks!

--
Tom

------------------------------------------------------------------------

0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.643203 65.217.140.2 -> xx.xx.xx.xx TCP www > 3198 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.994720 66.89.134.52 -> xx.xx.xx.xx TCP www > 1562 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.345049 205.179.149.129 -> xx.xx.xx.xx TCP www > 1944 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
1.851040 12.100.155.209 -> xx.xx.xx.xx TCP www > 4062 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
2.818835 12.102.14.52 -> xx.xx.xx.xx TCP www > 4813 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.704693 64.0.131.17 -> xx.xx.xx.xx TCP www > 3444 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
3.861277 12.102.14.94 -> xx.xx.xx.xx TCP www > 4863 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.583619 209.114.238.97 -> xx.xx.xx.xx TCP www > 3798 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
4.594220 66.89.134.50 -> xx.xx.xx.xx TCP www > 1560 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
5.270704 12.102.56.76 -> xx.xx.xx.xx TCP www > 4400 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.319898 209.114.245.90 -> xx.xx.xx.xx TCP www > 1678 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.685362 12.98.248.241 -> xx.xx.xx.xx TCP www > 2672 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024


------------------------------------------------------------------------

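The check Mat proposes in Q1 (does each incoming SYN/ACK have a matching outbound SYN from our host to that address and port?) can be automated over a tethereal one-line summary like the one Tom attached. The following is an added example, not code from either poster: it parses the summary format shown above, indexes outbound SYNs by 4-tuple, and splits the SYN/ACKs into solicited (a reply to our own SYN) and unsolicited (backscatter or spoofed traffic). The capture embedded in it is constructed for the example using RFC 5737 documentation addresses (192.0.2.10 standing in for the "xx.xx.xx.xx" server); the one outbound SYN on port 2200 is there to show the legitimate case beside the suspicious one.

```python
import re
from collections import namedtuple

# tethereal prints service names for well-known ports; map the ones we expect back to numbers
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443}

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Matches the one-line summary format: "<ts> <src> -> <dst> TCP <sport> > <dport> [FLAGS] ..."
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]"
)


def to_port(token):
    """Turn '1088' or 'www' into an integer port; unknown service names become None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_summary(lines):
    """Parse tethereal summary rows; separators, blank lines and non-TCP rows are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        pkts.append(Packet(float(m["ts"]), m["src"], to_port(m["sport"]),
                           m["dst"], to_port(m["dport"]), flags))
    return pkts


def split_synacks(pkts):
    """Q1 from the reply: was each SYN/ACK preceded by our own SYN to that host and port?"""
    outbound_syns = {(p.src, p.sport, p.dst, p.dport)
                     for p in pkts if "SYN" in p.flags and "ACK" not in p.flags}
    solicited, unsolicited = [], []
    for p in pkts:
        if not ({"SYN", "ACK"} <= p.flags):
            continue
        # A genuine reply mirrors the 4-tuple of the SYN that caused it.
        if (p.dst, p.dport, p.src, p.sport) in outbound_syns:
            solicited.append(p)
        else:
            unsolicited.append(p)
    return solicited, unsolicited


def summarize(pkts):
    """Counts plus the two traits Mat points out: fixed source port 80, random ephemeral dest ports."""
    solicited, unsolicited = split_synacks(pkts)
    return {
        "synack_total": len(solicited) + len(unsolicited),
        "solicited": len(solicited),
        "unsolicited": len(unsolicited),
        "unsolicited_hosts": len({p.src for p in unsolicited}),
        "fixed_src_port_80": bool(unsolicited) and {p.sport for p in unsolicited} == {80},
        "all_ephemeral_dports": all(p.dport is not None and p.dport > 1024 for p in unsolicited),
    }


# Constructed sample capture (not the poster's data): three unsolicited SYN/ACKs in the
# pattern from the thread, plus one outbound SYN and its legitimate SYN/ACK reply.
SAMPLE = """\
0.000000 198.51.100.7 -> 192.0.2.10 TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.156106 198.51.100.23 -> 192.0.2.10 TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.300000 192.0.2.10 -> 203.0.113.5 TCP 2200 > www [SYN] Seq=0 Win=65535 Len=0 MSS=1460
0.350000 203.0.113.5 -> 192.0.2.10 TCP www > 2200 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.623511 198.51.100.99 -> 192.0.2.10 TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
------------------------------------------------------------------------
"""

PACKETS = parse_summary(SAMPLE.splitlines())

if __name__ == "__main__":
    for p in split_synacks(PACKETS)[1]:
        print(f"unsolicited SYN/ACK from {p.src}:{p.sport} to port {p.dport}")
    print(summarize(PACKETS))
```

Run it against a real `tethereal`/`tshark` summary by feeding the file's lines to `parse_summary`. A high `unsolicited` count with `fixed_src_port_80` true and no outbound SYNs is the backscatter picture Mat describes (someone else's SYN flood spoofing your address); unsolicited SYN/ACKs that do have matching outbound SYNs point back at a process on the host itself, which is where Q2 and a full-session capture come in.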


