Subject: Question: continuous stream of syn packets
From: "Mahesh Ramachandran" <rr @ eel . ufl . edu>
Organization: Electrical Engineering, University of Florida
Date: Mon, 7 Aug 1995 05:10:00 -0400 (EDT)
To: firewalls @ greatcircle . com
Cc: rr (Mahesh Ramachandran)

hi,
I've been seeing a continuous stream of TCP SYN packets coming to one of
the hosts on TCP ports 3333 through 3338. There isn't and never was
anything on those ports.
Could someone provide me a clue why a remote host would continuously be
trying to access these ports? I've appended a sample tcpdump output
below.
thx
-rr
---------------------------------------------------------------------------
from tcpdump 'tcp[13] & 3 != 0' src ...
11:44:05.00 src-host.2641 > dst-host.3333: S 1943353091:1943353091(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea100000000>
11:44:05.00 src-host.2642 > dst-host.3334: S 1943491933:1943491933(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea100000000>
11:44:05.00 src-host.2643 > dst-host.3335: S 1943652296:1943652296(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea100000000>
11:44:05.00 src-host.2644 > dst-host.3336: S 1943834739:1943834739(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea200000000>
11:44:05.00 src-host.2645 > dst-host.3337: S 1943910593:1943910593(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea200000000>
11:44:06.00 src-host.2646 > dst-host.3338: S 1943978488:1943978488(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006fea200000000>
11:45:05.00 src-host.2653 > dst-host.3333: S 1959808612:1959808612(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1800000000>
11:45:05.00 src-host.2654 > dst-host.3334: S 1959885897:1959885897(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1800000000>
11:45:05.00 src-host.2655 > dst-host.3335: S 1960018804:1960018804(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1800000000>
11:45:05.00 src-host.2656 > dst-host.3336: S 1960340481:1960340481(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1900000000>
11:45:05.00 src-host.2657 > dst-host.3337: S 1960404666:1960404666(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1900000000>
11:45:05.00 src-host.2658 > dst-host.3338: S 1960568529:1960568529(0) win 8192 <mss 512,nop,opt-3:00,nop,nop,opt-8:0006ff1900000000>
from tcpdump -v src ...
12:05:04.976100 src-host.2898 > dst-host.3333: S 2299783809:2299783809(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460912 0> (ttl 50, id 50673)
12:05:05.074249 src-host.2899 > dst-host.3334: S 2299873647:2299873647(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460912 0> (ttl 50, id 50676)
12:05:05.178567 src-host.2900 > dst-host.3335: S 2299954453:2299954453(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460912 0> (ttl 50, id 50681)
12:05:05.282498 src-host.2901 > dst-host.3336: S 2300146817:2300146817(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460912 0> (ttl 50, id 50683)
12:05:05.437370 src-host.2902 > dst-host.3337: S 2300409262:2300409262(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460913 0> (ttl 50, id 50688)
12:05:05.616838 src-host.2903 > dst-host.3338: S 2300508683:2300508683(0) win 8192 <mss 512,nop,wscale 0,nop,nop,timestamp 460913 0> (ttl 50, id 50690)
------------------------------------------------------------------------------
--
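Added example, not part of the original post: a short Python triage script that groups SYN lines like those in the first capture into bursts and reports the interval between bursts, the destination port set, and whether source ports increase by one within a burst. The function names and the 5-second burst gap are assumptions made for this illustration.

```python
import re

# Lines copied from the capture in the post; TCP option list trimmed for width.
SAMPLE = """\
11:44:05.00 src-host.2641 > dst-host.3333: S 1943353091:1943353091(0) win 8192
11:44:05.00 src-host.2642 > dst-host.3334: S 1943491933:1943491933(0) win 8192
11:44:05.00 src-host.2643 > dst-host.3335: S 1943652296:1943652296(0) win 8192
11:44:05.00 src-host.2644 > dst-host.3336: S 1943834739:1943834739(0) win 8192
11:44:05.00 src-host.2645 > dst-host.3337: S 1943910593:1943910593(0) win 8192
11:44:06.00 src-host.2646 > dst-host.3338: S 1943978488:1943978488(0) win 8192
11:45:05.00 src-host.2653 > dst-host.3333: S 1959808612:1959808612(0) win 8192
11:45:05.00 src-host.2654 > dst-host.3334: S 1959885897:1959885897(0) win 8192
11:45:05.00 src-host.2655 > dst-host.3335: S 1960018804:1960018804(0) win 8192
11:45:05.00 src-host.2656 > dst-host.3336: S 1960340481:1960340481(0) win 8192
11:45:05.00 src-host.2657 > dst-host.3337: S 1960404666:1960404666(0) win 8192
11:45:05.00 src-host.2658 > dst-host.3338: S 1960568529:1960568529(0) win 8192
"""
# hh:mm:ss.frac src.sport > dst.dport: S ...  (only SYN lines match)
LINE = re.compile(r"(\d+):(\d+):(\d+)\.\d+ (\S+)\.(\d+) > (\S+)\.(\d+): S ")

def parse(text):
    """Yield (seconds_since_midnight, src, sport, dst, dport) per SYN line."""
    for m in map(LINE.match, text.splitlines()):
        if m:
            h, mi, s, src, sport, dst, dport = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, int(sport), dst, int(dport)

def bursts(events, gap=5):
    """Split events into bursts separated by more than `gap` seconds of silence.
    Assumes the capture does not cross midnight."""
    groups, last = [], None
    for ev in sorted(events):
        if last is None or ev[0] - last > gap:
            groups.append([])
        groups[-1].append(ev)
        last = ev[0]
    return groups

def summarize(text, gap=5):
    groups = bursts(parse(text), gap)
    starts = [g[0][0] for g in groups]
    return {
        "bursts": len(groups),
        "dst_ports": sorted({e[4] for g in groups for e in g}),
        "intervals": [b - a for a, b in zip(starts, starts[1:])],
        "sequential_sports": all(b[2] - a[2] == 1 for g in groups for a, b in zip(g, g[1:])),
        "same_ports_each_burst": len({tuple(sorted(e[4] for e in g)) for g in groups}) == 1,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```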