Network Security Security-Basics

Re: Tons of Source port 80 to random Dest Port Traffic

Subject: Re: Tons of Source port 80 to random Dest Port Traffic
Date: Sun, 21 May 2006 18:27:55 -0400
Matthew,
Thanks for looking at the traffic. At first, I was thinking a similar thing that you were, but this is where I get kind of baffled.

Q1: Ethereal yields *no* outgoing traffic. Additionally, the traffic I sent earlier continues. There are about 5-10 different IP's (all from the same consumer DSL equipment) that have a src port of 80 and a constant dest. port. For example, the host 211.7.246.248 *always* sends a src 80 dest 3509 SYN,ACK packet.

Q2: Host is not a proxy, just a firewalled webserver with only port 80 and 25 open.
Cheers,
Tom
On 5/20/06, Mathew Benwell <mjbenny@internode.on.net> wrote:
>
> Hi Tom,
>
> I have had a quick look at the ip addresses and on first glance they seem to be consumer dsl services.
>
> Q1. Are there any SYN packets in the capture heading in the other direction to the same hosts on the same port combination?
> Q2. Is this host a proxy server?
>
> If it's legitimate traffic:
> The SYN, ACK is the first reply packet when attempting to establish a TCP session after the original SYN packet. This would suggest that the first packet originated from your host. The static source port of 80 also suggests that the traffic originated from your host, probably trying to access a web server. Because of the way tcp works, there is always a need for a return port for traffic coming back to your host. This port is almost always a random port above 1024, which if you get enough packet captures you will notice that it usually increments upwards. This is what the packet would suggest if the world was all rosy.
>
> If I were suspicious of the traffic (Which I am atm):
> From Q1, Q2: if the host is not a proxy server and there are SYN packets, this could mean:
>      a). You have been compromised by a trojan/virus on the host which is trying to call home/propagate.
>      b). Your host may be compromised and it is launching attacks against other hosts. Maybe a particular make and model of DSL router.
> From Q1, if there were no SYN packets, it could be a DDoS.
>
> A more accurate idea could be gained from more packets from the conversation, e.g. the full SYN, SYN ACK, ACK as well as any packets from the same session.
>
> Anyway, not trying to alarm you, but I hope that helps.
>
> Cheers
> Mat
>
>
> Tom Hayden wrote:
> Attached is a quick short summary of traffic my server ( xx.xx.xx.xx ) has been bombarded with lately. It's a short dump from tethereal. I can't seem to figure it out - just tons and tons of traffic coming from a source port of 80 to seemingly random dest. ports. Can someone help me identify this?
>
> Thanks!
>
> --
> Tom
>
> ________________________________
>
>  0.000000 205.179.98.153 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  0.643203 65.217.140.2 -> xx.xx.xx.xx TCP www > 3198 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  0.994720 66.89.134.52 -> xx.xx.xx.xx TCP www > 1562 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  1.345049 205.179.149.129 -> xx.xx.xx.xx TCP www > 1944 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  1.851040 12.100.155.209 -> xx.xx.xx.xx TCP www > 4062 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  2.818835 12.102.14.52 -> xx.xx.xx.xx TCP www > 4813 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  3.704693 64.0.131.17 -> xx.xx.xx.xx TCP www > 3444 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  3.861277 12.102.14.94 -> xx.xx.xx.xx TCP www > 4863 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  4.583619 209.114.238.97 -> xx.xx.xx.xx TCP www > 3798 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  4.594220 66.89.134.50 -> xx.xx.xx.xx TCP www > 1560 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  5.270704 12.102.56.76 -> xx.xx.xx.xx TCP www > 4400 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  6.319898 209.114.245.90 -> xx.xx.xx.xx TCP www > 1678 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
>  6.584370 64.93.0.193 -> xx.xx.xx.xx TCP www > 3371 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>  6.685362 12.98.248.241 -> xx.xx.xx.xx TCP www > 2672 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
>
> ________________________________
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.392 / Virus Database: 268.6.1/344 - Release Date: 19/05/2006
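Mathew's Q1 (is there an outgoing SYN for every incoming SYN/ACK?) and Tom's observation that one peer always hits the same local port can both be checked mechanically against tethereal/tshark summary output. The script below is an added example written for this page; it is not code from either poster. It assumes the summary-line format seen in the dump above (newer tshark builds print slightly different columns), keeps the thread's xx.xx.xx.xx placeholder for the server, and feeds itself a constructed sample: two lines modelling a legitimate outbound connection to the documentation address 192.0.2.10, three lines copied from the dump, and one constructed repeat of the 211.7.246.248 -> 3509 pair.

```python
import re
from collections import Counter, defaultdict

# Summary-line format as it appears in the tethereal dump in this thread
# (assumed; newer tshark builds print slightly different columns).
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)

# tethereal prints well-known ports by name; resolve the ones seen here.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25}

# The thread masks the server as xx.xx.xx.xx; keep that placeholder.
LOCAL_HOST = "xx.xx.xx.xx"

# Constructed sample: the first two lines (192.0.2.10, a documentation
# address) model a legitimate outbound connection; the middle three are
# taken from the dump in the thread; the last is a constructed repeat
# of the 211.7.246.248 -> 3509 pair Tom says he sees over and over.
SAMPLE = """\
0.000000 xx.xx.xx.xx -> 192.0.2.10 TCP 1088 > www [SYN] Seq=0 Len=0 MSS=1460
0.020000 192.0.2.10 -> xx.xx.xx.xx TCP www > 1088 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.156106 205.179.163.118 -> xx.xx.xx.xx TCP www > 1501 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
0.623511 205.179.12.122 -> xx.xx.xx.xx TCP www > 3041 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1024
6.545658 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512 TSV=4157351006 TSER=42941574 WS=0
9.100000 211.7.246.248 -> xx.xx.xx.xx TCP www > 3509 [SYN, ACK] Seq=0 Ack=1 Win=1024 Len=0 MSS=512
"""


def parse_port(token):
    """Turn '1088' or 'www' into an integer port (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def parse_line(line):
    """Parse one summary line into a dict, or return None for non-TCP/garbage lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "sport": parse_port(m["sport"]),
        "dport": parse_port(m["dport"]),
        "flags": {f.strip() for f in m["flags"].split(",")},
    }


def classify_synacks(lines, local_host=LOCAL_HOST):
    """Mathew's Q1 as code: a SYN/ACK arriving at local_host is solicited only
    if an earlier SYN left local_host with addresses and ports mirrored.
    Returns (solicited, unsolicited) lists of parsed packets."""
    outgoing_syns = set()
    solicited, unsolicited = [], []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == {"SYN"} and pkt["src"] == local_host:
            # Remember (peer, peer port, our ephemeral port) for the handshake.
            outgoing_syns.add((pkt["dst"], pkt["dport"], pkt["sport"]))
        elif {"SYN", "ACK"} <= pkt["flags"] and pkt["dst"] == local_host:
            key = (pkt["src"], pkt["sport"], pkt["dport"])
            (solicited if key in outgoing_syns else unsolicited).append(pkt)
    return solicited, unsolicited


def constant_port_peers(synacks):
    """Peers that hit the same local port on every SYN/ACK (Tom's 211.7.246.248
    -> 3509 observation). A real client picks a fresh ephemeral port per
    connection, so a fixed pair seen repeatedly does not look like a reply
    to anything this host sent."""
    ports_by_peer, hits = defaultdict(set), Counter()
    for pkt in synacks:
        ports_by_peer[pkt["src"]].add(pkt["dport"])
        hits[pkt["src"]] += 1
    return sorted(peer for peer, ports in ports_by_peer.items()
                  if len(ports) == 1 and hits[peer] >= 2)


if __name__ == "__main__":
    sol, unsol = classify_synacks(SAMPLE.splitlines())
    print(f"solicited SYN/ACKs:   {len(sol)}")
    print(f"unsolicited SYN/ACKs: {len(unsol)}")
    for pkt in unsol:
        print(f"  {pkt['ts']:9.6f} {pkt['src']}:{pkt['sport']} -> {pkt['dport']}")
    print("peers with a fixed local port:", constant_port_peers(unsol))
```

On the sample, only the 192.0.2.10 handshake is solicited; the other four SYN/ACKs have no matching outbound SYN, which is exactly the "no SYN packets" branch of Mathew's reasoning, and 211.7.246.248 is flagged for using a fixed local port. On a real capture you would pipe the summary output of tshark over the pcap into the script, ideally from a capture that spans both directions so the Q1 check has the outbound side to look at.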
